Given the dynamic changes in the information and communications technology (ICT) space and the growing risks associated with cybersecurity, financial entities must have a proactive and comprehensive approach to identifying, assessing and addressing potential risks. Failure to do so could jeopardize digital operational resilience, network security, and the integrity, availability, authenticity and confidentiality of data of financial entities and their customers. For this reason, it is important to properly establish and maintain security policies in cooperation with third-party ICT providers. It has happened many times that access to an organization’s IT systems was gained through the infrastructure of an external provider. An example of this is the 2020 attack on the SolarWinds corporation, in which a compromised supplier served as the stepping stone for subsequent intrusions. Attackers then gained access to the ICT environments of many global corporations. The Digital Operational Resilience Act (DORA) regulation draws attention to this, sets out rules for working with suppliers, and indicates how risks can be mitigated when using third-party ICT services.
Why does DORA focus on ICT risk management?
Changes in the way financial institutions operate, such as moving payments to the digital world, e-commerce or online claims processing, make the use of IT services an essential part of their daily operations. Today, IT systems are built as a network of interconnected vessels. Some of them are developed internally within the organization, but there is also a large group that is sourced from external ICT providers. For this reason, it is in the interest of financial entities to properly evaluate suppliers to enhance the overall security of an organization’s entire ICT environment. However, despite the significant role played by ICT services, the lack of clear community-wide standards for contracts with external ICT third-party service providers has been a challenge in effective risk management. For this reason, DORA aims to address this gap by establishing principles to guide financial entities in managing risks associated with ICT service providers.
DORA includes a broad definition of an external ICT third-party service provider, defining it as “an ICT service company,” with ICT services defined as “digital and data services provided continuously through ICT systems to one or more internal or external users, including hardware as a service and hardware services including the provision of technical support through software or firmware updates by the hardware provider, excluding traditional analog telephony services.” The breadth of this definition is deliberate: it is meant to cover the issue as horizontally as possible. If a company working with a financial entity is wondering whether it counts as an ICT provider for that entity, and therefore whether the DORA requirements apply to it, the answer is most likely yes.
These principles complement the sector regulations on outsourcing and form the foundation of a comprehensive approach to risk management in the context of using ICT services. This gives financial entities the confidence that they can effectively control and minimize any risks arising from their reliance on ICT service providers, which is becoming critical to their stability and security in an increasingly digital environment.
What responsibilities does DORA impose on financial entities in relation to ICT providers?
Article 28 of the DORA regulation explicitly imposes the task of managing the risks of external ICT providers. According to this, most financial entities (in addition to microenterprises and those identified in Article 16(1)) must develop a strategy to address the risks associated with external ICT providers. This document can cover the issue of cooperation with all of the entity’s suppliers and does not have to be created separately for each supplier. The strategy also includes a policy on the use of ICT services to support critical or important functions, which applies both at the individual level and, in some cases, at the sub-consolidated and consolidated level.
The financial entity’s management must regularly review the risks associated with the use of external ICT services, taking into account the entity’s overall risk profile and the scale and complexity of the business services it provides. On that basis, the board of directors shall regularly review the identified risks related to contracts for the use of ICT services that support critical or important functions.

From the perspective of both the entity and the supervisory authority, another important element in managing risks when cooperating with ICT providers is the information register on contracts with ICT service providers. This register includes all contractual arrangements for the use of ICT services provided by third parties. Financial entities must maintain and update this document within their organization and, in some cases, at the sub-consolidated and consolidated levels. We wrote more about the information register for contracts with ICT service providers in the article “How to classify ICT providers and describe them in the DORA information registry?”.
Proportionality principle
Financial entities should manage the risks associated with third-party ICT service providers on the basis of proportionality, taking into account the nature, scale, complexity, and importance of ICT dependencies. Risk assessments should consider the criticality or relevance of a service, process, or function to the continuity and availability of financial services. This approach considers various factors to effectively assess and manage risks from ICT service providers. Consequently, risk management of third-party ICT service providers is not homogeneous but rather tailored to the specifics of each service, considering the materiality and impact on the financial entity’s operations.
What must a financial entity do to mitigate the risks of ICT third-party service providers?
To mitigate these risks, financial entities should take measures based on the DORA regulation and the Regulatory Technical Standards on ICT Risk Management Frameworks, as well as the Simplified ICT Risk Management Framework, all of which were published on January 17, 2024.
Before concluding the agreement
Before negotiating and entering into a contract with a third-party ICT provider for ICT services, a financial entity should review several areas to effectively manage risks and ensure compliance with relevant standards. First, it should analyze potential suppliers and their competitors to ensure they are reputable organizations that meet certain standards. Verification should also be conducted to ensure that the ICT services being procured support critical or important functions.
The financial entity should analyze the benefits and costs of different alternatives from various ICT service providers. The focus should be on compliance with the business objectives and needs identified in the digital resilience strategy.
During the contracting process
The financial entity should identify the benefits and risks of working with an ICT provider in much greater detail during contracting. For this reason, the financial entity should assess the risks of the planned contractual arrangements for ICT services, especially those supporting critical or important functions. Significant risks should be identified, and strategies should be developed to minimize them. The consequences of entering into a contract must also be considered, particularly the possibility of being tied to a difficult-to-replace supplier or having multiple contracts with a single supplier. The financial entity must also assess the implications for operating flexibility and the possibility of making changes.
