The European Union's incoming Digital Operational Resilience Act (DORA) represents a significant regulatory challenge for sell-side firms with regard to third-party risk management, a new report suggests. Neil McDonald, managing partner at private equity firm Compass Partners, spoke exclusively to BEST EXECUTION on why firms are only just beginning to consider soft and hard exit strategies, and what firms must do to meet DORA's requirements before it comes into force in 2025.
Third-Party Risk Management in the Time of DORA, produced by Acuiti in partnership with Compass Partners, is based on a survey of executives at 106 firms predominantly from the sell-side. The report analyses the challenges that firms will face in meeting the requirements of DORA.
Continuously evolving regulation and increasingly sophisticated cyber-attacks have driven complexity in third-party risk management. Against this backdrop, more than 90% of sell-side respondents said that they will have to make major changes to how they manage third-party risk in order to meet DORA's requirements.
The regulation is intended to ensure that firms have the operational resilience to withstand cyber-attacks and other events that threaten the operation of their information and communications technology (ICT) stacks. Significant changes under DORA include the requirement to have exit strategies in place for critical vendors, which only 17% of sell-side respondents currently had, and the mapping of nth-party relationships (the suppliers of a firm's own third parties), which only 39% of respondents currently did.
McDonald told BEST EXECUTION that firms are only just beginning to consider soft and hard exit strategies. "In our experience firms are not particularly mature in maintaining or testing the latter. This is partly due to the overheads involved and the co-ordination required internally between the relevant functions and risk domains."
“Firms have more pressing priorities at present with Ops resilience mappings and ensuring Third Party Management of critical vendors is accurate enough to cover all important business services and critical third party providers. As such, the can is kicked down the road. We also see that some firms will risk accept the lack of a tested exit strategy in terms of multinational vendors who have global footprints through their wider enterprise risk framework,” McDonald said.
"Nth-party relationships are one of the biggest challenges across the industry as part of a robust TPM process. Some firms are blissfully unaware of a) the requirement to understand nth parties, or b) who their nth parties are and the associated risks. We have seen various examples of cyber attacks recently whereby the impacted vendors have been nth parties to numerous tier one banks."
"Some institutions were not aware that the vendors were being utilised by their third party and as a result were blind to the risk and impact. The industry is also behind in terms of requesting full transparency of nth-party relationships via their vendor populations, and of course, it is onerous for vendors to supply this information, which often slows down the process. The knock-on impact across Ops Res, TPM and DORA is significant," McDonald said.
Among proprietary trading executives based in the EU or the UK, 80% of respondents said that they were either unaware of DORA or not impacted by it. However, as DORA applies to all MiFID II regulated firms, many of these firms will be in scope. On why so few firms are aware of DORA, McDonald told BEST EXECUTION that, as a rule, firms only tend to get familiar with upcoming regulation once it appears on a risk or compliance radar.
"There can also be a lack of sufficient communication between different areas, and indeed lines of defence, that leads to a disparate approach and understanding. DORA compliance is required by 2025, which seems a long way off but in reality will appear on the horizon very quickly. Given the process mappings and overlap between TPRM, Ops Resilience and DORA, firms very much need to be prioritising this now to have a chance of compliance by early 2025," McDonald said.
DORA will apply to more than 20,000 EU regulated entities and has an extraterritorial impact for any firms with operations or activities in the EU.
For many firms, especially those on the buy-side, such as hedge funds and proprietary trading firms, DORA will be an entry point into formalised third-party risk management.
Acuiti founder Will Mitting said: “With little over a year until implementation, there is significant work to be done by firms across the market to be ready for DORA.”
"Currently, the operational resources required to meet the requirements of DORA are the biggest challenge facing most firms in the market in terms of their preparations for compliance. The industry will need to work together with vendors to streamline processes such as information requests in order to reduce the operational burden," Mitting added.
© Markets Media Europe 2023