The Impact of the Digital Operational Resilience Act (DORA)
Banks and their IT providers in the European Union are gearing up to face heightened scrutiny under the forthcoming Digital Operational Resilience Act (DORA). Passed last year, this stringent legislation is slated for enforcement in January 2025, aiming to bolster the digital resilience of financial institutions.
Key Requirements Under DORA
DORA mandates that banks implement rigorous IT risk management protocols. This includes conducting regular digital operational resilience testing and sharing information and intelligence on cyber threats and vulnerabilities. Furthermore, banks must address their reliance on third-party providers by managing associated risks and evaluating their "concentration risk," which pertains to outsourcing critical functions to external companies.
The Role of Third-Party IT Providers
According to Joe Vaccaro, general manager of ThousandEyes, part of Cisco, "Third-party providers are integral to delivering critical digital services to customers." Consequently, these providers must participate in testing and reporting processes. Financial institutions are thus encouraged to invest in solutions that help identify and manage dependencies on these providers, ensuring they can deliver and maintain digital services effectively.
Learning from the CrowdStrike Incident
The necessity for such measures was recently underscored by a significant IT outage involving CrowdStrike, a cybersecurity firm. This incident led to the disruption of Microsoft Windows systems, affecting airports, hospitals, and financial services firms. Delta Air Lines was notably impacted, canceling over 5,000 flights and estimating losses of $500 million. In response, Delta has threatened legal action against CrowdStrike, which acknowledges its role in the outage but contends that Delta's competitors managed to restore operations more swiftly.
Addressing the Complex Ecosystem of Vendors
The CrowdStrike incident highlights the critical role of third-party vendors such as cloud service providers in ensuring resilient infrastructure. Larson McNeil, co-head of marketplaces and digital ecosystems at J.P. Morgan Payments, emphasized the complexity of modern business ecosystems, where multiple partners operate together. Understanding these relationships and the risks they pose is vital for maintaining operational resilience.
In conclusion, as banks and their IT providers brace for DORA's enforcement in January 2025, it is imperative for them to fortify their digital infrastructures and manage third-party relationships effectively. This proactive approach will not only help prevent incidents like the CrowdStrike outage but will also enhance the overall resilience of financial services in the EU.