In today’s digital age, asset and wealth manager companies face unprecedented challenges in
ensuring the security and resilience of critical infrastructure. The European Union has responded
with comprehensive regulations for safeguarding the financial sector, particularly the Digital
Operational Resilience Act (DORA) and more generally the Network and Information Security
Directive (NIS2). In this article, we explore the general objectives of DORA and NIS2, we describe
some basic requirements outsourcing partners should meet under DORA and NIS2, and we describe
how FA Solutions, as an ‘ICT third-party’ supplier of cloud-based Portfolio Management solutions for asset and wealth managers, meets those requirements set under DORA and NIS2.
What are the general objectives of DORA and NIS2?
DORA, a new EU regulation that came into force on the 16th of January 2023 and will apply from the 17th of January 2025, focuses on strengthening the operational resilience of financial institutions and market
infrastructure. It requires financial entities such as asset and wealth managers to identify, manage,
and mitigate operational and cybersecurity risks, thereby ensuring the continuous provision of
critical services. DORA regulation contains sector-specific requirements for the financial sector.
DORA is built on five distinct pillars that set various requirements financial entities must comply with:
- ICT risk management
- ICT-related incident reporting
- Digital operational resilience testing
- ICT third-party risk
- Information sharing
As seen in the fourth pillar, DORA paid much attention to third-party risk. This means that the
requirements regarding outsourcing, particularly their critical services, are detailed. Even though
DORA came into force earlier this year, organisations will have until 2025 to comply. Until then, we
are also awaiting Regulatory Technical Standards (RTS) that will give more detail about which
requirements financial entities will have to demonstrate compliance. The requirements will include
e.g. specific technical elements to be included in different ICT security policies, procedures,
protocols, tools and plans.
NIS2 builds on its predecessor, NIS1, and mandates enhanced cybersecurity measures for
organisations in sectors deemed essential to the economy, such as finance and banking. NIS2
promotes the protection of networks and information systems against cyber threats. NIS2 has expanded the scope of cybersecurity regulations in the EU, impacting not only essential service operators and digital service providers but also their suppliers.
The finance and banking industry should prioritise suppliers that focus on and can demonstrate security, compliance, and transparency in their operations to ensure the resilience of the financial ecosystem and maintain trust among their clients.
The finance and banking industry should prioritise suppliers that focus on and can demonstrate security, compliance, and transparency in their operations to ensure the resilience of the financial ecosystem and maintain trust among their clients. This also aligns closely with the requirements of Article 28(5) in DORA, which states specifically that “financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards.”
What requirements must ICT outsourcing partners meet under DORA and NIS2?
Asset and wealth managers play a critical role in ensuring the financial security of their clients. For
these types of financial institutions, protecting sensitive client and financial data is paramount. For asset and wealth managers who consider outsourcing ICT services to third parties, it is imperative to invest in robust (third-party) risk management strategies. This could include due diligence, security monitoring and ongoing compliance efforts. By choosing a risk-based approach, they can safeguard client assets and meet the various requirements of cybersecurity and operational resilience regulations. Further on, there might be third-party vendors that have access to sensitive client data, making it essential to guarantee that these vendors also adhere to data protection and information security standards.
Asset and wealth management companies often rely on a multitude of third-party suppliers for
various services and technology solutions. Managing the security and resilience of this complex
supplier ecosystem can be challenging. Under DORA and NIS2, asset and wealth managers are
responsible for conducting due diligence on their third-party suppliers. This includes assessing their
cybersecurity measures and ensuring compliance with relevant regulations. However, gathering all
the information necessary for such assessments can be time-consuming and resource-intensive.
Encountering a disruption or security breach at a third-party vendor can have a cascading impact on asset and wealth managers outsourcing critical ICT services to a third party because they are
responsible for the service. Ensuring the resilience of the supply chain is a considerable challenge, particularly when suppliers operate across different jurisdictions and are subject to varying regulations.
Asset and wealth managers must ensure that the third-party vendors comply with applicable DORA and NIS2 obligations.
Drafting contracts and service level agreements (SLAs) that clearly define the security
and compliance requirements for third-party vendors is a complex task. Asset and wealth managers
must ensure that the third-party vendors comply with applicable DORA and NIS2 obligations.
Financial institutions, including asset and wealth managers, must also implement ongoing monitoring
of third-party vendors to ensure that they remain compliant and can respond effectively to evolving
cyber threats.
How does FA Solutions meet the requirements as set under DORA and NIS2?
FA Solutions considers security and compliance as one of our top priorities, which is essential for
being compliant with DORA and NIS2. FA Solutions have implemented a risk-based Information
Security Management System (ISMS) on the industry-recognized best practice security standard
ISO/IEC 27001:2013. We work continuously to improve our ISMS and are also certified and audited
on a yearly basis by an external auditor to ensure that our ISMS are compliant with this standard.
Additionally, we are doing an ISAE 3402 Type II assurance report with a yearly audit by an
independent external auditor.
Our client partnerships are built on trust and fostered through open communication and a
collaborative approach to understanding their specific needs.
Our client partnerships are built on trust and fostered through open communication and a
collaborative approach to understanding their specific needs. We actively engage with our clients to provide detailed insights into our operations, showcasing our proactive strategies and measures to mitigate potential risks.
Moreover, our incident handling and business continuity plans underscore our proactive approach to addressing potential threats. These plans are subjected to regular reviews and testing to ensure their efficiency and resilience, demonstrating our ability to respond effectively
to any incidents that may arise.
On the technical side, we utilise a wide range of advanced security products to ensure that our data
and solutions are appropriately protected. Additionally, we are working closely with security experts
for products, penetration testing our application and reviewing our cloud environments. We are also
continuously monitoring DORA, NIS2 and other regulations applicable to our customers with
interdisciplinary teams consisting of lawyers, security experts and management to ensure that we
have sufficient commitment to implement the required changes. All this makes FA Solutions able to
demonstrate compliance and our commitment to our clients when this is required.