The closer 2025 gets, the more often you hear about DORA.
And it’s not just about a new compliance act introduced by the EU. It is a framework that aims to help organisations in the financial and ICT sectors become more resilient against any kind of breach, outage or unforeseen event.
Take cyber attacks in the financial sector. Their number is increasing massively. Last year alone, the number of attacks worldwide doubled compared to the previous year. Several factors contribute to this, above all the increasing digitalisation of the banking business, AI-related developments, and the wars in Ukraine and the Middle East.
The EU is offering a regulatory framework, DORA, the Digital Operational Resilience Act, that should make operations and business more stable. It is a complementary framework to NIS2 and others, not a replacement.
This Regulation (EU) 2022/2554 is intended to solve an important problem in financial regulation. Until now, financial institutions have mainly managed operational risk by allocating capital. On the basis of DORA, in future they will also have to comply with more extensive rules for the protection, detection, containment and recovery of information and communication technology (ICT) incidents.
Due to its scope and focus on operational risk management, it affects not only all players in the financial system, such as banks and insurance companies, but in particular also their ICT service providers, who must implement the requirements of the regulation.
DORA sets out rules for risk management, incident reporting, operational resilience testing and third-party risk monitoring of ICT infrastructure. The regulation assumes that incidents and a lack of operational resilience can jeopardise the soundness of the entire financial system, even if sufficient capital is held.
The requirements of DORA apply in principle to all financial undertakings (refer to Art. 2 para. 1). These include insurance and reinsurance undertakings, credit institutions, payment institutions, electronic money institutions, account information service providers, rating agencies, investment firms, central securities depositories, providers of crypto services and other companies such as trade repositories and securitisation registers, trading venues and data provision services.
Exceptions
Individual groups of companies such as alternative investment fund managers and institutions for occupational retirement provision are excluded from the scope of application (see Art. 2 para. 3). In addition, EU member states may, by way of a national option, exclude institutions from the scope of application of DORA that are named in the Capital Requirements Directive (CRD). This may affect, for example, the Kreditanstalt für Wiederaufbau and the state development banks of the federal states (see Art. 2 (4)).
In addition to financial companies, ICT service providers are also subject to the regulatory framework. Here, DORA distinguishes between third-party service providers and intra-group service providers.
Teiva Systems supports financial institutions and ICT service providers in implementing the DORA requirements within IT systems like ServiceNow. We help them identify the gaps, design the target solution for service management, risk management and security-related capabilities, and implement it in ServiceNow.
Within the NOW platform you can implement applications that support your DORA-relevant processes, including ICT Incident Management, ICT Continuity Management, ICT Risk Management Framework, Digital Operational Resilience Testing, ICT Third-Party Risk Management and ICT Incident Reporting to Competent Authorities.
Bringing everything onto one platform plays a pivotal role in becoming DORA compliant. It creates synergy, removes silos and helps the organisation meet the expected objectives.
The cornerstone of DORA compliance is effective ICT risk management. ServiceNow provides Integrated Risk Management, which equips organisations with comprehensive capabilities and data models to monitor and mitigate risks, using advanced indicators to proactively identify potential threats. As a result, you will be able to maintain operations seamlessly and enhance service delivery. Moreover, through scenario analysis and impact assessments, financial organisations and ICT providers gain a 360-degree view of how mature their operational resilience is.
With Service Risk Management and Continuous Monitoring you can define and prioritise metrics and dependencies for business service risks, controls and tolerances. Once you know your risks, you can then analyse the potential impact of disruptions on customers, employees, products and technology using Impact Tolerance Assessments.
Collaboration is key when it comes to counteracting threats. ServiceNow’s capabilities offer a secure and efficient exchange of critical information across teams, departments and organisations. Trusted peers, suppliers and partners can engage directly through portals, foster a robust security ecosystem, and establish a controlled information-sharing approach with granular access control, automated workflows and integrations.
Operational processes rely heavily on third-party vendors and suppliers, and these dependencies add a further layer of risk. ServiceNow’s capabilities within Integrated Risk Management ensure that these risks are managed effectively. Strategic portfolio management, vendor management, continuous risk assessment and mitigation processes are applications that bring structure and transparency.
With Third-Party Risk Management (TPRM), you can reduce risk as you build organisational resilience and compliance across the enterprise. TPRM has features that support your digital operations, including due diligence for onboarding, offboarding and renewals.
You cannot avoid having incidents, but when they occur you need a rapid and organised response and communication. ServiceNow provides a robust framework for managing any kind of critical event. It allows you to oversee and measure the entire lifecycle from detection to resolution. ServiceNow ITSM is integrated with other parts of the platform such as SecOps, including threat intelligence. This seamless connection enables your teams to stay ahead of emerging threats, and 24/7 monitoring ensures any incident is detected and addressed promptly.
The ServiceNow CMDB and a service-oriented data model (CSDM) are crucial for the incident process, as they act as a centralised repository of information about the IT environment. They help financial organisations and ICT service providers manage and control the IT infrastructure and ensure that incidents are resolved efficiently and effectively. Additionally, when an incident is reported, they help determine its potential impact on individuals, teams and the company in general.
Moreover, to maintain compliance with regulatory requirements, the CMDB helps provide a clear audit trail of configuration changes and incident responses. It also supports reporting and analytics, offering insights into incident trends and the effectiveness of the incident management process.
With ServiceNow’s testing and documentation capabilities, you are able to structure your Business Continuity Management, integrate it into your common workflows, connect it to existing data and rely on up-to-date information.
With ServiceNow as a central platform for action, it becomes easier to comply with DORA requirements: you can establish measures to ensure the performance of execution and improve the experience of the parties involved.
In the next articles, I will elaborate on how ServiceNow can support financial and ICT organisations on their journey towards a reliable digital organisation.
Kostya Bazanov, Managing Director, Aug 02, 2024