Regulatory focus on digital operational resilience
Digital operational resilience has become a focus for governments and regulators across sectors, which is unsurprising given that information and communications technology (ICT) is a key enabler of the business models of most financial services providers. With many staff now working remotely, reliable ICT has become even more operationally important.
IT investment and IT risk management have been flagged by the European Central Bank as key concerns in its risk reports over recent years. The European Supervisory Authorities have published a number of guidelines on the topic, including the EBA Guidelines on ICT and Security Risk Management and the ESMA Guidelines on Outsourcing to Cloud Service Providers. On the horizon is the European Commission's proposed Digital Operational Resilience Act (DORA), which was published in 2020 and has been the subject of recent consultation.
Digital Operational Resilience Act
When DORA is enacted, it will apply to financial services firms and to third-party ICT service providers. Under DORA, firms will be required to have internal governance and control frameworks that ensure effective and prudent management of all ICT risks. The board will be required to undertake specific training so that it can understand and assess those risks, and it will be accountable for implementation of the ICT risk management framework. Firms will also be required to establish a designated role to monitor their arrangements with third-party providers of ICT services.
DORA will require firms to ensure that their ICT systems and protocols are reliable and remain resilient in adverse conditions. Systems must be continuously monitored and controlled to minimise risk, and firms must have mechanisms in place to detect anomalous activity. There will be detailed requirements on response, recovery and backups. Firms will be required to have a communications plan enabling responsible disclosure of ICT incidents or major vulnerabilities to clients, counterparties and the public, with at least one person tasked with implementing the communication strategy in the event of an ICT incident.
Central Bank focus on digital operational resilience
The Central Bank of Ireland is also focused on the management of technology risk and published cross-industry guidance on information technology and cybersecurity risks in 2016. More recently, the Central Bank added the role of Chief Information Officer to the list of pre-approval controlled functions under the Fitness and Probity regime. This role is required for financial services providers with a PRISM impact rating of high or medium-high, or where IT is a key enabler or core element of the firm's business model.
The Central Bank's 2021 Priorities identify enhanced organisational capability to deal with cyber-security issues as a key issue for the regulator. In April 2021, the Central Bank opened a consultation on proposed Cross Industry Guidance on Operational Resilience (the Guidance), which contains specific ICT and cyber resilience recommendations. The Guidance states that firms should ensure that the technology they use is robust and resilient and is subject to protection, detection, response and recovery programmes. Firms should identify where technology forms part of any critical or important business service. Systems should be tested regularly, including under simulations of severe scenarios, to ensure continuity if such circumstances arise. The overall operational resilience programme should have regard to ongoing threat intelligence and situational awareness programmes and should be aligned with the firm's IT risk management, IT incident management, and IT continuity and disaster recovery programmes.
The Central Bank expects the boards and senior management of regulated financial services providers to review the Guidance once finalised and to adopt appropriate measures, aligned with the Guidance, to improve their operational resilience frameworks and their effective management of operational resilience. Regulated firms should be able to demonstrate that they have applied the Guidance within an appropriate timeframe. The Central Bank also intends to increase its engagement with firms on their levels of operational resilience. The consultation on the Guidance is open until 9 July 2021.
For more information contact Kevin Allen, Patrick Brandt and Peter Walker, partners and Sinéad Prunty, financial regulation knowledge lawyer or any other member of the ALG Financial Regulation team.
Date published: 2 June 2021