August 10, 2023
The Digital Operational Resilience Act (DORA) was not written with the solutions of a global payment network in mind. One look at its regulatory provisions suggests it might as well have been.
The suggestion is not for a payment network to shoulder DORA compliance on behalf of financial entities operating within its network. That would be a tall order even if the focus was purely cyber resilience. It is made taller still by DORA’s coverage of all operational risks associated with information & communications technology (ICT) and posed by the increasing interconnectedness of financial entities.
Rather, the suggestion draws on DORA’s own position that resilience may “by reason of its scale and effects, be better achieved at [European] Union level” and its observation that payments have “moved from cash and paper-based methods” to digital solutions. DORA’s twin focus on scale, across the EU and beyond, and on finance, notably payments, aligns closely with what global payment networks already do.
For example, at Mastercard we support financial entities by enabling secure payments and data transfers worldwide. Our digital operational resilience comes via a combination of strong customer authentication, risk quantification, breach & attack simulation, online exposure monitoring, and systemic risk assessment.
The combination is important. DORA notes how the EU’s financial sector is “regulated by a Single Rulebook and governed by a European system of financial supervision” while “digital operational resilience and ICT security are not yet fully or consistently harmonised.” The explicit call is for a harmonised framework, but the implicit suggestion is that the solutions should be harmonised too. A payment network’s solutions can help financial entities attain that harmony together.
Four distinct pillars, one “always on” solution
The four main pillars of DORA logically call for four solutions, and dedicated products exist for each of them to varying degrees. But risk management, incident reporting, resilience testing, and third-party risk do not operate independently of one another. DORA treats them as one continuous framework for good reason; providers of cybersecurity and other operational risk solutions might consider doing the same.
Payment networks are intimately familiar with the need to be “always on” via the stand-in processing they provide to banks to meet strong customer authentication (SCA) requirements during bank outages and downtimes.
Yet beyond payment authentication and authorisation, payment networks also continuously protect all data on their networks. That protection may cover transactions on card or real-time account-to-account rails alone, or it may extend to other financial data exchanged via open banking or, increasingly, blockchain-based rails.
Ongoing cycles of cyber risk quantification allow payment networks to manage operational risks to their multi-rail networks and those faced by the financial entities they serve. This quantified approach to DORA’s first pillar, ICT risk management, takes cybersecurity beyond an arcade-game mentality of reactively feeding coins into a slot to stem a relentless onslaught of attacks. Internal customisation can then address specific business needs, while external contextualisation provides support grounded in the threat landscape as it evolves.
Resilience testing via breach & attack simulation complements risk management by mimicking the behaviour of malicious actors. The simulations can run continuously within an organisation’s production environment to address DORA’s third pillar, digital operational resilience testing, while business operations continue uninterrupted. They also serve as a continuous validation system that monitors whether security controls actually work. The results provide richer data for risk management, which in turn feeds further resilience testing in a virtuous cycle. Findings from the continuous testing can then feed into incident reporting mechanisms for DORA’s second pillar, ICT-related incident reporting, as needed.
The fourth pillar, third-party risk, comes after risk management, incident reporting and resilience testing in DORA. That position seems not to reflect its importance but rather to recognise how it underlies the other three pillars in a financial ecosystem.
Many financial entities, one financial ecosystem
Third-party risk was identified as the most challenging of DORA’s four main pillars in a Mastercard-sponsored survey of ICT risk teams in 20 financial entities across 20 EU countries, conducted between November 2022 and February 2023.
The challenge results from the emerging need for ecosystem resilience as third-party risk shifts from a “me versus them” mentality to a collective “us” that underlies all other aspects of cybersecurity. The overarching aim of DORA is to provide that ecosystem resilience to the EU and ideally worldwide.
From a global perspective, DORA does not impose data localisation requirements on data entering or leaving the EU. Still, DORA is not immune to the “Brussels effect”, the tendency of EU legislation to shape practice well beyond the EU’s geographical borders.
More specifically, on third-party risk, Article 36 of DORA addresses the exercise of supervisory powers “outside the Union” and Article 44 addresses the development of best practices through “international cooperation”.
The scope means the ability of financial entities to address DORA depends on holistic solutions from providers, such as global payment networks, with partnerships spanning the financial ecosystem. The virtuous cycle of risk management and resilience can then further benefit from the economies of scale associated with a financial ecosystem replete with inherent third-party relationships. Dedicated approaches to third-party risk, such as monitoring online exposure and systemic risk, complement the network approach.
The letter of the law versus the spirit of the law
The Digital Operational Resilience Act sounds far more approachable under its personable acronym, DORA. Financial entities in the EU and elsewhere will need to know DORA well by 17 January 2025, the date from which it applies.
The Mastercard-sponsored survey suggests that financial entities will begin compliance implementation in mid-2023 after completing gap assessments. A comprehensive or “harmonised” package of solutions should help them come in on time.
Yet that help should go beyond the mere provision of connected solutions to meet compliance needs. DORA depends on more than just individual financial entities complying with the letter of the law. It also depends on financial entities recognising the need to come together across the financial ecosystem through a network approach.
Without that network, there will likely be a disconnect, an ironic result for an act designed to cater to an interconnected world.