Intelligent CIO Europe Issue 87 | Page 70

It'll require a significant amount of resources to completely map out all of your third-party providers.

Most financial institutions and banks will have felt confident in their scenario-based testing and, by extension, their compliance with DORA when the deadline passed this January. And if DORA's scope didn't extend beyond an organisation's own internal compliance, they would be right. Unfortunately for most, DORA extends to cover all of an organisation's third parties and supply chains, creating the risk of a pretty large potential blind spot.
Time to put the work in
Financial services organisations can do all the work they want ensuring internal compliance with DORA, but unless their third-party and supply partners are also compliant, they will fail regardless. And these are no small stakes. According to EY's Global Third-Party Risk Management Survey, in the US alone, 98% of financial services organisations have partnerships with third-party vendors. Although they may not realise it, third parties are one of the biggest risks to FS organisations when it comes to DORA compliance.

Sadly, there is no quick fix. At the very minimum, every bank and financial institution in every EU Member State that falls under DORA is going to have to renegotiate many Service Level Agreements (SLAs) with existing and new third-party partners. Financial services organisations can't afford to be under any illusions: this will be a necessary but significant piece of work. Cementing DORA compliance as a prerequisite in those agreements will be essential for continued compliance, but it will require collaborative work from across the business. Security, risk management and legal teams will all need to band together to pull this off.
DORA's double duty for data resilience

Of course, even having DORA compliance confirmed amongst your third-party providers won't make your organisation completely invulnerable to cybersecurity threats. But it will put you in good stead when it comes to recovering from an attack. After all, regulatory compliance has never equalled complete security. DORA is more of an exercise in operational resilience improvement, which is a key piece of the puzzle for recovery from cyberattacks.

But this doesn't mean that compliance should be an afterthought. For financial services organisations to achieve compliance with DORA and secure their
70 INTELLIGENTCIO EUROPE www.intelligentcio.com