Strengthening Cyber Resilience with Risk Communities: How the Risk Cockpit Addresses DORA

In an increasingly digital world, where businesses rely heavily on technology and interconnected systems, cyber resilience is critical. Recent cyber incidents have shown that the financial industry is no exception. This is where the Futures Industry Association (FIA) and the European Union’s Digital Operational Resilience Act (DORA) come into play, both emphasizing the importance of a risk community for the exchange-traded and cleared derivatives industry. In this blog, we explore the key findings of the FIA’s task force on cyber risk, the objectives of DORA, and how the Risk Cockpit, a risk management tool, can help build and sustain a resilient risk community while reducing the associated reporting costs.

FIA’s Cyber Task Force: Insights and Recommendations

The FIA recently released a report on the initial findings of its task force on cyber risk. The report underlines the critical importance of continuous risk management for both vendors and firms operating in the derivatives industry. The derivatives market is a complex web of financial transactions, and as it becomes more digital, the risk of cyber incidents grows. Because market participants are tightly interconnected, an incident at one firm or vendor can affect not only that entity but the industry as a whole. In response to this growing threat, the FIA’s report argues that robust risk management practices are imperative: the derivatives industry must be prepared to withstand future cyberattacks, and that preparedness is closely tied to the principles of continuous risk management.

The FIA’s task force presented six key recommendations that hold vital lessons for the financial industry:

  1. Create an Industry Resilience Committee – Establishing a committee that fosters secure communication channels for operational and cyber resilience is paramount. This ensures that financial organizations can coordinate effectively and respond swiftly to cyber incidents.
  2. Integrate with Cybersecurity Specialists – Collaboration with sector-wide groups specializing in cybersecurity and operational resilience is essential. The exchange-traded and cleared derivatives industry should tap into this expertise to fortify its defenses.
  3. Review and Affirm Policies – Clearly defined policies for reconnecting to impacted parties during and after a cyber incident should be in place, including what assurance an impacted party must provide before it is reconnected. A smooth, controlled restoration process is crucial for overall operational resilience.
  4. Share Critical Data – Establish procedures for timely sharing of critical data and information with counterparties and clients during a cyber incident. Swift communication can prevent further disruptions.
  5. Efficient Risk Assessment – Streamline the assessment of risks to operational resilience by standardizing questionnaires and evaluation processes, so that potential vulnerabilities are identified and addressed consistently across firms and vendors.
  6. Participate in Preparedness Exercises – Organizations in the industry must engage in exercises that test their preparedness for cyberattacks. These drills enable entities to fine-tune their response strategies.

The importance of these recommendations lies in the interconnectedness of the financial sector. Many organizations rely on third-party service providers for essential functions, and a disruption in one area can ripple across the industry. Hence, building a resilient risk community is imperative for the industry’s survival and continued growth.

DORA and the Growing Need for Cyber Resilience

The EU’s Digital Operational Resilience Act (DORA) seeks to strengthen firms’ approach to operational risk. DORA builds on the traditional approach of allocating capital against operational risk by adding rules on the protection, detection, containment, recovery and repair capabilities firms must maintain against ICT-related incidents. It establishes stringent, harmonized requirements across EU member states and extends its reach to critical ICT third-party providers. As with other EU regulations, it affects not only EU-based firms but also those offering services within the Union. DORA entered into force on 16 January 2023 and applies from 17 January 2025.

The core pillars of DORA encompass:

  1. ICT Risk Management – Robust risk management frameworks are essential to minimize the impact of ICT-related risks and ensure prompt recovery after incidents.
  2. ICT-related Incident Reporting – A structured process for monitoring and reporting ICT-related incidents, with an emphasis on standardization and harmonization.
  3. Digital Operational Resilience Testing – Regular testing of ICT systems and controls to identify and mitigate weaknesses and gaps.
  4. ICT Third-Party Risk – Monitoring and harmonizing relationships with third-party providers, promoting convergence in supervisory approaches.
  5. Information Sharing – Encouraging collaboration among financial entities to enhance digital operational resilience, raise awareness of ICT risks, and support mitigation and recovery strategies.

The Role of Information Flow

To achieve continuous risk management, firms need a robust flow of information, both from their vendors and to their clients. Cyber incidents can have a cascading effect, impacting multiple stakeholders. Vendors, as integral service providers, play a crucial role in mitigating these risks. They must share timely and relevant information with the firms they serve, enabling them to make informed decisions and respond effectively to potential threats.

In turn, firms need to relay pertinent information to clients who may be affected by a cyber incident. This transparency is essential for maintaining trust and ensuring a coordinated response to any challenges that arise.

KRM22’s Risk Cockpit: A Solution for Managing Cyber Risks

One effective tool for managing cyber risks is our Risk Cockpit. The platform has been purpose-built to receive and manage data from a variety of sources, making it a valuable asset in continuous risk management.

The Risk Cockpit contains four key feature sets that assist firms in managing cyber risks:

  1. Standardization – The Risk Cockpit’s risk and control registers are aligned with industry best practice relating to FCA regulations and with control frameworks such as ISO 27001. Offering standardized risk management processes allows entities in the risk community to operate on a common framework, reducing cost and complexity.
  2. Continuous Risk Management – The tool facilitates continuous risk assessment, allowing firms to identify and address risks promptly, thus minimizing the cost of reactive measures.
  3. Information Sharing – With its collaborative features, the Risk Cockpit enables organizations to share critical risk data, both internally and externally, in real time. This greatly reduces the cost of manual data exchange and increases efficiency.
  4. Cost-Efficient Reporting – The Risk Cockpit streamlines the reporting process, offering pre-configured templates and automation, significantly reducing the cost of reporting to regulators and other firms in the industry.

In conclusion, a risk community is essential in the face of increasing cyber risks. FIA’s recommendations and DORA’s objectives both emphasize the need for collective action. The Risk Cockpit, with its standardization, continuous risk management and information sharing capabilities, is a valuable asset in building and sustaining this risk community while reducing reporting costs. By adopting such tools and embracing the principles put forth by FIA and DORA, the financial sector can strengthen its resilience against evolving cyber threats while keeping risk management and reporting cost-effective.