Australia's Interaction with DORA: An Exploration
The Digital Operational Resilience Act (DORA), a European Union regulation, is now live and operational, marking a significant step towards strengthening the financial sector's IT security. DORA is designed to provide guidelines for operational risk in financial institutions and is expected to have far-reaching implications.
Unlike the APRA CPS230, which is planned to be introduced more gradually, DORA is set to be more quickly implemented. This regulation aims to ensure that numerous financial institutions, including credit institutions, insurance and reinsurance companies, securities firms, payment and e-money institutions, crypto-asset service providers, and managers of alternative investment funds, among others, comply with stringent ICT risk management requirements.
Criticality assessment under DORA is comprehensive, considering factors such as concentration risk, the number of financial entities served, the systemic importance of those entities, and the potential impact of a disruption on the financial system. Furthermore, DORA considers specific risks posed by each third-party provider to the financial entities they serve.
Third-party providers deemed critical under DORA must implement and regularly test their business continuity and disaster recovery plans. Advanced red team resilience testing, such as threat-led penetration testing, is required to identify and address vulnerabilities. Each entity must also continuously monitor potential third-party providers, assessing their performance and associated risks.
Contracts with third-party providers must include exit strategies and provisions for smooth transitions in case of termination or service disruption. DORA's focus on digital operational resilience and its comprehensive framework could serve as a model for other sectors, emphasising the interconnectedness of all sectors and the need to avoid silo thinking.
David J. Gee, a seasoned professional with over 20 years of experience as CIO and CISO, joined Macquarie Group in early 2021 as Global Head of Technology, Cyber, and Data Risk. Gee, who previously served as CISO for HSBC Asia Pacific and led the cybersecurity transformation maturity uplift in 19 countries for this large investment bank, brings valuable expertise to the table.
The requirements of DORA are expected to spread geographically and to other sectors. With enhanced due diligence and monitoring at its core, DORA presents a challenge for anyone to fulfil. However, it is a necessary step towards ensuring the resilience and security of the financial sector in the digital age.