DORA to drive significant change to TPRM, says Acuiti
22 November 2023 UK
Sell-side firms are making 'significant changes' to how they approach third-party risk management (TPRM) to meet the requirements of the EU’s Digital Operational Resilience Act (DORA), according to an Acuiti study.
‘Third-Party Risk Management in the Time of DORA’ was produced in partnership with Compass Partners and is based on a survey of executives from 106 different firms, predominantly from the sell side.
According to the survey, more than nine in 10 sell-side respondents reported that they will have to make ‘major’ changes to how they manage third-party risk to meet the requirements of DORA, a new regulation that brings TPRM squarely into scope. These changes are focused on how firms map, monitor and manage third-party relationships.
DORA is intended to ensure that firms have the operational resilience to deal with cyber-attacks and other issues threatening the operations of their information and communications technology stacks.
The regulation will apply to more than 20,000 EU regulated entities and has an extra-territorial impact for any firms with operations or activities in the EU.
For a number of firms, especially those on the buy side, such as hedge funds and proprietary trading firms, DORA will be an entry point into formalised third-party risk management, says Acuiti.
Some of the most significant changes under the new regulation include the requirement to have exit strategies for critical vendors — currently only 17 per cent of sell-side respondents have this in place.
Another change facing firms in scope for DORA is the mapping of nth-party relationships (the vendors of their vendors); only 39 per cent of survey respondents currently complete this activity.
Other key challenges faced by firms include the operational resources required to comply with DORA, the criteria used to analyse threats, and obtaining the necessary information from vendors.
Neil McDonald, managing partner at Compass Partners, says: “The data shows that a lot of firms are unprepared for DORA, and also face significant challenges in ensuring fit-for-purpose processes and framework as well as a functional target operating model.
“As always, data quality and system feeds ensuring accurate mapping will be a key challenge. Understanding fourth parties and associated risks, substitutability of critical vendors and testing of exit strategies will also add pressure points and complexity, stretching already limited resources.”
Acuiti founder Will Mitting comments: “With little over a year until implementation, there is significant work to be done by firms across the market to be ready for DORA.
“The industry will need to work together with vendors to streamline processes such as information requests to reduce the operational burden.”