A deep dive on DORA’s RTS on the use of ICT third-party service providers

Introduction

In an era where digital technology is at the heart of financial services, the European Supervisory Authorities (ESAs) have introduced the Digital Operational Resilience Act (DORA), a groundbreaking regulatory framework aimed at fortifying the operational resilience of financial entities. The Draft Regulatory Technical Standards (RTS), as mandated by Regulation (EU) 2022/2554, lays down a comprehensive set of guidelines for managing risks associated with Information and Communication Technology (ICT) third-party service providers. This comprehensive analysis expands on the insights shared in our previous blog post and seeks to decode the essence of the RTS, offering a clear understanding of its implications for financial institutions.

ICT third-party risk management policy

The digital transformation has led financial entities to increasingly rely on third-party ICT services for supporting their critical or important functions. While these services offer myriad benefits, including efficiency and scalability, they also introduce a spectrum of risks, notably in operational resilience, information security, and data integrity. Recognising this, Article 28(2) of Regulation (EU) 2022/2554 necessitates the adoption of a strategic policy on the use of ICT services, underscoring the need for a meticulously structured approach towards managing third-party ICT risks.

The policy should specify the requirements, including principles, responsibilities and the processes for each mean phase of the lifecycle of the use of ICT services. This includes but is not limited to:

• (a) the responsibilities of the management body;
• (b) planning of contractual arrangements for the use of ICT services;
• (c) the involvement of business units in respect of contractual arrangements;
• (d) the implementation, monitoring and management of contractual arrangements;
• (e) documentation and record-keeping;
• (f) the exit strategies and termination process.

Structuring governance and oversight

An important aspect of the RTS is its emphasis on governance. Financial entities are required to establish a governance framework that delineates clear responsibilities for the management and oversight of ICT third-party risk. This includes the development and regular review of the ICT third-party risk strategy, ensuring it is integrated into the entity's overall risk management framework. The ESAs advocate for an annual review of the policy or more frequently, should significant changes in the ICT landscape or the entity's operational environment necessitate. ICT intra-group service providers should be regarded as an ICT third-party service provider.

When applying the policy on the use of ICT services supporting critical or important functions, ICT intra-group service providers, where applicable, including those fully or collectively owned by financial entities within the same institutional protection scheme, undertaking the provision of ICT services, should be considered as ICT third party services providers.

Rigorous risk assessment

Before any contracts are signed with ICT third-party service providers, it is essential for financial institutions to carry out a thorough risk evaluation. This evaluation must encompass the effects that the ICT services, which are crucial or significant to the institution's operations, have on its overall risk landscape. This includes operational risks, legal risks, ICT-related risks, risks to reputation, and risks concerning the safeguarding of sensitive and personal data. Additionally, considerations should be made for risks associated with data availability, the physical locations of data processing and storage, and the geographic location of the ICT service provider itself. The assessment should also cover the risks related to depending too heavily on a limited number of ICT providers at the level of the financial institution itself.

Comprehensive due diligence

A comprehensive due diligence process should be in place to scrutinize the contractual arrangements ensuring they align with regulatory and operational requirements, facilitating an informed decision-making process. Before entering into a contractual arrangement, the due diligence process should consider whether the ICT third-party service provider:

• (a) possesses a reputable business standing, adequate capabilities, expertise, and sufficient financial, human, and technical resources. It adheres to high information security standards and has a suitable organizational structure, including risk management and internal controls. If necessary, it holds the required licenses or registrations to deliver ICT services that support essential or critical functions reliably and professionally. Additionally, it has the capacity to keep abreast of significant technological advancements, recognize best practices in ICT security, and apply these practices effectively to maintain a robust and sound framework for digital operational resilience;
• (b) employs or plans to employ ICT subcontractors to carry out ICT services that are critical or significant, or crucial parts of these services;
• (c) operates from, or manages or stores data in a third country, and if so, whether this approach increases the likelihood of operational and reputational risks, or the risk of being impacted by restrictions, such as embargoes and sanctions, which could affect the ICT third-party service provider's capacity to offer the ICT services or the financial institution's ability to utilize those services;
• (d) agrees to allow for audits, including those conducted on-site, by the financial institution, designated third parties, and regulatory bodies at the premises of the ICT service provider;
• (e) commits to ethical and socially responsible conduct, upholds human and children’s rights, follows established environmental protection guidelines, and ensures fair working conditions, explicitly banning child labor.

Enhancing transparency and accountability

The RTS introduces stringent requirements for documenting and reporting the risk management process associated with ICT third-party services. Financial entities are expected to maintain a detailed register of all ICT third-party service providers, including a summary of the services provided and the associated risk assessments. This documentation serves as a cornerstone for transparency and accountability, enabling supervisory authorities to effectively monitor the entity's ICT third-party risk profile.

Continuous monitoring

The RTS outlines that the policy governing the engagement of ICT third-party service providers for critical or important functions must incorporate ongoing monitoring strategies and essential metrics to evaluate these providers' performance. This includes mechanisms to ensure adherence to standards concerning the data and information's confidentiality, availability, integrity, and authenticity, as well as the ICT third-party service providers' compliance with the financial entity's policies and procedures. Additionally, the policy should detail actions to be taken if service level agreements are breached, including the imposition of contractual penalties when deemed necessary.

The policy should outline how the financial entity evaluates the performance and quality of ICT third-party service providers for critical or important functions, ensuring they meet the set standards and policies. This includes:

• (a) receiving regular and incident reports, service delivery updates, and information on ICT security and business continuity from the providers;
• (b) using performance indicators, audits, and reviews to assess the provider's performance;
• (c) obtaining other necessary information from the provider; (d) getting notified about ICT and operational incidents; and (e) conducting independent reviews and compliance audits.

Ensuring operational continuity

A crucial component of the RTS is the stipulation for financial entities to devise exit strategies for their contractual arrangements with ICT third-party service providers. These strategies should outline clear protocols for transitioning to alternative providers or bringing services in-house, without disrupting critical or important functions. This forward-looking approach is vital for safeguarding the operational continuity and resilience of financial entities.

Conclusion

The RTS on the use of ICT services by third-party providers represents a significant leap towards enhancing the operational resilience of the financial sector. By setting forth a structured and comprehensive framework for ICT third-party risk management, the ESAs aim to ensure that financial entities can navigate the digital landscape with confidence, securing the integrity and continuity of their critical functions. As the financial industry continues to evolve amidst a rapidly changing technological environment, the adoption and implementation of the RTS will be instrumental in fostering a robust and resilient digital financial ecosystem.

In this journey towards digital operational resilience, financial entities are encouraged to closely examine the provisions of the RTS, aligning their ICT third-party risk management practices with the regulatory expectations. By doing so, they not only comply with the regulatory mandates but also fortify their defences against the myriad of digital risks, ensuring the safeguarding of their operations and, by extension, the broader financial system.