
DORA: Exploring further with a targeted questionnaire  

As we covered in the last DORA Digest, most organisations that are in scope of DORA are likely to be at least partially in compliance with its requirements already. The fact is that, when it comes to DORA, size really does matter. It’s the larger financial institutions that have had the resources to meet at least some DORA requirements already. Of the organisations struggling to reach compliance, it is likely to be smaller or less mature organisations that are still trying to create or change their policies, processes, and procedures.  

The purpose of this monthly DORA Digest is to outline what most of these organisations will need to do to achieve the desired results. With less than a year to go until DORA takes effect, the DORA compliance journey should be well mapped out by now. This month, we cover:  

  • Understanding DORA requirements in more detail 
  • How Thomas Murray’s DORA assessment questionnaire can help 
  • Challenges that organisations are likely to face
Your contact
Kevin Groves

Sales Director | Cyber Risk


Under the hood: DORA requirements in detail 

DORA seeks to ensure that risk management for Europe’s banking and financial infrastructure is not a tick-the-box exercise. It goes beyond setting out requirements by providing technical guidance, so that risk management procedures can be aligned to good practice and effectively implemented. Let’s look at the requirements in more detail as they relate to DORA’s various Chapters and Articles.

ICT risk management 

  • ICT governance and organisation: Covers the requirement to have three lines of defence for ICT risk management and seeks to ensure that organisations have allocated resources and responsibility for managing ICT risk and ICT third-party risk.

  • ICT risk management framework: Provides requirements for various components of an organisation’s ICT risk management framework, its ICT risk management framework review process, and its digital operational resilience strategy.

  • Identification: Elaborates on how the organisation goes about identifying ICT risk. Includes (among other things) sources of risk identification, consideration of the criticality of ICT assets, ICT risk scenarios, and ICT risk assessments. Also includes methods for identifying critical business functions, ICT assets and ICT third parties that support critical functions.

  • Protection and prevention: Describes the requirements for implementing ICT security policies, procedures, protocols, and tools that aim to ensure the resilience, continuity, and availability of ICT systems. 

  • Detection: Provides requirements around implemented detection use cases, alert thresholds and resources for monitoring and detection. 

  • Response and recovery: Covers requirements for organisations to have implemented ICT incident response and recovery processes, along with testing of the same and how it aligns to overall business continuity management. 

  • Backup policies and recovery methods: Sets out requirements for organisations to implement backup policies and procedures to support the recovery process, along with requirements on restoration activities. 

  • Learning and evolving: Includes requirements for organisations to continuously learn from incidents and the threat landscape, and to improve ICT risk management practices.

  • Communication: Provides requirements around sharing information in a coherent way during a crisis.

ICT-related incident management, classification, and reporting 

  • ICT-related incident management process: Components to be considered in the ICT-related incident management process (and implementation of the same). 

  • Classification of ICT-related incidents and cyber threats: Classification guidance for ICT-related incidents and, more specifically, what the various input parameters are for determining what counts as a significant ICT-related incident. 

  • Reporting of major ICT-related incidents: Describes what the content of ICT-related incident reports should be, which authorities to report to, and what the timelines for reporting are. 

Digital operational resilience testing 

  • General requirements: Expands on requirements to have a range of assessments, tests, methodologies, practices and tools, sourcing models for performing tests, and processes for remediating and reporting findings. 

  • Testing of ICT tools and systems: Provides requirements on types of assessments and tests to be performed. 

  • Advanced testing based on threat-led penetration testing (TLPT): Provides requirements for conducting regular TLPT, and requirements for internal and external testing teams.

Managing of ICT third-party risk 

  • General principles: Covers requirements around (among other considerations) ICT third-party risk management frameworks that assess risk for ICT third parties across various risk domains (such as financial, legal, and ICT security), contracting, and the process of performing ICT third-party risk assessments.

  • Assessment of ICT concentration risk: This Article includes requirements for organisations to assess ICT concentration risk at a group level and for managing sub-contracting relationships. 

  • Key contractual provisions: Details requirements around minimum contractual clauses for critical and non-critical ICT third parties.

Pre-flight checklist: ready to go  

Here at Thomas Murray, we have developed a methodology that considers an organisation’s level of compliance against each of DORA’s individual requirements. This approach reflects the fact that most organisations that are in scope of DORA are likely to be at least partially in compliance with its requirements already. 

Using our Diligence tool, we can collect information and insights from across an organisation and review as required. For complex organisations, the assessment approach and tooling in place should be considered, because (as noted) there are extensive requirements that need to be reviewed, assessed, and potentially mapped to existing activities.  

This gap assessment is critical, as it will form the basis of the rest of the work the organisation needs to do in the run-up to DORA coming into force in 2025.

How the questionnaire works 

  • The questionnaire is structured to mirror the DORA requirements.
  • These requirements are broken down into multiple options for granular input and analysis, for example: 

  • The scoring methodology is then normalised. This gives an organisation: 
    • the ability to easily report overall compliance, compliance for chapters/functions, etc.; and
    • an overview of how many requirements it has/has not met.