blog from FA Solutions

Outsourcing of IT services by asset and wealth management under DORA and NIS2

By Vegard Sporstøl, Cyber Security Consultant, mnemonic

by FA Solutions
| 13/11/2023 13:15:00

In today’s digital age, asset and wealth management companies face unprecedented challenges in ensuring the security and resilience of critical infrastructure. The European Union has responded with comprehensive regulations for safeguarding the financial sector, particularly the Digital Operational Resilience Act (DORA) and, more generally, the Network and Information Security Directive (NIS2). In this article, we explore the general objectives of DORA and NIS2, describe some basic requirements outsourcing partners should meet under DORA and NIS2, and describe how FA Solutions, as an ‘ICT third-party’ supplier of cloud-based portfolio management solutions for asset and wealth managers, meets the requirements set under DORA and NIS2.

What are the general objectives of DORA and NIS2?
DORA, a new EU regulation that came into force on the 16th of January 2023 and will apply from the 17th of January 2025, focuses on strengthening the operational resilience of financial institutions and market infrastructure. It requires financial entities such as asset and wealth managers to identify, manage, and mitigate operational and cybersecurity risks, thereby ensuring the continuous provision of critical services. The DORA regulation contains sector-specific requirements for the financial sector.

DORA is built on five distinct pillars that set various requirements financial entities must comply with:

  1. ICT risk management
  2. ICT-related incident reporting
  3. Digital operational resilience testing
  4. ICT third-party risk
  5. Information sharing

As the fourth pillar shows, DORA pays close attention to third-party risk. This means that the requirements regarding outsourcing, particularly of critical services, are detailed. Even though DORA came into force earlier this year, organisations will have until 2025 to comply. Until then, we are also awaiting Regulatory Technical Standards (RTS) that will give more detail about which requirements financial entities will have to demonstrate compliance with. The requirements will include, for example, specific technical elements to be included in different ICT security policies, procedures, protocols, tools and plans.

NIS2 builds on its predecessor, NIS1, and mandates enhanced cybersecurity measures for organisations in sectors deemed essential to the economy, such as finance and banking. NIS2 promotes the protection of networks and information systems against cyber threats. NIS2 has expanded the scope of cybersecurity regulations in the EU, impacting not only essential service operators and digital service providers but also their suppliers.

The finance and banking industry should prioritise suppliers that focus on and can demonstrate security, compliance, and transparency in their operations to ensure the resilience of the financial ecosystem and maintain trust among their clients. This also aligns closely with the requirements of Article 28(5) in DORA, which states specifically that “financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards.”

What requirements must ICT outsourcing partners meet under DORA and NIS2?
Asset and wealth managers play a critical role in ensuring the financial security of their clients. For these types of financial institutions, protecting sensitive client and financial data is paramount. For asset and wealth managers who consider outsourcing ICT services to third parties, it is imperative to invest in robust (third-party) risk management strategies. This could include due diligence, security monitoring and ongoing compliance efforts. By choosing a risk-based approach, they can safeguard client assets and meet the various requirements of cybersecurity and operational resilience regulations. Furthermore, third-party vendors might have access to sensitive client data, making it essential to guarantee that these vendors also adhere to data protection and information security standards.

Asset and wealth management companies often rely on a multitude of third-party suppliers for various services and technology solutions. Managing the security and resilience of this complex supplier ecosystem can be challenging. Under DORA and NIS2, asset and wealth managers are responsible for conducting due diligence on their third-party suppliers. This includes assessing their cybersecurity measures and ensuring compliance with relevant regulations. However, gathering all the information necessary for such assessments can be time-consuming and resource-intensive.

A disruption or security breach at a third-party vendor can have a cascading impact on asset and wealth managers that outsource critical ICT services to that vendor, because they are responsible for the service. Ensuring the resilience of the supply chain is a considerable challenge, particularly when suppliers operate across different jurisdictions and are subject to varying regulations.

Drafting contracts and service level agreements (SLAs) that clearly define the security and compliance requirements for third-party vendors is a complex task. Asset and wealth managers must ensure that the third-party vendors comply with applicable DORA and NIS2 obligations. Financial institutions, including asset and wealth managers, must also implement ongoing monitoring of third-party vendors to ensure that they remain compliant and can respond effectively to evolving cyber threats.

How does FA Solutions meet the requirements as set under DORA and NIS2?
FA Solutions considers security and compliance to be among our top priorities, which is essential for being compliant with DORA and NIS2. FA Solutions has implemented a risk-based Information Security Management System (ISMS) based on the industry-recognised best practice security standard ISO/IEC 27001:2013. We work continuously to improve our ISMS and are also certified and audited on a yearly basis by an external auditor to ensure that our ISMS is compliant with this standard.

Additionally, we are doing an ISAE 3402 Type II assurance report with a yearly audit by an independent external auditor.

Our client partnerships are built on trust and fostered through open communication and a collaborative approach to understanding their specific needs. We actively engage with our clients to provide detailed insights into our operations, showcasing our proactive strategies and measures to mitigate potential risks.

Moreover, our incident handling and business continuity plans underscore our proactive approach to addressing potential threats. These plans are subjected to regular reviews and testing to ensure their efficiency and resilience, demonstrating our ability to respond effectively to any incidents that may arise.

On the technical side, we utilise a wide range of advanced security products to ensure that our data and solutions are appropriately protected. Additionally, we are working closely with security experts for products, penetration testing our application and reviewing our cloud environments. We are also continuously monitoring DORA, NIS2 and other regulations applicable to our customers with interdisciplinary teams consisting of lawyers, security experts and management to ensure that we have sufficient commitment to implement the required changes. All this makes FA Solutions able to demonstrate compliance and our commitment to our clients when this is required.
