How DXC Luxoft can help banks achieve digital operational resilience

Aug 16, 2024 by Dhritiman Mukherjee, Dr. Marc L. Brogle

In brief

  • The European Digital Operational Resilience Act (DORA) entered into force on January 16, 2023 and applies from January 17, 2025. It is designed to raise the security and resilience of ICT systems across the financial services sector
  • It establishes a harmonized framework for managing ICT risk, reporting incidents, testing resilience, sharing threat information and managing third-party risk, covering financial entities and their critical ICT third-party providers
  • DORA requires significant changes in how banks and other financial institutions handle ICT risks and dependencies

DORA represents an opportunity for banks to upgrade their digital operational resilience and: 

  • Reduce operational, reputational and financial losses 
  • Increase customer trust and satisfaction 
  • Improve operational efficiency and agility 
  • Sharpen their competitive edge 
  • Support digital transformation and innovation 

DXC Luxoft is perfectly placed to assist banks with DORA compliance and achieving digital operational resilience. Our key capabilities and solutions align with DORA's five pillars: information and communication technology (ICT) risk management, incident reporting, resilience testing, information sharing and third-party risk management. In addition, DXC Luxoft helps banks use DORA as a springboard for digital transformation and innovation, enhancing operational efficiency, customer experience and competitive advantage. 

What is DORA?

DORA creates a binding, harmonized ICT risk management framework for the EU financial sector, covering ICT risk management, incident reporting, resilience testing, information sharing and third-party risk management for financial entities and their critical ICT providers. The regulation is supplemented by regulatory and implementing technical standards drafted by the European Supervisory Authorities, and financial entities and their critical ICT third-party service providers must have the resulting requirements implemented in their ICT systems and processes by January 17, 2025, the date from which DORA applies.

The five pillars of DORA

1. ICT risk management: Principles and requirements of the ICT risk management framework. Firms must:

  • Establish and maintain resilient ICT systems and business continuity policies
  • Place ultimate responsibility for managing ICT risk with the management body, which defines and approves the firm’s digital operational resilience strategy and reviews and approves its policy on the use of ICT third-party service providers (TPPs)
  • Identify their “critical or important functions” (CIFs) and map the ICT assets and dependencies that support them
  • Carry out business impact analyses of their exposure to “severe business disruption” scenarios

2. ICT incident management: Classification and reporting of major ICT-related incidents to competent authorities:

  • DORA creates a new classification, notification and reporting framework for ICT-related incidents and adds “significant cyber threats” to the events that firms must classify (notification of significant cyber threats to the authorities is voluntary)
  • Financial institutions must detect, manage, record and classify ICT-related incidents and report major ones to the competent authority within the prescribed deadlines, through an initial notification, an intermediate report and a final report

3. ICT third-party risk management: Monitoring ICT third-party service providers and the contractual provisions that govern them. Firms must:

  • Define and execute a strategy and policy on the use of ICT third-party services, assess risk and perform due diligence before contracting with critical suppliers, maintain a register of information covering all contractual arrangements, and map critical suppliers to the business functions they support
  • Ensure contracts with ICT providers contain the key provisions DORA requires, such as clear service descriptions and service levels, rights of access, inspection and audit, and termination and exit arrangements

4. Digital operational resilience testing: Basic and advanced testing. Firms must:

  • Show they conduct appropriate security and resilience tests on their critical ICT systems and applications
  • Fully address any vulnerabilities identified by the testing
  • Conduct advanced threat-led penetration tests (TLPT) at least every three years, where the firm has been identified for TLPT by its competent authority on the basis of its systemic importance, ICT risk profile and ICT maturity

5. Information sharing: Exchange of information and intelligence on cyber threats

  • Firms may exchange cyber-threat information and intelligence (indicators of compromise, tactics, techniques and procedures, security alerts) with other financial entities within trusted communities to help identify, control and mitigate threats, and must notify their competent authority when they join or leave such an arrangement
  • DORA sets the conditions for these arrangements: they must aim to enhance digital operational resilience, operate within trusted communities and protect business confidentiality and personal data

