CIO OPINION
deadline passed this January. And if the scope of DORA did not cover beyond internal organisation compliance, they would be right. Unfortunately for most, DORA extends to cover all of an organisation’s third parties and supply chains – creating the risk of a pretty large potential blind spot.
Financial services organisations can do all the work they want ensuring internal compliance to DORA but unless their third-party and supply partners are also compliant, they will fail regardless. And these are no small stakes.
For financial services, if their external critical software providers do not comply in time, they could face anything from a fine of 2% of their annual turnover to criminal charges.
DORA compliance cannot bulletproof you against every threat out there, but being able to prove that everything is in place and that it all works within the defined time frames will set you up to recover as swiftly as possible from cyberattacks. And, more prudently, it will prevent you from incurring any of the consequences attached to non-compliance.
According to EY’s Global Third-Party Risk Management Survey, in the US alone, 98% of financial services organisations have partnerships with third-party vendors. Although they may not realise it, third parties are one of the biggest risks to financial services organisations when it comes to DORA compliance.
Sadly, there is no quick fix. At the very minimum, every bank and financial institution in every EU Member State that falls under DORA is going to have to renegotiate many Service Level Agreements with existing and new third-party partners. Financial services organisations cannot afford to be under any illusions: this will be a necessary but significant piece of work.
Cementing DORA compliance as a prerequisite for third-party partners will be essential for continued DORA compliance, but it will require collaborative work from across the business. Security, risk management, and legal teams will all need to band together to pull this off.
Of course, even having DORA compliance confirmed amongst your third-party providers will not make your organisation completely invulnerable to cybersecurity threats. But it will put you in good stead when it comes to recovering from an attack.
After all, regulatory compliance has never equalled complete security. DORA is more of an exercise in operational resilience improvement, which is a key piece of the puzzle for recovery from cyber-attacks.
www.intelligentcio.com INTELLIGENTCIO MIDDLE EAST 47