The lock-step growth of digitalisation, risk and regulation within asset finance: Where do you stand with the Digital Operational Resilience Act (‘DORA’)?

Innovation – for example, to improve efficiency and / or customer experience – is driving the asset finance world into becoming ever more digitised and interconnected. This growing technological complexity, with corresponding growth in the volume, variety and velocity of data that flows through it, also serves to increase an organisation’s risk exposure to digital operations.

The reaction of governments has been to pass additional legislation, such as the EU’s GDPR and DORA, along with additional industry-specific regulations. This means a more complex compliance landscape has emerged too.

Your business’ continuity and reputation would be seriously threatened by a security breach, audit failure or regulatory issue – you probably know of organisations that have already suffered this way. This means digital operational resilience (cyber security included) demands to be treated as a fundamental pillar of digitalisation, one you ignore at your peril, with a corresponding need to act.

What is DORA?

The Digital Operational Resilience Act (‘DORA’, EU Regulation 2022/2554), is a comprehensive framework obliging financial entities to strengthen the digital resilience of their operations. It becomes enforceable in January 2025 – and is the world’s first oversight framework for financial entities (and their third-party ICT service providers).

DORA’s scope covers a broad range of finance sector entities capturing asset finance and – more generally – banks, insurers, intermediaries, investment firms, payment institutions and data reporting services. It divides digital operational resilience into five pillars:

· Risk management

· Incident reporting

· Digital operational resilience testing

· ICT third-party risk management

· Information & intelligence sharing.

Each day’s non-compliance can result in fines being levied as a proportion of the previous year’s average daily global turnover. More generally, a lack of resilience can seriously threaten a business’ continuity along with customer relationships, competitive position, financial stability, data privacy, intellectual property, and reputation in the industry.

What does DORA demand that you do?

Compliance with this regulation (which is within months of being enforceable) needs to be managed via a well-constructed, organisation-wide digital operational resilience programme. Such a programme is an executive level, cross- functional risk management responsibility and should certainly not be considered ‘just IT’.

We would recommend that a phased, balanced approach within an asset financing context is taken, addressing applicable international legislation and the full range of risks – both traditional and newly emerging – together. It is also because there will likely be serious and wide-ranging implications for your organisation if a failure in your operational resilience ever occurs.

So where do you stand with DORA?

Your organisation will be in one of the following three positions. It has either yet to launch a digital resilience programme, is mid-way through one or has completed what was planned.

Given the criticality, complexity and activity mix of such a programme, bringing in some expert help to architect and deliver it – or to at least handle selected elements – is worth carefully considering. Resource to either architect a programme, aid delivery and / or test for completeness, depending on the stage you are at. Managed properly, this should ensure a smooth and effective transition: your organisation’s focus can remain on its core business whilst its ongoing stability and security is being taken care of.

The internal legacy it leaves should be one of perpetual alertness, continuous improvement and regular oversight too, given that risks and regulations will likely continue to grow. We – Invigors Digital – can offer you access to the experienced, certified expertise you will likely need, as required.

To sum up, by understanding the regulation and taking timely, decisive steps to enhance digital operational resilience measures organisation-wide, company boards in the asset financing industry can confidently navigate this landscape.

If this article has left any of your questions unanswered or highlighted areas you want to explore in more depth, do feel free to drop us a note – we’d be happy to talk.