Intelligent CIO Africa Issue 98 | Page 39

CIO OPINION

typically further ahead of the curve when it comes to regulatory compliance. For many, DORA's requirements will have been about building on, and proving the strength of, the foundations already in place.

The focus on DORA for financial services will instead be on operational resilience testing, ensuring internal awareness of different scenarios and their risk impacts.

Most financial institutions and banks will have felt confident in their scenario-based testing and, by extension, their compliance with DORA when the deadline passed this January. And if the scope of DORA did not cover beyond internal organisation compliance, they would be right. Unfortunately for most, DORA extends to cover all of an organisation's third parties and supply chains, creating the risk of a pretty large potential blind spot.

Financial services organisations can do all the work they want ensuring internal compliance to DORA, but unless their third-party and supply partners are also compliant, they will fail regardless. And these are no small stakes.

For financial services, if their external critical software providers do not comply in time, they could face anything from a fine of 2% of their annual turnover to criminal charges.

DORA compliance cannot bulletproof you against every threat out there, but being able to prove that everything is in place and that it all works within the defined time frames will set you up to recover as swiftly as possible from cyberattacks. And, more prudently, it will prevent you from incurring any of the consequences attached to non-compliance.
According to EY's Global Third-Party Risk Management Survey, in the US alone, 98% of financial services organisations have partnerships with third-party vendors. Although they may not realise it, third parties are one of the biggest risks to financial services organisations when it comes to DORA compliance.
Sadly, there is no quick fix. At the very minimum, every bank and financial institution in every EU Member State that falls under DORA is going to have to renegotiate many Service Level Agreements with existing and new third-party partners. Financial services organisations cannot afford to be under any illusions: this will be a necessary but significant piece of work.
Cementing DORA compliance as a pre-requisite will be essential for continued DORA compliance but will
www.intelligentcio.com INTELLIGENTCIO AFRICA 39