Challenges and opportunities

DORA poses several challenges for banks, as they must: 

  • Establish and maintain a robust ICT risk management framework aligned with their business strategy and risk appetite and approved by their management body 
  • Identify and map critical functions and ICT assets and dependencies, and conduct business impact analyses based on severe disruption scenarios 
  • Monitor, record and classify ICT-related incidents and notify the competent authorities and stakeholders promptly 
  • Conduct regular and advanced digital operational resilience testing (including threat-led penetration testing) on their critical ICT systems and applications and fix vulnerabilities, deficiencies or gaps 
  • Define and implement a policy on the use of ICT third-party service providers and perform due diligence, risk assessment, contractual supervision and monitoring of their performance and resilience 
  • Decide whether and how to take part in cyber-threat information-sharing arrangements with other financial entities, notify the regulator of that participation, and make use of the intelligence obtained on ICT-related threats, vulnerabilities and incidents

These challenges will require banks to invest in their ICT systems and processes, enhance governance and oversight, improve awareness and training, and strengthen collaboration and communication with internal and external stakeholders. Banks must ensure they have the necessary skills, resources and capabilities to comply with DORA and manage their ICT risks effectively. However, DORA also offers opportunities for banks to improve their digital operational resilience and gain strategic benefits. By complying with DORA, banks can: 

  • Reduce the likelihood and impact of ICT-related disruptions, incidents and cyberattacks and minimize their operational, reputational and financial losses 
  • Improve customer trust and satisfaction by ensuring the availability, continuity and quality of their ICT services and functions 
  • Increase operational efficiency and agility by optimizing their ICT systems and processes and adopting the best practices and innovations of their ICT providers 
  • Enhance their competitive advantage and market position by demonstrating DORA compliance and their commitment to digital operational resilience 
  • Use DORA as a catalyst to drive digital transformation and innovation, adopting new technologies, solutions and business models that create added customer and stakeholder value 

How DXC Luxoft can help

DXC Luxoft helps banks comply with DORA and achieve digital operational resilience by offering a range of capabilities and solutions that cover the five pillars: ICT risk management, incident reporting, resilience testing, information sharing, and third-party risk management. DXC Luxoft can also help banks leverage DORA as a catalyst for digital transformation and innovation by offering solutions that can help them improve their operational efficiency, customer experience and competitive advantage. 

Our DORA capabilities and solutions are based on extensive experience and expertise in the financial services sector and our proven internal model of resilience and third-party management. DXC Luxoft’s DORA expertise is aligned with industry best practices and standards, such as the NIST Cybersecurity Framework, ISO 27001, COBIT and ITIL. The following table summarizes our DORA capabilities: DXC Luxoft can help banks plan, execute and operate their processes and systems for:

  • Incident management
  • Estate monitoring
  • Patch compliance
  • Backup and restore
  • Aligned functional and architecture design
  • Business continuity and disaster recovery planning
  • Security and compliance policy definition
  • Change management

Find out more

If you’d like to learn more about how DXC Luxoft can help your financial institution comply with DORA and achieve digital operational resilience, contact us. 

Dhritiman Mukherjee, Managing Partner, Financial Services

Dhritiman is a Managing Partner for DXC Luxoft’s London-based Financial Services business. He brings subject-matter domain expertise to solutions for our EMEA clients, shaping and delivering large and complex strategic, operational and digital/technology transformation initiatives. Dhritiman has more than 25 years of senior management banking experience and mainly focuses on risk and regulatory compliance in banking, platform banking, embedded finance and digital transformation.

Dr. Marc L. Brogle, Managing Partner, Financial Services

Dr. Marc L. Brogle has more than three decades of experience in the IT industry and research field. He is a trusted advisor for many of our platinum customers in banking and capital markets, aligning technology strategies with customer business objectives and visions. Marc lives in Switzerland, where he also held the position of CTO for DXC’s Banking Service Center. His expertise covers core banking, open APIs and open banking, digital banking platforms and architecture, as well as secure and compliant banking platforms and infrastructure operations.