The Digital Operational Resilience Act (DORA) – All you need to know

Digital transformation is at the forefront of many financial institutions today enabling them to better connect to their customers and improve upon their business operations. Spurred on by the COVID-19 outbreak, financial institutions now rely on these digital services for their day-to-day operations with the introduction of many remote working roles and the changes this has brought to their production and delivery of services. However, an increase in demand for these digital services and reliance on third-party suppliers has resulted in more financial institutions being put at risk with third-party supplier failure, data breach, cyber and ransomware attacks, all of which cannot be ignored.

What is the purpose of DORA?

The European Union’s aim of the Digital Operational Resilience Act (DORA) is to improve the cybersecurity and operational resiliency of the financial services sector. As an integral part of the ICT risk management framework, DORA requires financial companies such as banks, insurance companies and investment firms to adopt a robust and comprehensive digital operational resilience testing program covering ICT tools, systems, and processes.

Before DORA, financial institutions did not manage all components of operational resilience, however, with DORA, they must also follow strict rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents.

DORA entered into force on 16^th January 2023, 20 days after its initial publication in the Official Journal of the European Union on 27 December 2022. Financial entities in the European Union (EU) and their critical ICT providers must be ready to comply with DORA by 17^th January 2025.

Who does it apply to?

DORA introduces very specific and strict requirements that are consistent across EU member states and will have a significant impact to financial institutions including banks, insurance companies and investment firms. Critical ICT third-parties which provide ICT-related services to financial institutions, such as cloud platforms, data analytics and audit services, are also subject to this new regulation.

What are the requirements?

DORA is divided across 5 core pillars that address various aspects or domains within ICT and cyber security, providing a comprehensive digital resiliency framework for the relevant entities. Requirements covered include risk management, incident reporting, digital operational resilience testing, information and intelligence sharing and third-party risk management.

With the increased use of third-party suppliers and the significant risks these can bring, DORA has considered ICT third-party risk to be an integral part of its framework. Financial entities are therefore required to adopt and review a strategy on ICT third-party risk, including guarantees for access, recovery and return in case of third-party supplier failure, including defining and testing an exit strategy for each.

How Escrow London can help you prepare for DORA

Although DORA may seem daunting for some financial institutions who rely on third-party suppliers,  Escrow London offer a variety of software escrow and SaaS continuity escrow solutions, as well as Ransomware recovery escrow solutions that can help you with your digital operational resilience testing program and become DORA compliant.

Software Escrow and SaaS Continuity Escrow solutions

There are many and varied reasons for considering a software or SaaS escrow agreement including concerns about vendor bankruptcy, ransomware attacks, unplanned service outages, and potential data loss or corruption.

Software Escrow also known as source code escrow is a three party agreement between a software developer (the depositor), the end user (beneficiary) and the source code escrow company (Escrow London). The objective of a software escrow agreement is to provide comfort to the end user that if the software developer is unable or unwilling to support the software, the code, data and other critical materials can be released to them.

SaaS Escrow is similar to a source code escrow agreement but provides continuity for cloud hosted software usually hosted within AWS, Microsoft Azure or Google Cloud. The SaaS Escrow solution may include:

• Replica cloud environment providing swift continuity;
• SaaS Environment Escrow including a deposit of all the components required to deploy the software to a cloud environment including source code, deployment scripts and databases;
• Access to the cloud production environment through the deposit of access credentials.

The software/SaaS escrow agreement outlines the responsibilities of all the parties and includes pre-defined release conditions.

Ransomware Recovery

The Escrow London Ransomware Recovery Escrow combines the best of SaaS Continuity Escrow with Backup as a Service (BaaS) and now gives businesses the chance to restore quickly when the worst happens. Solutions include:

• Ransomware Recovery Live – ensuring efficient continuity in the event of an attack on your live and DR environments.
• Ransomware Database backup & recovery (BaaS) – a daily backup of your encrypted database backups to the Escrow London cloud vaults via a pull Backup as a Service (BaaS) process will keep your database backup out of the reach of hackers. This includes a weekly integrity test to provide assurance that files have not been unknowingly compromised by hackers in the background. 
• Ransomware Source Code & Infrastructure as Code Sync – protects your development source code and deployment scripts such as Terraform and CloudFormation from ransomware hackers.
  

Seek out potential vulnerabilities with Penetration and Vulnerability Testing

There are a comprehensive range of cyber-security services available to identify and evaluate potential vulnerabilities, root cause analysis and mitigation control.  These in-depth assessments help improve the business security position and prioritises the implementation of security controls based on a simulated attack.

Escrow London’s Penetration testing solution conducts a simulated attack on IT infrastructure to determine any weaknesses using the methodologies, techniques and tools that provide the best representation of what a real-world malicious attacker would do.

If you would like to talk to us for further information on how Escrow London can help with requirements relating to DORA, then please do not hesitate to contact one of our experts.

##

About Escrow London

Escrow London is a global SaaS escrow vendor headquartered in the United Kingdom. Our global coverage is provided across our London office, Escrow London North America Inc in Atlanta, and our Australian office in Sydney.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS Continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major law firms, banks, central banks, insurance companies, technology companies and government organisations.

Find out about SaaS Escrow by viewing our new video here.