#4 ICT services supporting Critical or Important Functions
The DORA regulation requires financial entities to adequately manage the risk of outsourcing critical or important functions to third-party ICT service providers. This makes sense. Whilst a financial organisation can transfer some of its operational risk to third parties, compensated by contractual penalties, ultimately the financial entity will suffer most from the loss of a particular ICT service.
Before we delve into how the European Commission defines “critical or important functions” in the DORA regulation, it is worth pausing to reflect why this regulation was written into EU law for all member states to adhere to. As previous financial crises showed, the collapse of one financial entity can lead to the collapse of others, due to short-term liquidity issues or the reliance on another entity for a business process, such as settlements.
The proportionality concept introduced in DORA is also relevant here. The operational failure of a crypto broker or a small mortgage lender is unlikely to have a material impact on other financial entities, sufficient to concern the EU banking ecosystem. Therefore, we would expect these companies to have a reduced set of critical or important functions.
Definition
The regulation is vague when it defines the term “critical or important functions”, using phrases such as “the disruption [of the function] would materially impair the financial performance … or the soundness or continuity of its services and activities … [or] impair the continuing compliance …”
Whilst this definition could describe almost all functions of a financial entity such as a bank, the selection of business processes which are critical or important should be restricted to those which would have a knock-on effect to other entities. For example, payroll is an important function for all companies, but one that is unlikely to affect a wider ecosystem in the short term.
How to prepare for DORA
As a financial entity, the task here is to document all of your business functions and label each one as critical, important or neither. These could be client onboarding, credit card transactions or physical building security. Then, map your business and IT applications to these functions. This is no small undertaking, as the relationship is many-to-many: for example, your VPN application is likely to underpin multiple business processes.
Hopefully your IT asset inventory mapping applications to hardware, software and databases is up-to-date. If not, now is the time to refresh it and ensure there are processes in place to maintain its integrity.
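The mapping exercise above is easier to reason about once it is written down as data. The script below is an added example, not part of the original post: it models the many-to-many relationship between business functions and applications, lets each application inherit the highest label of any function it underpins (so a shared VPN supporting one critical function counts as critical), lists which functions the loss of a given application would impair, and flags applications that a function depends on but that are missing or empty in the asset inventory. All function, application and asset names are constructed placeholders.

```python
"""Added example (not from the original post): derive the DORA label each ICT
application inherits from the business functions it underpins, and check the
asset inventory behind those applications for gaps.

Every name below is a constructed placeholder, not a real inventory.
"""

# Labels as used in the post, ranked so the highest label wins for a shared app
RANK = {"neither": 0, "important": 1, "critical": 2}

# Business functions with their label (constructed sample data)
FUNCTIONS = {
    "client_onboarding": "important",
    "card_transactions": "critical",
    "building_security": "neither",
    "payroll": "neither",
}

# Many-to-many mapping: each function lists the applications it depends on.
# "vpn" deliberately appears under several functions, as the post describes.
FUNCTION_APPS = {
    "client_onboarding": {"kyc_portal", "vpn"},
    "card_transactions": {"card_switch", "vpn"},
    "building_security": {"badge_system"},
    "payroll": {"hr_system"},
}

# Asset inventory: application -> hardware, software and database components.
# "hr_system" is intentionally absent and "badge_system" is empty, to show gaps.
ASSETS = {
    "kyc_portal": {"hardware": ["srv-01"], "software": ["web-tier"], "database": ["kyc-db"]},
    "vpn": {"hardware": ["fw-01"], "software": ["vpn-gateway"], "database": []},
    "card_switch": {"hardware": ["srv-02"], "software": ["switch-app"], "database": ["card-db"]},
    "badge_system": {"hardware": [], "software": [], "database": []},
}


def app_criticality(functions=FUNCTIONS, function_apps=FUNCTION_APPS):
    """Map each application to the highest label of any function it supports."""
    result = {}
    for func, apps in function_apps.items():
        label = functions[func]
        for app in apps:
            if app not in result or RANK[label] > RANK[result[app]]:
                result[app] = label
    return result


def functions_impacted(app, function_apps=FUNCTION_APPS):
    """Business functions that would be impaired if this application were lost."""
    return sorted(func for func, apps in function_apps.items() if app in apps)


def inventory_gaps(function_apps=FUNCTION_APPS, assets=ASSETS):
    """Applications a function depends on that are missing from the inventory
    or recorded without any hardware, software or database components."""
    referenced = set().union(*function_apps.values())
    gaps = {}
    for app in sorted(referenced):
        record = assets.get(app)
        if record is None:
            gaps[app] = "missing from inventory"
        elif not any(record.values()):
            gaps[app] = "no components recorded"
    return gaps


def critical_assets(functions=FUNCTIONS, function_apps=FUNCTION_APPS, assets=ASSETS):
    """Inventory components that ultimately support a critical function."""
    components = set()
    for app, label in app_criticality(functions, function_apps).items():
        if label == "critical" and app in assets:
            for group in assets[app].values():
                components.update(group)
    return components


def report():
    """Print the derived view a reviewer would want before the third-party work."""
    for app, label in sorted(app_criticality().items()):
        print(f"{app:<14} {label:<10} supports: {', '.join(functions_impacted(app))}")
    for app, why in inventory_gaps().items():
        print(f"GAP  {app}: {why}")
    print("components behind critical functions:", sorted(critical_assets()))


if __name__ == "__main__":
    report()
```

Running the script shows the VPN inheriting the "critical" label from card transactions even though client onboarding is only "important", and lists hr_system and badge_system as inventory gaps to close before the third-party risk and contract work starts.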
What’s next?
In the next blog we will look at how the definition of critical or important functions affects third-party management, especially risks and contracts.
#DORA #finance #regulation #EU #cyber #resilience