
The DORA-compliant ICT supplier survey is designed to verify a range of information about a financial entity’s supplier, including whether the contract covers ICT services supporting a critical or important function. In a highly competitive financial market, depriving financial entities of the opportunity to establish partnerships with ICT third-party providers would reduce the quality of services offered to the target customer. Financial entities, despite their obligations regarding the confidentiality, availability, integrity and authenticity of data, must continue to cooperate with critical third-party providers.
For this reason, the legislator built a compromise into the Digital Operational Resilience Act. On the one hand, it incentivizes cooperation and information sharing; on the other hand, it creates conditions under which such cooperation and information sharing remain secure. Surveys of ICT providers are one of the tools that make this possible.
ICT providers
DORA provides a definition of an ICT provider but does not state whether a particular company providing a particular service or offering a particular product is such a provider. To determine whether an entity is an ICT service provider, it is necessary to refer to the definition of ICT services. ICT services include digital services and services provided at a specific time by ICT systems to one or more internal or external users, including hardware provided as part of the services and the provision of technical support through software or firmware updates supplied by the hardware provider, excluding traditional analog telephony services.
This is a very broad definition: it is sufficient for a provider to deliver digital services through ICT systems to be considered an ICT third-party service provider. Notably, it also covers hardware providers serving financial entities.
Tasks of a financial entity
Knowing the definition of an ICT provider, it is possible to determine whether the company with which a financial entity wants to start working falls into this group. Organizations that fall into this category have several obligations imposed on them. The legislator knows that the financial entity does not have as direct control over the supplier’s ICT environment as it does over its own. Moreover, the financial entity has minimal control over its ICT supplier’s subcontractors. Despite this, Article 28(1)(a) indicates that, under DORA, the entire responsibility for the application and fulfillment of the contractual arrangements between the financial entity and the ICT supplier lies with the financial entity.
DORA, among other things in Articles 28 and 30, specifies many of the tasks facing a financial entity that wishes to enter into a relationship with an ICT provider. The financial entity must clearly define the rights and obligations of both parties in writing, including service level clauses. The financial entity must receive assurances that the ICT third-party service provider will support it in the event of any incidents related to the ICT service. It should also receive assurances regarding the ICT provider’s cooperation with the relevant regulators and resolution authorities. The financial entity must be provided with termination rights in specific situations, and minimum notice periods must be specified. A description of all ICT functions and services provided by the provider, including subcontracting terms, should be drawn up. The regions or countries where services will be provided and data processed must be specified, with an obligation to give advance notice of changes in the processing location. The financial entity must include provisions for data availability, authenticity, integrity and confidentiality. The financial entity must also prepare a description of the guaranteed service levels, their updates and the change process. In addition, there must be an assessment of compliance with supervisory conditions for contracting, and potential areas of contractual conflict of interest should be identified.
The financial entity must select ICT providers that adhere to appropriate information security standards, particularly in the context of critical or important functions. For this reason, it should verify whether the contract covers ICT services supporting a critical or important function. With this set of information in hand, the financial entity identifies and evaluates all material risks associated with the contract, including concentration risks in the ICT area.
ICT provider survey
What is the first step that makes these tasks possible? One of the tools created for this purpose is the ICT supplier survey. One of the worst forms of risk is the unknown. Conducting an interview or sending a survey to an ICT provider, covering all the issues that matter from the financial entity’s perspective, allows you to build a basic awareness of the provider’s ICT environment and services. This helps to reduce the risks associated with cooperation. This is a major challenge facing financial entities and, among others, the purchasing departments responsible for acquiring new services and products.
In addition, according to Article 28(3), financial entities must maintain and continuously update a register of information with respect to all contractual arrangements for the use of ICT services provided by ICT third-party service providers. These must be properly documented, distinguishing between arrangements that include ICT services supporting critical or important functions and arrangements that do not. This is further clarified by the implementing technical standard (JC 2023 85) included in the first part of the regulatory technical standards. This standard defines the templates according to which financial entities should keep the register of information on contractual arrangements with ICT providers. Classifying ICT providers as critical or important, internal or external, and by many other criteria also requires data drawn from the survey.
Financial entities shall, at least annually, report to the competent authorities the number of new arrangements for the use of ICT services, the categories of external ICT third-party providers, the types of contractual arrangements, and the ICT services provided and functions supported. Financial entities shall also provide this and other information at the request of the competent authority.
Role of the European Supervisory Authorities (ESAs)
The ESAs, comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), are responsible for supervising critical ICT third-party providers that offer services to financial entities in the EU. The ESAs’ involvement helps ensure that the conditions for secure information transfer are met, supporting the legislator’s compromise by balancing cooperation with security requirements.
The ESAs need information collected in the DORA information registers from ICT Surveys to effectively monitor and assess the risk landscape of ICT third-party providers. This data enables the ESAs to identify potential vulnerabilities and threats, ensuring that financial entities are adequately protected against cyber risks. By leveraging this information, the ESAs can provide informed guidance and enforce compliance with regulatory standards, thereby enhancing the overall resilience and security of the financial sector.
Use of tools for generating, evaluating and storing surveys
Sending an ICT supplier survey as a simple Excel table may not be sufficient at the scale on which a typical financial entity cooperates with ICT suppliers, as it is a manual and time-consuming tool to analyze. Simply collecting information from an ICT supplier is only the first step in third-party risk management, one of DORA’s primary obligations. A simple spreadsheet file may also be insufficient for storing the register of contractual arrangements with ICT suppliers.
For this reason, it is advisable to use modern GRC tools that can facilitate the acquisition of information from an ICT supplier and, more importantly, automate the analysis of the information the supplier provides. Using a comprehensive system allows for repeatability, and repeatability saves time and money. It is for this reason that RIG DORA provides functionalities such as a register of information covering contracts, procedures and subcontractors. This gives insight into the overall third-party risk management in one place. Unlike an Excel table, processing, comparing and analyzing the data in these registers is straightforward, and conclusions can be seen instantly on an aggregated dashboard.
Regardless of the form of survey chosen, it is worth keeping the purpose of the survey in mind. An effective survey should be able to translate its results into the requirements of the Digital Operational Resilience Act and map the supplier against assets and processes. For this reason, a task module has been prepared in RIG DORA, which assigns accountability to team members for carrying out the activities aimed at ensuring digital operational resilience.