Note that the financial entity should promptly inform the relevant authority of any planned contractual arrangements for ICT services that support critical or important functions, as well as when a function becomes critical or important. The financial entity must consider bankruptcy law provisions related to ICT service contracts supporting critical or important functions. Any limitations related to recovery in the event of the ICT service provider’s bankruptcy must be identified.
If the contract allows for subcontracting, the financial entity must evaluate the potential for long or complex chains of subcontracting and their impact on the ability to monitor contractual functions and supervision by the competent authority. If an ICT service provider has the possibility of subcontracting, the financial entity must carefully assess the benefits and risks of such subcontracting, especially if the subcontractor is located in a third country. If the contract is for ICT services supporting critical or important functions with a third-country-based supplier, the financial entity must verify that EU data protection laws are being followed and enforced.
What should the contract include?
DORA also defines elements that should be included in the contract. A few of the most important points are:
- Parties to the agreement
- The subject of the contract
- Rights and obligations
- Financial issues
- Guarantees
- Audit possibilities
- Possible termination of the contract
- Exit plan
After the conclusion of the contract
Ensuring the security of ICT services provided by third-party providers does not end when the contract is concluded; rather, that is only the beginning. Having secured the right contractually, the financial entity should exercise its right to access, control, and audit the ICT service provider using a risk-based approach. The financial entity should establish the frequency of audits and inspections, as well as the areas to be audited, in advance and in accordance with generally accepted auditing standards. Additionally, the financial entity should monitor the provider and have the ability to terminate the contract in the event of a serious breach of regulations, changes in the functions provided by the supplier, disclosure of weaknesses in ICT risk management, or the inability of the competent authority to effectively supervise.
ICT security and business continuity
As mentioned above, once the contract is concluded, the financial entity should implement several measures. These measures are listed in the regulation and detailed in the RTS. Financial entities must ensure the early and effective detection of anomalies in the operation of ICT services from third-party providers. To this end, they should properly collect, monitor, and analyze information from various sources. It is important to avoid relying solely on logs and consider broader sources of information, including those reported by other internal functions, information from external providers, and information from general sources.
It is important to consider how closely related financial entities’ business continuity policies are to key elements of ICT risk management. In this context, important aspects include incident management, communication strategies, the change management process, and risks associated with external ICT providers. Vulnerability management procedures must include risks associated with external suppliers. Specifically, financial entities must verify that critical ICT third-party service providers are addressing vulnerabilities related to their services. At a minimum, suppliers must report significant vulnerabilities and provide security-related statistics and trends. Financial entities should require third-party ICT providers to investigate important vulnerabilities, identify their causes, and implement appropriate mitigation measures.
The ICT asset management process requires financial entities to maintain records containing various pieces of information, including the termination dates of the third-party ICT service provider’s regular, extended, and customized support services. Financial entities must also implement controls to protect the integrity of source code within ICT systems developed internally or provided by an external ICT provider. Software and, if possible, source code provided by an external ICT provider or derived from open-source projects must be analyzed and tested prior to implementation in a production environment.
In terms of human resource policies, financial entities should implement requirements for their personnel and third-party ICT providers using the entity’s ICT assets. These requirements should relate to communicating and adhering to the organization’s ICT security policies, procedures, and protocols. Financial entities should also develop, document, and implement identity management policies and procedures to ensure the unique identification and authentication of individuals and systems accessing their information.
The continuity of ICT services provided by third-party providers should be continuously tested. As part of their ICT response and recovery plans, financial entities must consider and implement measures to mitigate the impact of failures by third-party ICT providers supporting critical or important financial institution functions. Financial entities should consider scenarios related to the insolvency or failure of the ICT service provider, as well as political risks in the provider’s jurisdiction. They should also establish and update procedures to verify that their personnel, third-party ICT providers, ICT systems, and ICT services can adequately respond to scenarios.
Exit strategy
The financial entity must include the possibility of terminating the contract in certain cases. This requires creating an exit strategy and plan to be implemented in the event of supplier failure, service deterioration, or other disruptions. These plans should be thoroughly documented and tested according to specific criteria, taking alternative solutions and transition plans into account. The plans should include appropriate contingency measures to maintain business continuity in emergencies. This includes a mandatory transition period to allow for the migration to another ICT service provider or the transition to in-house solutions. The ultimate goal of an exit strategy is to ensure the contract can be terminated without disrupting operations, affecting regulatory compliance, or harming customers.
No outsourcing of responsibilities
Managing the risks associated with ICT services provided by third-party vendors is an essential part of a financial entity’s digital operational resilience strategy. The DORA regulation’s provisions in this area are intended to protect the financial sector from potential risks arising from dependence on third-party providers. A holistic approach to DORA compliance enables financial entities to build operational resilience and contribute to the stability and security of the broader financial ecosystem. In compliance with DORA, financial entities have the option to outsource the task of verifying compliance with ICT risk management requirements to in-house ICT service providers or third-party ICT providers, in accordance with EU and national sectoral laws. However, the financial entity is ultimately fully responsible for verifying compliance with ICT risk management requirements. Article 5(2) explicitly states this, emphasizing that “the management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1), and shall be responsible for their implementation.”