The Digital Operational Resilience Act (DORA) will require financial services firms to get serious about operational resilience and third party risk management (and plenty more).
Financial services firms will need to invest time and money over the next two years to ensure they are compliant with DORA by January 2025.
Complying with DORA will be a nightmare.
But…
Complying with DORA is already a necessity.
Why?
Well, over 40 clients of ION Group found out last week, when ION was hit by a ransomware attack*.
ION provides IT solutions that support financial trading processes. The attack on ION’s Cleared Derivatives division caused significant disruption across European and US banks and brokers.
Apparently, many firms had to revert to pen and paper to process trades and to meet their regulatory reporting obligations. According to a US regulator, they could not meet those reporting obligations, and I am sure the regulator will probe why these firms were unable to adapt to this disruption (aka ‘Operational Resilience’).
The attack also had downstream impacts** on the banks’ and brokers’ own customers, some of whom apparently started withdrawing cash from their brokers, concerned that this single attack on a single firm was actually a symptom of a wider contagion (aka ‘Systemic importance’).
So what?
DORA will force financial services firms to get serious about operational resilience and third party risk management, so an incident like this in the future does not cause such a significant disruption.
DORA will also enable European regulators to directly oversee the activities of critical ICT third-party service providers, because an incident affecting one of these providers can quickly have a contagious effect across the financial services world.
This incident demonstrates why DORA is necessary.
* If you’re interested in reading more about the attack, there’s a good summary on The Register. Bloomberg and The Financial Times have also discussed the attack, including a rumour that ION paid the ransom.
** Thanks to one of my clients for discussing this incident in more detail with me. Media reports are no match for experience ‘on the ground’.