The Digital Operational Resilience Act for private equity: All change for the relationship between firms and vendors

Firms that have not already started preparing for DORA still have a small window in which to achieve compliance. Even those firms that are not affected by DORA can use the regulation to maximise their operational resilience and strengthen their cyber security posture.  

(or main areas) that private equity firms will need to address now, if they haven’t already: 

• Information and communication technology (ICT) risk management 
• ICT-related incident management, classification and reporting 
• Digital operational resilience testing 
• Management of ICT third-party risk 
• Information sharing arrangements 

Firms should start by identifying and mapping ICT systems/providers, reviewing policies and procedures, assessing current capabilities vs. requirements, and developing an implementation roadmap.  

Unlike other regulations in this space that have been seen before, DORA makes technology, resiliency and the management of technology risk a true board-level issue. DORA requires establishing an internal governance and control framework for ICT risk management. The board/senior management will be responsible for defining, approving and overseeing the implementation of ICT risk management. 

There are new requirements for contractual provisions with ICT service providers and obligations in case of breaches by providers. DORA does, however, recognise that requirements should be implemented proportionally based on a firm's size, risk profile, and complexity.  

Changing the relationship between vendors and firms 

DORA will have a huge impact on the relationship between private equity firms and their third-party providers. Private equity firm leadership will be required to engage with third-party provider risk at a level that has not been seen before. Board members must be kept informed of technology risk on an ongoing basis, with appropriate educational support for them to ensure the management of technology risk is informed. Gone are the days of leaving IT and technology to an individual in the back office – IT risk is now a permanent item on the board’s agenda.  

Enhanced due diligence 
Private equity firms must conduct more thorough assessments of their ICT service providers' security posture, risk management practices, and DORA compliance. This includes evaluating the technology and systems used by vendors, not just internal systems. Having an in-depth understanding of the technology that is used to support business operations is fundamental to achieving compliance.  

Contractual requirements 
Contracts with ICT service providers need to be updated to include specific DORA compliance clauses. These should cover: 

• Incident reporting procedures 
• Information sharing protocols 
• Audit rights 
• Exit strategies 

Ongoing monitoring 
Firms are required to continuously monitor their service providers' adherence to DORA requirements. This may involve: 

• Regular reviews of services against established (and meaningful) KPIs. 
• Audits and external validation activities that demonstrate compliance to DORA. 

Critical provider designation 
DORA introduces the concept of “critical ICT third-party service providers,” which will be subject to direct regulatory oversight. Private equity firms need to identify which of their providers may fall into this category. 

Risk management strategy 
Firms must establish a comprehensive strategy for managing third-party risks and maintain a register of agreements with ICT service providers.  

Subcontractor oversight 
Private equity firms need to extend their due diligence to include service providers’ subcontracting arrangements, often referred to as either ‘fourth party’ or ‘Nth party’ relationships. 

Exit planning 
Only 17% of firms currently have exit strategies in place for critical vendors. DORA requires the development of both ‘soft’ and ‘hard’ exit strategies for key providers. 

Information sharing 
There’s an increased emphasis on sharing threat intelligence within trusted communities, which may involve third-party providers. 

Operational burden 
The additional requirements are likely to increase the operational resources needed to manage third-party relationships effectively. 

Private equity firms will need to develop closer, more transparent relationships with their ICT service providers to ensure mutual compliance and enhanced operational resilience. 

If you are struggling with your cyber security and data protection, or need help with DORA compliance, at Thomas Murray we are uniquely placed to help you. We offer bleeding edge cyber security guided by threat intelligence, regulatory expertise, and years of experience in assisting funds of all kinds. Talk to us today to find out more about what we can do for you.