DORA aims to enhance digital operational resilience in the financial sector

Marketing Communication

Date: 17 September 2024

  • Regulation
Digital Operational Resilience Act
Building resilience in the digital realm Source: Melanie Hobson 2017

Only a few weeks ago, cybersecurity firm CrowdStrike’s defective software update caused worldwide outages of Windows systems and crippled airports, hospitals and banks. This is only one of many examples demonstrating how vulnerable IT systems can be. With the Digital Operational Resilience Act, DORA for short, the European Union has therefore created a regulation for the entire financial sector covering digital operational resilience, information and communication technology (ICT) threats and cybersecurity.

universal spotlight spoke to Universal Investment Managing Director Dr André Jaeger, the program sponsor for the group-wide DORA program, about the practical implementation of the requirements and the implications for customers.
Dr André Jaeger, Managing Director, Head of Risk, Universal Investment

universal spotlight: Dr Jaeger, what can we learn from the CrowdStrike event?

Dr André Jaeger: Even though our own IT systems as an investment management company were not impacted, it was trailblazing to experience such a disruptive global incident. Particularly at a time when we are implementing our group-wide DORA programme in order to avoid similar incidents in our industry from the outset or at least be better prepared. New regulatory requirements always involve significant internal implementation efforts. However, the CrowdStrike event emphasises once more the importance of IT security in the financial services sector.

What is DORA about – in a nutshell?

A very prominent element of DORA is the requirement to have a robust resilience testing strategy in place, making sure that any changes to the systems supporting the business processes are thoroughly tested before going into production. The principle is to avoid things going wrong in the first place – by testing.

The CrowdStrike event also demonstrated how crucial it is to have the service provider supply chain mapped, which is what DORA wants to achieve with the Information Register. The information captured helps to understand dependencies and associated risks with each service provider. Identifying which providers are critical to the operation in advance will enable rapid response in an incident as well as minimised downtime and effective communication.

The same is valid for the implementation of a multi-vendor strategy, which reduces reliance on individual service providers, as well as the implementation of a solid incident management.

How is Universal Investment approaching the DORA programme?

We have set up a group-wide DORA programme, enabled by a robust programme governance. We are currently implementing the DORA requirements in a phased approach.
We have successfully closed out the first phase by completing the gap assessment of the DORA requirements. In phase two, the four sub-projects are implementing deliverables for DORA coming into force on 17 January 2025. This includes the implementation of DORA-relevant strategies, procedures and tools. During the final third phase we will embed compliance into the business-as-usual activities of the organisation.

What implications does DORA have for Universal Investment’s customers?

Our primary goal is to enhance the security and resilience of our digital infrastructure, and this will also benefit our customers. Working towards DORA compliance will support us in enhancing our existing risk management framework and realising several benefits.

We will implement even more robust cybersecurity measures to ensure digital operational resilience. This will further reduce the risk of cyberthreats and operational disruptions and provide a more secure and robust IT environment. Our aim is to safeguard our customers against emerging digital risks and ensure the continuity of our services. In addition, we have planned the DORA programme implementation strategy to further avoid disruptions to our operations.

One of the fundamental DORA principles is the management of risks along the supply chain of service providers, the so-called third-party risks. We are identifying critical or important functions and are working closely with our third-party providers to ensure they meet the same high standards of security and resilience.

I am confident that these enhancements will further solidify our position as a trusted partner for our customers.

Does DORA affect the handling of customer data?

DORA puts an even greater emphasis on data protection and security. So, there may be stricter protocols for handling, storing and transmitting customer data to ensure its integrity and confidentiality. If there are any implications for our customers, we will of course inform you promptly.

What is the Information Register all about?

Financial institutions subject to DORA regulation must complete a so-called Information Register, where they capture key information about external service providers (third-party providers). Some of Universal Investment’s customers will also have to comply with these DORA requirements and might classify Universal Investment as an ICT service provider according to DORA.

Universal Investment will, of course, fulfil our obligations to provide the required information for the Information Register. As we are currently still in the process of implementing DORA, gathering and providing the information will take some time. We expect to be able to provide the information by the end of 2024.

Will customers have to adjust existing service contracts and service agreements due to DORA?

Yes, it is possible that customers governed by DORA must adjust their existing service contracts and the associated service agreements to meet the DORA requirements. This could involve contracts where Universal Investment is the service provider, especially when the contract relates to ICT services as defined by DORA. The customers should then contact their Universal Investment account manager to receive support with adjusting the corresponding service contracts to comply with DORA requirements – together we will find solutions.
