Navigating the Road to DORA and PS21/3 Compliance: A Comprehensive Guide

ariana@resilientx.com

In today's increasingly digital financial landscape, cyber risks pose severe threats to the stability and security of financial institutions. Sophisticated cyberattacks and IT disruptions can lead to large financial losses, compromise sensitive customer data, and erode public trust in financial systems.

To address these mounting risks, regulators worldwide are implementing stringent cybersecurity and operational resilience frameworks. In the European Union, the Digital Operational Resilience Act (DORA) aims to harmonize cyber risk regulations across the bloc. In the United Kingdom, the Prudential Regulation Authority (PRA) has introduced Prudential Standard PS21/3 (PS21/3) to bolster operational resilience.

Both DORA and PS21/3 require financial institutions to overhaul their risk management practices and leverage technology to detect threats, resist attacks, and recover rapidly from incidents. This article provides a comprehensive guide to complying with these landmark regulations. It examines the key requirements, implementation timelines, scope of impacted organizations, challenges involved, and how financial services players can take a strategic approach to compliance.

An In-Depth Look at DORA and PS21/3

What is the Purpose of DORA and PS21/3?

DORA and PS21/3 aim to safeguard financial stability and maintain trust in the financial system by promoting operational resilience.

DORA

The EU's Digital Operational Resilience Act establishes harmonized standards for the management of Information and Communications Technology (ICT) risks across Europe's financial sector. It requires financial firms to evaluate their cyber vulnerabilities, implement robust controls, and ensure business continuity during disruptions.

DORA consolidates the previously fragmented cyber regulations imposed by individual EU member states into a single, comprehensive framework. With consistent rules across the bloc, DORA facilitates cross-border business and cooperation in countering cyber threats.

PS21/3

The PRA's Prudential Standard 21/3 requires financial institutions in the UK to identify their most important business services, set impact tolerances for disruption, and take a systematic approach to maintaining operational continuity.

Firms must analyze scenarios that could plausibly cause intolerable disruption and make the necessary investments to operate within their impact tolerances. This entails mapping relevant people, processes, technology, facilities and third-party dependencies.

Together, these regulations instill in financial services the cyber resilience and continuity capabilities vital to economic stability and consumer protection.

Who is Subject to DORA and PS21/3?

Scope of DORA

All financial entities operating within the EU fall under the scope of DORA, including:

  • Credit institutions
  • Payment services providers
  • E-money institutions
  • Insurance companies
  • Investment firms
  • Financial market infrastructures like CCPs

Additionally, critical ICT third-party service providers to the financial sector must comply with DORA requirements. This captures cloud computing services, data center operations, managed security services, and other outsourced IT functions.

Notably, entities like crowdfunding platforms, mortgage lenders, and non-bank lenders remain out of DORA's scope.

Scope of PS21/3

Within the UK, PS21/3 applies to all banks, building societies, and designated investment firms. Like DORA, it extends to critical third-party technology and service providers supporting these financial institutions.

What is the Timeline for DORA and PS21/3 Compliance?

DORA

The European Commission originally proposed DORA in September 2020. After two years of negotiations, it was formally adopted by the EU Council and Parliament in November 2022.

Financial players have until January 2025 to comply with DORA requirements. The three European Supervisory Authorities (ESAs) are currently drafting Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to pave the way for adoption across the bloc. These harmonized standards should reach their final form in 2024.

PS21/3

The UK's Prudential Regulation Authority issued PS21/3 on March 31, 2022. It mandated financial institutions to meet initial compliance milestones by March 31, 2025.

As of March 2022, firms must have:

  • Identified their important business services
  • Set impact tolerances for service disruptions
  • Performed mapping and testing to required sophistication levels
  • Detected operational vulnerabilities
  • Begun necessary investments to maintain resilience

Full compliance must follow over subsequent years as providers refine and validate their operational continuity arrangements.

What are the Core Requirements of DORA and PS21/3?

While DORA and PS21/3 differ in scope, their overall goals converge around enhancing cyber resilience. Let's examine the central obligations they impose.

Key Requirements of DORA

DORA organizes cyber risk management requirements across five pillars:

1. ICT Risk Management
  • Assign roles and responsibilities for ICT risk management
  • Conduct ICT risk assessments regularly
  • Implement security controls like access management, encryption, and patch management
  • Maintain Plans of Action and Milestones (POAMs) to track risk treatment
  • Perform exercises to validate controls and preparedness
2. ICT Incident Reporting
  • Establish procedures to detect, classify, and report ICT incidents
  • Notify national authorities within mandated timeframes about significant incidents
  • Preserve evidence and root causes following an incident
3. Digital Operational Resilience Testing
  • Test incident response, business continuity, disaster recovery, and crisis communication plans regularly
  • Assess cybersecurity posture through threat intelligence, vulnerability scanning, penetration testing, and simulated attacks
  • Validate third-party cyber resilience via testing and assurance reports
4. Information Sharing Arrangements
  • Share cyber threat intelligence and indicators of compromise (IOCs) with regulators and industry peers
  • Participate in coordinated exercises like Waking Shark and the Cambridge 2 exercises
  • Collaborate with authorities on emerging threats, vulnerabilities, and incidents
5. ICT Third-Party Risk Management
  • Classify outsourced services and providers by criticality
  • Conduct cyber due diligence during third-party selection
  • Embed security requirements into contracts
  • Gain assurance of providers' resilience controls via audit rights

Together, these stipulations ingrain cyber resilience while distributing accountability across financial ecosystem stakeholders.

Key Requirements of PS21/3

The core elements of the PRA's PS21/3 standard include:

  • Mapping: Document the people, processes, technology, facilities, and resources that support delivery of important business services.
  • Impact Tolerances: Define the maximum acceptable disruption for important business services.
  • Scenario Testing: Evaluate whether the organization can remain within impact tolerances under severe but plausible scenarios.
  • Investment: Make necessary investments to operate consistently within impact tolerances.
  • Vulnerability Identification: Pinpoint vulnerabilities in operational resilience and make timely improvements.
  • Communications Strategy: Create a plan to communicate with relevant external stakeholders during a disruption.
  • Third Parties: Understand and monitor third-party dependencies; ensure their resilience meets in-house standards.

Implementation deadlines

  • March 2022: Identify important business services and set impact tolerances. Begin mapping and testing.
  • March 2025: Complete mapping. Perform robust testing and required investments to comply with impact tolerances.
  • 2025 onwards: Iterate on arrangements to validate and improve resilience.

This phased approach gives firms time to embed operational continuity fundamentals before proving more advanced capabilities.

The Challenges of Compliance

While regulations like DORA and PS21/3 aim to harden financial services against disruption, they present significant implementation challenges.

Adapting to the Evolving Threat Landscape

Cyber risks evolve at breakneck speed. Financial institutions must continually monitor the threat landscape and adjust controls and preparedness levels accordingly. Emerging attack techniques like AI-enabled phishing campaigns, supply chain compromises, destructive wiper malware, and ransomware with data theft require ever-advancing mitigation strategies.

Outpacing sophisticated, well-resourced cyber criminals demands substantial investment in security staff, tools, and processes. This makes compliance resource-intensive.

Building Robust Governance

Operational resilience requires comprehensive oversight and coordination. Firms must implement formal governance frameworks with executive leadership and clearly defined roles and responsibilities.

Governing bodies like Security Steering Committees and Resilience Oversight Committees should meet regularly to assess cyber risks, guide investments, monitor preparedness, and direct incident response.

Appointing Chief Information Security Officers and Heads of Operational Resilience injects cybersecurity expertise into steering discussions.

However, developing this governance fabric requires substantial time and planning.

Understanding Complex Attack Surfaces

Today's financial institutions build services across complex, interconnected IT ecosystems. Core banking systems interact with customer-facing applications, analytics platforms, cloud infrastructure, and networks of third parties.

Firms struggle to map this vast attack surface and identify critical assets, dependencies, and vulnerabilities. Gaining comprehensive visibility is essential to managing risks, but presents a monumental challenge.

Retrofitting Legacy Infrastructure

Major financial institutions rely extensively on aging, legacy IT systems that predate modern security best practices. Mainframes, ERP software, databases, and network devices accumulate enormous technical debt over years of incremental updates.

Refurbishing this infrastructure to meet strict resilience standards represents a multi-year, billion-dollar undertaking. Firms must strategically identify and remediate critical vulnerabilities while phasing out antiquated systems.

Coordinating Third-Party Oversight

Financial services ecosystems lean heavily on third-party technology vendors, service providers, and partners. Cloud operators, data centers, and application developers comprise an interconnected web of suppliers.

Understanding and managing risks across this third-party attack surface requires intensive coordination and assessment. Firms struggle to gain holistic visibility and impose uniform security standards across their partner landscape.

Four Steps to Compliance Readiness

While significant in scale, the path to DORA, PS21/3 and similar regulations can be navigated through a strategic approach:

1. Establish Strong Foundations

Begin by instilling foundational cybersecurity, risk management, and resilience capabilities:

  • Risk Assessments: Conduct recurring risk assessments of critical assets, systems, and processes. Keep inventories of hardware and software up to date.
  • Security Hygiene: Enforce strong authentication, access controls, encryption, vulnerability management, and cybersecurity awareness across the organization.
  • Third-Party Risk Management: Classify third parties by criticality. Perform risk-based due diligence during onboarding. Embed security requirements into contracts, and monitor compliance.
  • Incident Response Planning: Institute robust incident response processes adhering to standards like NIST 800-61 Rev. 2. Validate regularly through exercises.
  • Business Continuity Planning: Identify critical business functions, recovery time objectives, and continuity strategies like redundancy, backup/restore, and alternate sites. Test plans annually.

These fundamental capabilities provide the necessary base for regulatory compliance.

2. Increase Visibility of Critical Assets

Leverage asset management and IT service mapping tools to identify systems that support vital services. This visibility enables targeted hardening of mission-critical resources.

3. Perform Scenario-Based Testing

Analyze and test scenarios that could realistically cause significant disruption, such as:

  • Ransomware attacks that encrypt critical data
  • DDoS attacks that overwhelm public-facing applications
  • Cloud service outages that disable essential SaaS platforms
  • Supply chain compromises that penetrate trusted third parties
  • Insider threats and credential theft
  • Physical hazards like fires, floods or electrical outages

Testing validates controls and uncovers previously unknown single points of failure.
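The PS21/3 mapping, impact tolerance and scenario-testing requirements described earlier, and the scenario-based testing step above, can be made concrete in code. The following is an added example written for this article, not code from the post or from any firm or regulator it mentions. The dependency map, service names, tolerance figures and outage durations are all constructed for illustration; a real mapping exercise would feed in the firm's own inventory. The example models each mapped component's dependencies as groups of redundant alternatives, fails components under a scenario, and reports whether each important business service stays within its impact tolerance. It also walks every component in turn to surface single points of failure, which is exactly the kind of hidden dependency the text says testing uncovers.

```python
"""Constructed PS21/3-style model: map important business services to
supporting components, run severe-but-plausible scenarios, and check
each service against its impact tolerance."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Component:
    """One mapped resource (system, site, third party).

    `requires` is a list of groups. The component operates only if, in
    EVERY group, at least one member is available. A group with two
    members models redundancy (e.g. a primary and secondary data centre).
    The map is assumed to be acyclic.
    """
    name: str
    requires: List[Set[str]] = field(default_factory=list)


# Constructed dependency map (hypothetical names, not a real firm).
COMPONENTS: Dict[str, Component] = {c.name: c for c in [
    Component("payments_api", [{"core_ledger"}, {"dc_primary", "dc_secondary"}]),
    Component("core_ledger", [{"mainframe"}]),
    Component("mainframe", [{"dc_primary"}]),   # single-site: a hidden SPOF
    Component("mobile_banking", [{"payments_api"}, {"cloud_saas_idp"}]),
    Component("dc_primary"),
    Component("dc_secondary"),
    Component("cloud_saas_idp"),                 # outsourced identity provider
]}

# Important business service -> (entry component, impact tolerance in hours).
# Tolerance figures are constructed placeholders.
SERVICES: Dict[str, Tuple[str, float]] = {
    "retail_payments": ("payments_api", 4.0),
    "mobile_banking": ("mobile_banking", 8.0),
}


def available(name: str, failed: Set[str],
              memo: Optional[Dict[str, bool]] = None) -> bool:
    """True if component `name` can operate given the set of failed components."""
    if memo is None:
        memo = {}
    if name in memo:
        return memo[name]
    if name in failed:
        memo[name] = False
        return False
    comp = COMPONENTS[name]
    ok = all(any(available(m, failed, memo) for m in group)
             for group in comp.requires)
    memo[name] = ok
    return ok


def run_scenario(failed: Set[str], outage_hours: float
                 ) -> Dict[str, Tuple[float, bool]]:
    """For each service: hours of disruption and whether it is within tolerance.

    A service is disrupted for the whole outage if its entry component
    cannot operate; otherwise redundancy absorbs the failure."""
    report = {}
    for svc, (entry, tolerance) in SERVICES.items():
        hours = 0.0 if available(entry, failed) else outage_hours
        report[svc] = (hours, hours <= tolerance)
    return report


def single_points_of_failure(service: str) -> List[str]:
    """Components whose loss alone makes the service unavailable."""
    entry, _ = SERVICES[service]
    return sorted(c for c in COMPONENTS if not available(entry, {c}))


if __name__ == "__main__":
    for failed, hours in [({"dc_secondary"}, 6.0), ({"dc_primary"}, 6.0),
                          ({"cloud_saas_idp"}, 12.0)]:
        print(f"Scenario: lose {sorted(failed)} for {hours}h")
        for svc, (down, ok) in run_scenario(failed, hours).items():
            print(f"  {svc}: {down}h disrupted, within tolerance: {ok}")
    for svc in SERVICES:
        print(f"SPOFs for {svc}: {single_points_of_failure(svc)}")
```

The interesting result is the primary data centre: at the payments API level it looks redundant, yet losing it alone takes retail payments past its four-hour tolerance because the mainframe behind the ledger has no second site. That is the sort of finding a mapping and testing cycle is meant to produce, and it points directly at where resilience investment belongs.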

4. Strategically Upgrade Resilience Capabilities

Given limited budgets and resources, firms should strategically identify and mitigate the most severe vulnerabilities first. Core areas for investment include:

Incident Response

  • Advanced endpoint detection and response
  • Next-gen firewalls and intrusion prevention
  • Security automation and orchestration
  • Threat hunting and penetration testing
  • Cyber threat intelligence collection and analysis

Business Continuity

  • High availability architecture
  • Redundant infrastructure and regular data backup
  • Alternate work sites and telecommuting capabilities
  • Crisis communications and stakeholder management

Infrastructure Hardening

  • Asset lifecycle management to phase out unsupported systems
  • Network segmentation to isolate sensitive resources
  • Encryption mechanisms for data-at-rest and in-transit
  • Rigorous patch management procedures

A strategic roadmap will build compliance momentum over time while maximizing risk reduction.

Looking Ahead with DORA and PS21/3

Cyber risks will only intensify as financial systems grow more complex and interconnected. DORA and PS21/3 represent landmark efforts by EU and UK regulators to control these threats.

By mandating financial services to implement robust governance, response capabilities, and infrastructure resilience, these regulations aim to safeguard financial stability for the digital future.

The journey to compliance will be arduous and involve substantial technology investment. However, the payoff will be financial institutions with the cyber resilience to withstand crises, earn customer trust, and fuel the global economy.

Conclusion

DORA and PS21/3 mark a new era in financial services regulation by entrenching holistic operational resilience. With cyber risks growing exponentially, these frameworks provide prescriptive yet adaptable guidance to financial institutions on hardening defenses.

The path to compliance will be characterized by significant challenges like ever-evolving threats, governance complexities, sprawling attack surfaces, legacy tech constraints, and third-party coordination. Still, a strategic roadmap can overcome these hurdles over time as foundational capabilities provide a launch pad for greater cyber maturity.

Ultimately, achieving the visions of DORA and PS21/3 will require extensive collaboration between regulators and industry. As standards and testing methodologies mature, financial services will grow increasingly adept at maintaining continuity during even extreme disruptions. This cyber resilience promises to safeguard the financial system as technology infuses deeper into the global economy.
