The upcoming implementation of the EU’s Digital Operational Resilience Act (DORA) is expected to compel sell-side firms to make substantial adjustments to their third-party risk management software and strategies, according to a recent survey.
Conducted by software vendor Acuity and operational outsourcing provider Compass Partners, the study highlights a concerning lack of awareness and preparation among sell-side firms regarding the upcoming challenges posed by the EU regulation. The Act aims to enhance the European financial services sector’s resilience against cyber attacks and IT incidents, set to take effect in January 2025.
A major challenge for firms will be ensuring they possess the necessary operational resources to analyze cyber threats and comply with the Act’s reporting requirements. DORA will directly affect over 20,000 regulated entities, requiring them to map their relationships with third parties, including critical ICT providers. Consequently, for various buy-side firms, such as hedge funds and proprietary trading firms, this legislation will serve as a catalyst for formalizing their third-party risk management processes.
Unfortunately, the study indicates a significant lack of awareness among these firms, with 80% of proprietary trading firms in the UK or EU either uninformed about DORA or believing it does not pertain to them. Additionally, few firms on either the buy-side or sell-side currently meet the complete requirements of the Act. Specific weaknesses identified include inadequate frequency of reviews of third-party relationships and exit strategies for critical vendors.
As a result, the study anticipates that 90% of firms will increase their investments in risk management technology or outsourcing. “With just over a year until implementation, firms across the market have considerable work ahead to prepare for DORA,” stated Will Mitting, founder of Acuiti. “The data indicates that many firms are ill-prepared and will face significant challenges in establishing effective processes and frameworks, as well as a functional target operating model,” added Neil McDonald, managing partner at Compass Partners. “As always, data quality and system feeds ensuring accurate mapping will also be critical challenges.”