Fintech Startup's Compliance with DORA's ICT Risk Management Requirements

Question

A fintech startup uses multiple cloud service providers for data storage and processing. How should it approach compliance with DORA's ICT risk management requirements?

Executive Summary

Fintech startups leveraging cloud services must carefully manage ICT risks in compliance with the Digital Operational Resilience Act (DORA). Key directives for constructing a resilient ICT framework are as follows:

  • ICT Risk Management Framework: Develop a comprehensive framework, assigning an independent control function to manage ICT risks, aligned with the company’s risk tolerance.
  • System Maintenance and Up-to-Date Protocols: Ensure that all ICT systems, including those provided by cloud services, are current and scaled appropriately for the company’s operational needs.
  • Incident Management Process: Establish a process for detecting, managing, and reporting ICT-related incidents, with pre-emptive mechanisms for threat management.
  • Digital Operational Resilience Testing: Implement a continuous testing program to evaluate and improve ICT systems, including those managed by third-party providers.
  • Third-Party Risk Integration and Contractual Clarity: Integrate risks from cloud service providers into overall ICT risk management and establish clear contractual terms with these providers for accountability.
  • Information Sharing and Cyber Threat Intelligence: Engage in cyber threat information exchange to enhance collective industry defense capabilities.

By adhering to these practices, fintech startups can align their operations with DORA’s stipulations for digital operational resilience.

Assumptions

Given the ambiguities in the legal question, the following assumptions will be made to guide the legal analysis:

  1. Scope of Financial Services: Assume the fintech startup provides services that could potentially be critical or important within the financial sector.

  2. Relationship with Cloud Service Providers: Assume the cloud services are integral to the startup’s operational functionality and involve processing activities that may affect the startup’s risk exposure.

  3. Data Sensitivity and Processing Activities: Assume the data includes various categories that may be subject to regulatory requirements, including personal data.

  4. Startup’s Size and Complexity: Assume the startup has operations that are sufficiently complex to warrant a comprehensive review of DORA’s full suite of ICT risk management requirements.

  5. Existing ICT Risk Management Practices: Assume the startup has some level of ICT risk management practices in place, but these may need adaptation or enhancement to meet DORA’s standards.

Legal trace

Understanding the Scope of Digital Operational Resilience for Fintech Startups

“financial entity means any entity that provides financial services within the scope of DORA.” Article 3

Our fintech startup client falls under the scope of ‘financial entity’, confirmed by the broad definitional ambit of Article 3, necessitating adherence to DORA regulations.

“ICT third-party service provider means an undertaking providing ICT services.” Article 3

It is clear that cloud service providers used by the startup qualify as ‘ICT third-party service providers’. Consequently, the startup’s relationship with these providers must align with the risk management standards mandated by DORA.

Establishing a Robust ICT Risk Management Framework

Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. Article 6(1)

The startup must operationalize a detailed ICT risk management framework, reflecting a comprehensive approach to anticipating and responding to ICT risks, as stipulated in Article 6.

Financial entities…shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Article 6(4)

Article 6 prescribes an independent control function within the startup to manage ICT risks, mandating a segregated oversight structure that is insulated from conflicts of interest.

…include a digital operational resilience strategy setting out how the framework shall be implemented…establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity… Article 6(8)

The startup’s digital operational resilience strategy must be documented within the ICT risk management framework, according to Article 6, and should be in tune with the company’s designated risk appetite.

Obligations in the Use and Management of ICT Systems

In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are appropriate to the magnitude of operations supporting the conduct of their activities… Article 7

The obligations outlined in Article 7 demand that the startup’s ICT systems, including those provided by cloud service providers, be kept up to date and scaled to match its operational volume.

Identification of Business Functions and ICT Risk

Financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities… Article 8(1)

Article 8 mandates extensive documentation of the business functions that intersect with ICT, which for our client means a deeper analysis of how these functions depend on cloud services for continuity.

Crafting ICT Protection and Prevention Strategies

For the purposes of adequately protecting ICT systems…financial entities shall continuously monitor and control the security and functioning of ICT systems and tools… Article 9(1)

Article 9 emphasizes the requirement for a fintech startup to adopt continuous monitoring and apply appropriate security tools in safeguarding its ICT systems, resonating with proactive cybersecurity measures.

Implementing ICT Anomaly and Incident Detection Mechanisms

Financial entities shall have in place mechanisms to promptly detect anomalous activities… Article 10(1)

Article 10 underlines the necessity for the startup to have a robust detection system for ICT anomalies, which must integrate seamlessly with its multiple cloud service platforms to maintain comprehensive oversight.

Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Article 17(1)

The process delineated in Article 17 requires the startup to not only react to ICT-related incidents but also to pre-emptively set up mechanisms to manage potential threats, ensuring a ready stance for incident management.

Digital Operational Resilience Testing

…establish, maintain and review a sound and comprehensive digital operational resilience testing programme… Article 24(1)

Article 24 mandates that the startup institutionalize a rigorous testing program that regularly assesses and bolsters its ICT-related preparedness, including scrutiny of the systems hosted by cloud providers.

Advanced Threat-Led Penetration Testing (TLPT)

Where ICT third-party service providers are included in the scope of TLPT, the financial entity shall take the necessary measures and safeguards… Article 26(3)

Article 26 places responsibility on our client to include cloud service providers within the scope of TLPT and to orchestrate their participation, moving beyond mere compliance toward active risk mitigation.

Managing Third-Party ICT Risks

Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework… Article 28(1)

Article 28 requires the startup to integrate the risks stemming from cloud service providers into its broader ICT risk management, ensuring a holistic approach to digital resilience.

Assessing ICT Concentration Risk

Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers… Article 29(1)

Article 29 advises the startup to conduct comprehensive assessments of ICT concentration risks, taking into account its reliance on various cloud service providers and balancing this against the entity’s strategic goals.

Key Contractual Provisions with Cloud Service Providers

The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. Article 30(1)

As per Article 30, the startup must ensure that contracts with its cloud service providers include precise terms and conditions that define the responsibilities and rights of each party, forming a basis for clarity and accountability.

Enhancing Cyber Threat Intelligence Sharing

Financial entities may exchange amongst themselves cyber threat information and intelligence… Article 45(1)

Through Article 45, the startup is encouraged to participate in information-sharing networks, where collaboration on cyber threat intelligence can lead to an augmented defense capability across the financial services industry.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

The following supplemental answer expands upon previously provided guidance to further assist the fintech startup in aligning with DORA's ICT risk management requirements. This addendum integrates relevant insights from supplementary legal documents, providing a more detailed approach to managing cloud service provider relationships and other aspects fundamental to operational resilience.

Legal trace

Establishing Standards and Resources for ICT Service Providers

…expertise and adequate financial, human and technical resources, information-security, appropriate organisational structure, including risk management, and internal controls that the ICT third party service providers should have in place. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 9

This quote stresses the importance of ensuring that cloud service providers engaged by the fintech startup have the necessary expertise, resources, and organizational structures in place to manage ICT risks effectively. These are prerequisites in the selection process, aligning with the ICT risk management framework proposed by DORA, to anticipate and mitigate potential ICT-related threats.

Developing and Managing ICT Service Use Lifecycles

The policy referred to in paragraph 1 shall define or refer to a methodology for determining which ICT services support critical or important functions. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 11

Implementing a clear methodology to differentiate ICT services that support critical or important functions is essential. It allows the fintech startup to concentrate risk management efforts on areas with the highest potential impact, consistent with DORA’s requirement for a resilient ICT framework.

Performance Assessment and Compliance Monitoring of ICT Providers

…to assess the performance of ICT third-party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity’s relevant policies and procedures. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 17

It is critical for the startup to monitor its cloud service providers’ performance continually, especially concerning data confidentiality and integrity. This proactive monitoring is a core aspect of the comprehensive risk management practice that DORA advocates.

Formulating and Testing ICT Exit Strategies

…include requirements for a documented exit plan for each ICT contractual arrangement on ICT services supporting critical or important functions provided by an ICT third-party service provider and its periodic review and testing. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 18

The fintech startup must ensure that there are well-documented exit plans for all contract arrangements with third-party ICT service providers. This strategy is a safeguard recommended by DORA for maintaining continuous financial services in the event of a service provider change or interruption.

Multi-Element Due Diligence and Risk Assessment Approaches

Financial entities shall consider the scope and limitations of the elements listed in paragraph 3(a) and where appropriate, more than one element shall be used. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 14

Emphasizing the need for due diligence that incorporates multiple assessment elements helps ensure the fintech startup’s thorough evaluation of third-party cloud service providers. This multi-faceted approach aligns with DORA’s recommendations for a comprehensive ICT risk management strategy.

Alignment with Policy on Use of ICT Service

…the policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers shall specify the requirements for each main phase of the lifecycle of the use of such ICT services. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 12

Aligning the startup’s policies with those of its ICT service providers throughout the entire service lifecycle ensures all critical functions are adequately supported. This is in harmony with DORA’s objective of ICT risk management throughout every stage of service provision, thus enhancing the startup’s overall digital operational resilience.