There is a potential burden on financial entities and the risk of overlooking critical ICT-related incidents, an EU trade group has warned.
The European Fund and Asset Management Association (Efama), which represents the interests of the European investment management industry and asset managers, has recently responded to the public consultations initiated by the European Supervisory Authorities (ESAs) regarding the draft regulatory technical standards (RTS) and implementing technical standards (ITS) aimed at supplementing the Digital Operational Resilience Act (Dora).
These consultations seek to provide further clarity on how information and communication technology (ICT) risks should be managed within the financial sector.
Efama’s input, on Tuesday 12 September 2023, called for a proportional approach and questioned certain aspects of the proposed regulations.
The proportionality principle
One of the primary concerns highlighted by Efama is the necessity for a comprehensive incorporation of the proportionality principle outlined in Dora.
The scope of entities covered by Dora is wide-ranging, encompassing credit and payment institutions, insurance companies, asset managers and others. These entities, according to Efama, vary significantly in terms of size, structure and business models.
Efama asserts that a ‘one size fits all’ approach, as currently proposed, may be excessive for many, including asset management companies. The association suggested that ESAs should consider factors such as entity size, complexity, system criticality and risk assessment when implementing the ICT risk management framework, as these factors are crucial in determining the appropriate level of compliance with Dora.
Complexity and redundancy
Efama also raised concerns about the proposed templates for registering contractual arrangements related to ICT services.
These templates are deemed overly complex in terms of content, form and technology, with certain elements lacking clear added value. For instance, Efama questions the need for duplicate registers at both entity and consolidated levels, which appears contradictory to standard accountability practices in group consolidation.
Additionally, Efama emphasised that information concerning service providers’ supply chains could be more efficiently provided by ICT third-party service providers themselves, rather than through financial entities.
The association also queried the necessity of retaining information on terminated contracts in the register for a duration of five years, as well as the inclusion of sensitive contractual data.
Challenges in classifying incidents
While appreciating the efforts to provide clarity on the classification of ICT-related incidents, Efama raised concerns about the proposed methodology. The suggested approach would require continuous monitoring of various criteria, which could demand significant resources and may not effectively detect major ICT-related incidents.
Furthermore, Efama suggested that this methodology lacks a clear connection to the definition of major ICT-related incidents outlined in Dora. The association anticipated further technical consultations on Dora in the coming fall.
Zuzanna Bogusz, regulatory policy advisor at Efama, expressed her perspective on the matter, stating, “The asset management industry is very serious about tackling the risks that arise from increasing use and sophistication of information and communication technology. Operational resilience is also key to stable financial markets. However, the high degree of bureaucracy incorporated in the draft technical standards undermines this goal. Financial entities will be overwhelmed with drafting procedures, filling in templates and gathering data, when their attention should be focused on prevention, detection and swift reaction to threats. Also, if a high proportion of ICT-related incidents qualify as ‘major’, it would become harder to detect those truly harmful ones and channel available resources towards them. In other words, it would be counterproductive for the task at hand.”