The Digital Operational Resilience Act (DORA) is shaping the way financial organisations approach operational resilience and third-party risk management. To unpack the complexities and provide actionable guidance, Secon and Quod Orbis hosted the webinar, “Exploring DORA and Third-Party Risk in the UK.” We extend our sincere thanks to our speakers, Cornelius Goosen and Jason Wilkes, for sharing their expertise and practical insights.
Below, we summarise the key takeaways and strategies discussed during this informative session.
Why DORA Matters for UK Financial Services
DORA is designed to enhance operational resilience across the EU’s financial sector by standardising practices for incident reporting, third-party risk management, and ICT systems resilience. While it’s an EU regulation, DORA’s implications extend to UK firms operating across borders or working with EU-based partners. Aligning with DORA helps UK organisations strengthen their resilience and remain competitive in a highly interconnected global financial ecosystem.
Why Now?
- The global financial sector is becoming increasingly interconnected, and operational disruptions can have widespread consequences.
- Threats such as cyberattacks and third-party failures are growing in frequency and sophistication.
- Proactive resilience is essential not only to meet regulatory requirements but also to safeguard customer trust and operational integrity.
DORA vs. UK Regulations: Alignment and Key Differences
The webinar highlighted areas where DORA aligns with and diverges from UK regulations like the FCA’s PS21/3 framework and the Bank of England’s guidelines for critical third parties.
Key Areas of Alignment:
- Operational Resilience: Both DORA and UK regulations require firms to map critical business services, set impact tolerances, and test resilience against severe but plausible disruptions.
- Third-Party Risk Management: Both frameworks emphasise the importance of robust contracts, ongoing monitoring, and due diligence for ICT providers.
- Incident Reporting: While DORA mandates reporting within one business day, UK guidelines emphasise timely communication.
Key Differences:
- Scope: DORA applies to a wider range of entities, including ICT providers, whereas UK regulations place accountability solely on financial institutions.
- Standardisation vs. Flexibility: DORA creates a harmonised framework across the EU, while UK regulations are tailored to the domestic market, offering greater flexibility.
- Enforcement: DORA includes stringent penalties for non-compliance, whereas UK regulators focus more on remediation.
Lessons from the CrowdStrike Incident: Third-Party Risk in Focus
The CrowdStrike incident in July 2024 served as a stark reminder of the vulnerabilities associated with third-party providers. The webinar emphasised key lessons:
- Visibility Is Key: Organisations must have real-time insight into the operational status and security posture of their vendors.
- Proactive Communication: Open and regular communication with third-party providers can mitigate the impact of disruptions.
- Resilience Over Reliance: Avoid dependence on a single vendor for critical services; diversification is essential to minimise risk.
What UK Firms Need to Do: Strategic Actions
To navigate DORA and UK regulations effectively, UK organisations should focus on:
- Dual Compliance: Build a unified framework that leverages the commonalities between DORA and UK standards.
- Streamlined Incident Reporting: Develop a single protocol that meets both DORA’s and FCA’s requirements, supported by automation.
- Engage ICT Providers: Evaluate vendors’ ability to meet regulatory requirements and include dual compliance clauses in contracts.
- Monitor Regulatory Developments: Stay proactive in tracking changes to both DORA and UK frameworks to ensure ongoing alignment.
Actionable Steps to Begin Your Resilience Journey
- Audit Your Current Position: Identify gaps in your resilience strategy, vendor relationships, and compliance practices.
- Enhance Visibility: Break down silos to gain a holistic view of your organisation’s operational dependencies.
- Leverage Technology: Adopt tools for continuous monitoring, incident reporting, and compliance management to maximise efficiency.
What’s Next?
The journey to operational resilience is ongoing, but taking proactive steps now will position your organisation for long-term success. For further insights and resources, we invite you to:
- Join our LinkedIn group: The Financial Compliance & Digital Resilience Circle
- Download our whitepaper: A Strategic Approach to DORA
If you’d like to discuss how Secon Cyber can support your organisation’s compliance and resilience strategy, please get in touch with our team. Contact Us: info@seconcyber.com