“How would you feel about the operation of your firm without your IT system?” began Laureline Senequier, director in risk advisory services at Deloitte Luxembourg. “Your applications, your emails, how would you feel? How long would you last without it?” It’s nearly impossible to live without a phone or an IT system nowadays.
“We’ve seen that the landscape has evolved,” she continued. “There’s a digital revolution that has been accelerated with covid. There is system complexity and a real proliferation of the size and the volume of data that we’re processing.” Outsourcing and the use of IT service providers mean that more information is spread around. There is also increased interconnectivity, leading to new types of cyber threats.
“Even if, until now, we’ve had a strong information system that is resisting some incident, the trend is going further,” Senequier stated at the Deloitte conference on Wednesday. “It’s just like if we’re doing sports. You’ve done some push-ups. But now let’s go to the crossfit level.”
The four pillars of Dora
“So what are we looking at?” said Senequier. “What are the four pillars of Dora?” It’s nothing new--what’s different is actually going one step further in the requirements.
The first pillar concerns ICT risk management. “Everybody has heard about ICT risk management since the publication of the EBA [European Banking Authority] guidelines in 2019, implemented by the CSSF [Commission de Surveillance du Secteur Financier, Luxembourg’s financial regulator] by circular 20/750,” said Senequier.
It’s important to have an ICT risk governance framework aligned with the three lines of defence, to have proportionate implementation of ICT risk management, and stronger responsibility and accountability of board members. “We’ve already gone a way with those EBA guidelines and the CSSF circular,” said the Deloitte director. But “let’s go one step further. Let’s be even more strong.”
We’re actually looking at some harmonisation on the reporting of incidents.
Pillar two is about incident reporting, which means notifying people about a cyberattack. Thanks to GDPR and other directives, this already happens. With Dora, “we’re actually looking at some harmonisation on the reporting of incidents,” said Senequier. “Basically, it’s going to be a common language for reporting incidents.” There’s the potential to have a single European reporting hub.
The third pillar focuses on digital operational resilience testing. Cyberattacks are happening--“it’s not a question of whether this is happening or not. It’s a question of when is this happening and who’s attacking?” With digital operational resilience testing, “nice” hackers attempt to make intrusions into systems, testing how easily they can carry out attacks. This is also not new, but Dora will allow a common framework within Europe, meaning that penetration testing in Portugal, for example, would also be recognised in Luxembourg.
The concept of support PSF has been exported to Europe. I think we can be proud of us.
Pillar four is about the risk related to ICT service providers. Senequier used the metaphor of moving treasure--your information--to another location. “If you’ve put your treasure in another house, you have to see how strong this house is, right?” There are two elements to this pillar: the first is ensuring that financial institutions using the services have a proactive approach to ICT risk management.
“The second part of that fourth pillar is actually looking at how those ICT third-party providers can come into the over[sight] of the competent authority,” said Senequier. But wait a minute, she added. That rings a bell. Support PSFs have existed in Luxembourg for a long time. “Actually, the concept of support PSF has been exported to Europe. I think we can be proud of us,” she declared. “Because this means that we are in advance of this pillar.”
Timeline for implementation
With Dora, “we’re going one step further, we’re going to the next layer, the next stage, the next level,” said Senequier. So when will this come into place?
In September 2020, following a push from different European supervisory authorities, the European Commission proposed a first draft of the regulation on operational resilience. After an open consultation, trilogue negotiations and a final tech agreement, the regulation was ratified by the European Parliament and the European Council in November 2022. Once published in the Official Journal of the EU, which is expected to take place in early 2023, there are 24 months to implement the regulation.
Deloitte’s PSF conference also featured the release of consultancy’s annual survey of professionals of the financial sector (better known by their French acronym PSF).