
DORA Pillar 4: Mastering the Art of ICT Third-Party Risk Management (Articles 28, 29, 30, & 45)

The Digital Operational Resilience Act (DORA) is not only about protecting your own digital infrastructure; it also reaches into your supply chain. In this concluding part of the blog post series we look at DORA's fourth pillar, which governs how financial entities manage the ICT risk introduced by their ICT third-party service providers (TPPs). These providers are links in your digital defence: a weakness on their side can compromise your security just as surely as a weakness in your own systems, and DORA is explicit that outsourcing a service does not outsource the responsibility for it.

Why Third-Party Risk Demands Your Attention


In today's financial landscape it is common to outsource ICT services that support critical or important functions, from cloud providers storing sensitive data to payment processors handling transactions. The consequences are severe when such a vendor suffers a cyberattack, a major outage or a data breach, because the disruption lands on your customers and on you, not only on the vendor. DORA Pillar 4 gives you the tools to map and manage this web of interconnected dependencies.


Navigating DORA Pillar 4: Your Compliance Compass


Article 28: General Principles: This lays the groundwork. Financial entities manage ICT third-party risk as an integral part of their overall ICT risk management and remain fully responsible for compliance with DORA even when a service is outsourced. It calls for a proportionate, risk-based approach, with the depth of oversight matched to the criticality of the service each TPP delivers. Article 28 also requires a register of information covering all contractual arrangements with TPPs, due diligence before a contract is signed, and documented exit strategies for services supporting critical or important functions.


Article 29: Preliminary Assessment of ICT Concentration Risk: Over-reliance on a single TPP, or on a group of closely connected providers, is a risk in its own right. Before contracting a service that supports a critical or important function, this article requires you to assess whether the arrangement would leave you dependent on a provider that is not easily substitutable, or would stack several critical services on the same provider. That assessment extends down the subcontracting chain, including subcontractors located outside the EU, weighs alternatives such as splitting services across providers, and considers the impact a provider's insolvency would have on you.


Article 30: Key Contractual Provisions: Consider this your contract blueprint. Rights and obligations must be clearly allocated and set out in writing, and DORA lists specific clauses that MUST appear in every agreement with a TPP: a clear description of the services, where data is processed and stored, provisions on data availability, integrity and confidentiality, access to and return of data on termination or insolvency, service level descriptions, assistance with ICT incidents, cooperation with competent authorities, and termination rights. Contracts for services supporting critical or important functions carry additional obligations, including full service level agreements with quantitative and qualitative targets, notice and reporting duties, tested business contingency plans, participation in threat-led penetration testing, unrestricted rights of access, inspection and audit, and an agreed exit strategy.


Article 45: Information Sharing: Knowledge is your strongest defence. This article allows financial entities to exchange cyber threat information and intelligence with one another, including indicators of compromise, tactics, techniques and procedures, and security alerts, on a voluntary basis. Sharing arrangements must protect the sensitive nature of the information and any trade secrets, and financial entities must notify their competent authority when they join or leave such an arrangement. Working together builds a more robust defence against the ever-evolving threat landscape than any single institution can build alone.


6-Month Implementation Roadmap: Your Path to Third-Party Resilience


Month 1: Build Your Team & Assess Your Situation: Assemble a cross-functional team and thoroughly review your current third-party risk management practices. Identify any gaps compared to DORA requirements.


Month 2: Due Diligence & Risk Assessment: Examine your existing and prospective third-party providers and record every contractual arrangement in your register of information. Conduct a risk assessment for each provider that focuses on the impact its failure would have on your operations, and flag the services that support critical or important functions, since those attract the strictest contractual and concentration requirements.


Month 3: Contract Negotiation & Optimisation: Review, update, or create contracts with your third-party providers to ensure they meet DORA's requirements. Pay close attention to service levels, audit rights, and exit strategies.


Month 4: Tackle Concentration Risk: Analyse your dependency on key providers and on their subcontractors. Diversify where it is practical; where it is not, document the residual risk and put tested contingency and exit plans in place for each critical service.


Month 5: Join the Information Sharing Network: Participate in a cyber threat information-sharing arrangement with peer institutions, and notify your competent authority of your participation as Article 45 requires. Share what you learn and learn from others' experiences.


Month 6: Ongoing Monitoring & Improvement: Monitor your third-party providers' performance against their agreed service levels and their security posture on a continuing basis, keep the register of information current, and make third-party risk an integral part of your risk management process rather than a one-off exercise.


The DORA Dividend: Why Compliance Pays Off


Meeting DORA's third-party risk management requirements isn't just about avoiding penalties. It's a strategic investment that delivers:


Resilience Boost: Protect your operations from disruptions caused by TPP failures.


Enhanced Risk Management: Proactively identify and address threats in your supply chain.


Regulatory Alignment: Demonstrate your commitment to DORA compliance.


Reputation Enhancement: Showcase your dedication to security and operational excellence.


The Takeaway


DORA's Pillar 4 is a valuable framework for navigating the complex world of third-party risk management. Meeting its requirements strengthens your digital defences and builds a more resilient financial institution. This concludes the fourth part of our look at key articles in the DORA Level 1 text.


The posts listed on the 'What we think' webpages are our interpretation of regulatory developments we have been reading about. They should not be considered legal, regulatory or other advice. Contact us if you want to understand the impact of public policy, regulation and governance changes for you.