Managing ICT third-party risk under DORA regulation

Posted on: January 31, 2024
facebook x linkedin

Concept, sanctionsWith less than a year to go until the January 2025 deadline to meet the requirements of the Digital Operational Resilience Act (DORA) regulation, entities are digging deeper into understanding the organizational and technical requirements of the regulation. As organizations begin to determine the impact that DORA has on their specific business, a common thread has emerged: while Information and Communication Technology (ICT) Third-Party Risk Management (TPRM) is its own pillar in the regulation, TPRM touches on all other pillars of the regulation.

The DORA pillars of Risk Management and Governance, Incident Management, Resiliency Testing, and Information Sharing are all aspects of determining the impact of third parties on the resiliency of an organization. However, results from a poll conducted during our recent Bolstering Third-Party Risk Management Under DORA Regulation webinar showed that only 5% of respondents consider their TPRM team to be fully integrated into their DORA program. It is critical that organizations work to understand the impact of DORA on third parties as well as how to implement a robust third-party strategy that effectively manages third parties throughout their lifecycle. 

ICT third-party providers are indirectly impacted by DORA

It is likely no surprise to hear that, generally speaking, financial entities in the European Union are affected by DORA regulation. However, because DORA is so deeply focused on critical ICT third-party providers, there is a cascading effect that indirectly affects other entities. DORA only allows impacted entities to enter into contract with providers that meet a high level of information security requirements. Because of this, if an ICT third-party provider is not directly impacted by DORA, if they do not meet the standards required of these entities they will not be able to stay in business with them. 

Additionally, the definition of ICT third-party providers not only includes cloud services but also network services, hardware services, and ICT consulting. This change broadens the scope of risk management considerably, and so impacted entities should take note and proceed accordingly.

Managing third-party vendors across their lifecycle

Under DORA, entities will need to engage teams on a greater level from procurement to onboarding to monitoring. Teams will need to be involved in more steps of the process for comprehensive due diligence and risk assessments during the procurement process as well as with developing monitoring and exit strategies. Additionally, teams must work together to develop a greater understanding of the exact business need of the third-party provider and whether it supports a critical function. DORA requires entities to consider the following across each stage of the vendor lifecycle: 

Pre-contract 

  1. Clearly define the business need addressed by the third party 
  2. Determine the criticality of the function itself served by the third party 
  3. Identify and assess all risk assessments associated with the third-party service, with special attention to concentration and sub-outsourcing risks 
  4. Perform thorough due diligence on the provider 
  5. Assess potential conflicts of interest 

Contract 

  1. Implement minimum contractual requirements for ICT service providers 
  2. Refer to the regulation and take into account reporting requirements that will be enacted annually 
  3. Additionally, consider any audit rights and security requirements to be included in the contract 
  4. Be proactive in considering what contractual changes must be made or enacted in regards to change cycles; plan accordingly and take action on any changes and consider revising your timelines to ensure that your third-party vendors are DORA compliant in time 

Ongoing monitoring 

  1. Determine strategies to have a robust monitoring process in place; which tools, technologies, and activities can you enable to ensure that you have clear visibility into the health and security of your ICT third-party vendors? 
  2. Be sensitive to any data breaches that may occur 
  3. Identify which key performance indicators (KPIs) you will track that show adherence to the contractual agreement 
  4. Maintain a detailed information register for all suppliers and their supply chains 
  5. Ensure you have a way to report your compliance and monitoring to supervisory authorities 

Post-contract 

  1. Develop clear termination clauses and exit strategies for any contingency 
  2. Understand the timelines associated with termination and offboarding 
  3. Define criteria for the activation of exit strategies 
  4. Put in place measures to ensure efficient and effective data recovery 

With these considerations in mind, entities will have a cross-functional understanding of the responsibilities and requirements associated with each step of the ICT third-party vendor lifecycle. 

Implementing effective TPRM under DORA 

There is no doubt that to achieve compliance with DORA, entities must have a clear and robust TPRM program in place. To establish and ensure that their program effectively adheres to DORA regulation, teams must enact strong governance, cross-functional collaboration, and consistency. 

When it comes to strategy and governance, entities must take time to read and consult the regulatory technical standards (RTSs), implementing technical standards (ITSs), and consultation papers that have been published by the European supervisory authorities (ESAs) to understand the true level of effort needed. They need to monitor and control contractual arrangements on a continuous basis and ensure that they not only understand what is being asked of them but also that they are adapting their program to achieve and maintain compliance with DORA. 

DORA regulation creates a unique opportunity to bring teams together to align on operational resilience. It’s been said before but bears repeating: DORA is not a check-the-box compliance activity but rather an opportunity to enact best practices and ensure that the entity is setting itself up for greater operational resilience. DORA must be a deeply cross-functional collaboration effort.

With DORA, organizations need to rethink how they engage teams across the third-party lifecycle. Typically, procurement is handled by one team, ongoing monitoring is handled by risk teams or primary users, and so on. Under DORA, risk teams must take on a more active role in procurement to assess potential risks before a contract is enacted. Similarly, procurement teams must be more active throughout the lifecycle to ensure contractual adhesion. Entities must establish closer relationships between teams and create more seamless handovers to ensure transparency and communication. 

Finally, organizations need to ensure that their policies regarding ICT third-party vendors are applied with consistency. There needs to be a universal understanding of how the entity defines criticality as well as what their critical functions are. Any policies in place need to be reviewed and assessed so that they are consistent across groups. 

Additional best practices for TPRM under DORA 

One of the foundational elements of implementing a DORA program is identifying critical business functions. With ICT third-party vendors, there needs to be an understanding of how each vendor ties into each of the organization’s critical business functionsnot just understanding the risk associated with the third party as a whole. Entities must focus on risk from a service-level (e.g. how does each service from the third party map to the organization’s critical business functions?). Organizations must understand on a granular level how the vendor is interwoven into their processes, assets, resources, and functions. 

Additionally, because DORA is a cross-functional endeavor, entities must have a single source of truth for all of their activities. There needs to be a clear methodology to communicate information to teams and stakeholders and all efforts must be de-siloed. Business continuity, operational resilience, TPRM, operational risk, and other teams must all be able to come to the table to strategize, make decisions, and fully understand how the organization is impacted by DORA regulation. 

Next steps for DORA 

If you’re looking for a partner to help you on your DORA journey, Fusion is here to help! Fusion provides a single hub for your DORA compliance efforts by bringing together information and automating activities. In addition, Fusion has a robust TPRM offering that allows organizations to monitor the health and security of their ICT third-party vendors across the entire lifecycle. For more information, contact our team or request a demo today!