Strengthening Cyber Resilience: A collaborative approach to DORA compliance

By Justin Kuruvilla, Chief Cyber Security Strategist at Risk Ledger.


The Digital Operational Resilience Act (DORA) serves as an extensive regulatory guideline introduced by the European Union to bolster the financial sector's ability to withstand disruptions and threats linked to information and communication technology (ICT). Regulators recognise that financial institutions function within a highly intricate and interconnected supply chain, relying on critical third-party ICT providers, who in turn depend on their own suppliers, creating a layered network of dependencies.

As digital transformation in financial services continues to accelerate, reinforcing cyber defences has never been more crucial in mitigating emerging risks. The increasing interconnectivity of supply chains has amplified the risk of attackers targeting suppliers, highlighting the necessity of a united security strategy.

Regulations like DORA not only tackle these challenges directly but also encourage a forward-thinking cybersecurity mindset that values collaboration and transparency. The intended purposes of these regulations go beyond the direct requirements imposed on the regulated entities; they serve as blueprints to ensure that cybersecurity is at the top of the agenda for businesses with extensive partner networks. By promoting strong governance, enhancing visibility into risks, and encouraging the adoption of automation, DORA sets the stage for a programme that strengthens cybersecurity and resilience.

With DORA shaping the path forward, organisations have the chance to shift from a reactive cybersecurity stance to a proactive one. By integrating effective risk identification and mitigation strategies early on, businesses can not only safeguard their assets but foster trust in their partnerships and supply chains.

The challenge surrounding traditional approaches

Traditional third-party risk management (TPRM) approaches are often manual, static, and point-in-time—providing only a snapshot of a supplier’s security posture at the time of assessment. With reviews occurring annually or less frequently, organisations lack real-time visibility into emerging risks. DORA addresses this gap by mandating continuous monitoring capabilities, enabling financial entities to obtain more accurate and timely risk assessments of their suppliers.

Addressing traditional limitations in TPRM will enable a fundamental goal of DORA – “uncover systemic concentration risks that could threaten the stability of the financial sector”. Regulators require financial entities to submit Registers of Information that capture a variety of operational details, including, to the best of their ability, the critical business functions outsourced across the supply chain. Supervisory authorities hope this information will allow them to identify systemic risks at the fourth-party level and beyond.

However, simply complying with this requirement and waiting for regulatory insights is a reactive approach. It is unclear when regulators will complete this analysis and communicate their findings. Meanwhile, financial entities remain exposed to risks that exist beyond their direct visibility of third-party relationships. Proactively identifying and mitigating these risks is essential, and collaboration is the only way to accomplish this.

Highlighting the hidden risks

To effectively manage these risks, financial entities must proactively uncover hidden dependencies within their supply chains to identify previously unaccounted risks. A narrow focus on direct suppliers is no longer sufficient – systemic risks can ripple across the sector, impacting stability and resilience. By assessing the broader implications of disruptions, organisations can gain a more comprehensive view of potential vulnerabilities.

Additionally, scenario planning is essential. Financial institutions must evaluate how cyber threats, operational failures, or disruptions from third- and fourth-party suppliers could impact their business. These proactive strategies not only enhance resilience but also position firms to respond swiftly to emerging threats.

Mapping critical suppliers and assessing their interdependencies can reveal hidden systemic risks, enabling informed decision-making. This may involve restructuring supplier relationships to mitigate exposure, or determining that a given risk falls within the board's stated risk tolerance. True resilience requires more than regulatory compliance; it demands proactive collaboration across the entire financial sector. By collectively mapping supply chains and sharing risk intelligence, financial institutions can anticipate threats before regulators do.

Making collaboration a priority

Aggregating supply chain data across multiple financial entities helps reveal concentration risks that may go unnoticed when assessed individually. By merging supply chain maps, businesses can identify vulnerabilities and dependencies that could pose significant threats. Similarly, industry-wide concentration risk analysis helps prevent over-reliance on a single supplier, reducing the chances of widespread disruptions.
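The supplier mapping described in the previous section and the merged-map concentration analysis described here can be illustrated with a small dependency-graph model. The following is an added example, not code from the article or from Risk Ledger; every entity and supplier name is constructed, and the tier threshold is an assumption chosen for the illustration. Each regulated entity contributes its own view of its supply chain (direct ICT providers plus what those providers disclosed about their own suppliers); merging the views into one graph and walking it transitively shows which providers many entities depend on, including fourth parties that no single entity sees as a concentration on its own.

```python
"""Merge per-entity supply chain maps and flag concentration risk.

Added example (not the article's code). All names below are constructed
for illustration; the graph shape is the point, not the identities.
"""
from collections import defaultdict, deque

# Constructed sample input: each regulated entity submits a map in which every
# node lists the suppliers it depends on. The entity itself is a node, its
# direct suppliers are third parties, their suppliers are fourth parties, etc.
SUPPLY_MAPS = {
    "BankA": {
        "BankA": ["CloudCo", "PayGateway"],
        "PayGateway": ["CloudCo"],
        "CloudCo": ["DnsProvider"],
    },
    "BankB": {
        "BankB": ["HostingLtd", "PayGateway"],
        "HostingLtd": ["DnsProvider"],
        "PayGateway": ["CloudCo"],
    },
    "InsurerC": {
        "InsurerC": ["CloudCo"],
        "CloudCo": ["DnsProvider"],
    },
}


def merge_maps(maps):
    """Union every entity's map into one directed graph node -> set(suppliers)."""
    graph = defaultdict(set)
    for entity_map in maps.values():
        for node, suppliers in entity_map.items():
            graph[node].update(suppliers)
    return graph


def transitive_suppliers(graph, entity):
    """Breadth-first walk from an entity.

    Returns {supplier: tier} where tier 1 is a direct third party, tier 2 a
    fourth party, and so on. BFS visits nodes in tier order, so the first
    visit records the shortest dependency path; revisits at an equal or
    deeper tier are skipped, which also makes cycles in the graph safe.
    """
    tiers = {}
    queue = deque((s, 1) for s in graph.get(entity, ()))
    while queue:
        node, tier = queue.popleft()
        if node in tiers and tiers[node] <= tier:
            continue
        tiers[node] = tier
        for nxt in graph.get(node, ()):
            queue.append((nxt, tier + 1))
    return tiers


def concentration(maps):
    """Map each supplier to {entity: tier} for every entity that depends on it."""
    graph = merge_maps(maps)
    dependents = defaultdict(dict)
    for entity in maps:
        for supplier, tier in transitive_suppliers(graph, entity).items():
            dependents[supplier][entity] = tier
    return dict(dependents)


def flag_concentration(maps, threshold):
    """Suppliers on which at least `threshold` entities depend, directly or not."""
    return sorted(s for s, deps in concentration(maps).items() if len(deps) >= threshold)


def hidden_concentration(maps, threshold):
    """Flagged suppliers that no entity sees as a direct (tier 1) third party.

    These are exactly the fourth-party-and-beyond concentrations that a
    direct-supplier-only review would never surface.
    """
    conc = concentration(maps)
    return sorted(
        s for s in flag_concentration(maps, threshold)
        if min(conc[s].values()) >= 2
    )


if __name__ == "__main__":
    # Threshold of 3 entities is an assumed value for the illustration.
    for supplier, deps in sorted(concentration(SUPPLY_MAPS).items()):
        print(f"{supplier}: {len(deps)} dependents {deps}")
    print("concentrated:", flag_concentration(SUPPLY_MAPS, 3))
    print("hidden (no direct relationship):", hidden_concentration(SUPPLY_MAPS, 3))
```

In the constructed sample, CloudCo is a visible concentration because two of the three entities contract with it directly, but DnsProvider only ever appears at tier 2: each entity alone sees it as one fourth party among many, and only the merged graph shows that all three entities would be affected by its disruption. That is the kind of dependency the Register of Information is meant to surface at the supervisory level, and that sector-wide map sharing can surface earlier.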

A collaborative approach is essential for strengthening risk management. Sharing risk signals enables organisations to detect supplier issues others may have missed, facilitating the exchange of best practices and coordinated mitigation efforts. Peer-to-peer intelligence sharing further enables early detection of risks before they escalate. By adopting an industry-wide perspective on operational resilience planning, organisations can move beyond isolated assessments to establish a more comprehensive and effective approach to risk management.

This proactive strategy aligns with the objectives of financial institutions that have mature cyber risk management programmes, making previously hidden risks more visible and allowing firms to anticipate and address threats before they materialise. By fostering a culture of collaboration, financial institutions can go beyond merely complying with the DORA regulations and collectively build a stronger, more resilient operational security strategy.
