- Asset managers must act now and adapt their outsourcing practices to comply with DORA, warns Ocorian, to avoid fines of up to €10 million or 5% of their company’s turnover
- Ocorian provides ‘top tips’ for asset managers on how they can comply by using existing practices
At the time of publication, 20 August 2024, fewer than five months remain until the EU's Digital Operational Resilience Act (DORA) applies, and it is poised to significantly reshape the landscape for regulated funds, warns Ocorian, a market leader in fund, corporate, capital market, private client, and regulatory and compliance services.
DORA will impact the EU financial sector and its service providers, as well as companies and entities outside the EU that provide services or do business with any financial market participants within the EU.
Ocorian warns asset managers who have not yet started preparing for DORA to act now or risk potential penalties of up to €10 million or 5% of their company's annual turnover once the regulation applies from 17 January 2025. DORA, part of the EU's Digital Finance Package, aims to harmonise cybersecurity requirements, mitigate ICT risk and raise digital operational resilience standards across the EU financial sector. Fund managers remain responsible for ensuring that their outsourced service providers meet DORA's requirements.
DORA’s impact on regulated funds across five key areas will include:
- Information and Communication Technology (ICT) risk management – identifying, assessing and controlling risks to ICT systems and infrastructure under a documented risk management framework
- Incident management – detecting, classifying, reporting, responding to and recovering from ICT-related incidents, with major incidents reported to the competent authority
- Digital operational resilience testing – testing ICT systems and processes at least annually to ensure they can withstand disruption, with threat-led penetration testing (TLPT) at least every three years for entities designated by their supervisor
- ICT third-party risk management – maintaining a register of information on all contractual arrangements with ICT third-party service providers, with particular attention to those supporting critical or important functions
- Information sharing – a voluntary arrangement under which financial entities may exchange cyber threat information and intelligence with each other
Asset managers who rely on service providers for critical or important functions need to adapt their outsourcing practices to comply with DORA, says Ocorian. DORA's obligations extend to third-party vendors, so asset managers must ensure that vendors maintain proper ICT risk management, carry out penetration testing and can evidence this to the asset manager and, where required, to regulators. Contracts with service providers need to set out DORA compliance expectations clearly, including incident reporting, information-sharing protocols, audit and access rights and exit strategies. Asset managers must then monitor their service providers' adherence to these requirements on an ongoing basis, not only at onboarding.
How to comply with DORA
- Identify a governance structure – DORA does not require a complete overhaul of your governance framework, so build on the risk management framework you already have in place and assign clear accountability for ICT risk at board level
- Leverage existing work – you will likely already hold a data asset or records-of-processing register to comply with GDPR, so use it as the starting point for DORA's ICT asset inventory requirement
- Identify gaps – prioritise your effort by mapping your current practices against DORA's requirements and focusing on the gaps, particularly in incident reporting and third-party contracts
- Existing certifications can help – an existing ISO certification (such as ISO/IEC 27001) can demonstrate your organisation's commitment to robust operational practices and provides evidence you can reuse
- Don't reinvent the wheel – you will already have a variety of tools in place for tasks like network monitoring, logging and firewalls, so use these as the technical basis for DORA compliance as well
Sharon Hodder, Head of Business Partnering – Technology, at Ocorian says: “While it might seem daunting at first, DORA compliance is achievable for asset managers through a pragmatic approach that leverages existing practices. By focusing on existing governance structures, leveraging GDPR efforts and identifying targeted gaps, firms can ensure compliance without a complete overhaul of their current practices.”
Stuart Geddes, Chief Information Officer, at Ocorian says: “The good news is that many fund administrators and service providers are ahead of the curve and already adhere to most aspects of DORA. Our regulatory and compliance experts – Bovill Newgate – are developing a new service to assist our clients and other institutions with achieving DORA compliance.”
About Ocorian Fund Services
Ocorian's fund services team delivers operational excellence across fund administration, AIFM, depositary and accounting services to the world's largest financial institutions as well as to dynamic start-up fund managers and boutique houses. Its team of over 300 funds specialists works across all major asset classes of alternative investment funds, including private equity, real estate, infrastructure, debt and venture capital, while its specialist Islamic Finance team is a leading provider of Sharia-compliant investment structures.
About Bovill Newgate, an Ocorian company
Bovill Newgate is an Ocorian company and a specialist financial services regulatory consultancy with a global offering across the UK, the Channel Islands, Singapore, Hong Kong, Mauritius and the Americas. The firm helps its clients meet complex and evolving regulatory obligations, providing certainty and peace of mind. Its clients are firms of every size across the financial services sector. Bovill Newgate supports its clients in managing regulatory change and dealing with regulatory scrutiny, including advising on regulatory change and financial crime prevention, preparing applications to regulators, building or enhancing regulatory frameworks, conducting compliance investigations or diagnostics, delivering training and fulfilling prescribed roles. Bovill Newgate has experts based across all the world's key financial centres who operate globally, acting as one team.