Q: What is DORA?
DORA stands for Digital Operational Resilience Act, an EU regulation that creates a new framework for the EU financial sector regarding information and communications technology (ICT).
DORA is part of the Digital Finance Package adopted by the European Commission on 24 September 2020.
The package comprises a digital finance strategy and legislative proposals on crypto-assets and on digital operational resilience for the EU financial sector. It supports the European Union's ambition for a recovery that embraces the digital transition: digital financial services are expected to help modernise the European economy across a range of sectors and to make Europe a global digital player.
Q: Who does DORA apply to?
DORA applies to financial institutions and service providers such as fund managers, including authorized alternative investment fund managers (AIFMs), but not subthreshold AIFMs.
The scope of the regulation is very wide. DORA applies to Luxembourg and other European entities in the financial and insurance sectors, including:
- Credit institutions
- Payment institutions, including those exempted under the amended Payment Services Directive (PSD2)
- Electronic money institutions, including those exempted under the E-Money Directive (EMD2)
- Investment firms
- Authorised crypto-asset service providers and issuers of asset-referenced tokens (under Regulation (EU) 2023/1114 on Markets in Crypto-Assets, MiCA)
- Alternative investment fund managers (AIFMs)
- Management companies of undertakings for collective investment in transferable securities (UCITS)
- Insurance and reinsurance undertakings
- ICT third-party service providers
- Luxembourg branches of the above entities
Q: Who enforces and checks DORA compliance?
For Luxembourg entities, compliance may be assessed by the Commission de Surveillance du Secteur Financier (CSSF) or by other competent authorities appointed by the CSSF to assist with specific technical requirements.
Q: Why is DORA important now?
DORA entered into force on January 16, 2023 and applies from January 17, 2025. Now is the time for European fund managers within its scope to assess what DORA means for them and to prepare.
Q: What does DORA cover?
DORA provides harmonised rules for digital operational resilience by establishing uniform requirements for the security of the network and information systems that support the business of financial entities.
DORA is divided into five core pillars that address different aspects or areas within ICT and cybersecurity, providing a comprehensive digital resilience framework for relevant organizations.
- ICT risk management
- Managing, classifying, and reporting ICT-related incidents
- Digital operational resilience testing
- Managing ICT third-party risks
- Information sharing arrangements
For fund managers, this means establishing an internal governance and control framework for ICT risk management. The management body must define, approve, oversee and remain accountable for all ICT risk management arrangements: the procedures for identifying and managing ICT risk, and the strategies, policies, procedures, ICT protocols and tools used to manage it. This includes (i) reporting and disclosure requirements in the event of an incident or of a new contract with a third-party ICT service provider; (ii) specific roles and new responsibilities within the fund manager; and (iii) mandates at board level. The board must also maintain sufficient knowledge and skills to understand and assess ICT risk and its impact on operations (e.g. specialist board members, specialist training).
Additionally, DORA establishes important new requirements regarding the terms of contracts with ICT service providers and the obligations of fund managers in the event of a breach by a service provider.
In summary, a fund manager will need:
- Written policies and risk assessments for ICT risk management, including:
  - a "digital operational resilience" strategy;
  - the rationale for ICT functions being provided by third-party service providers;
  - an inventory of all tasks, functions and staff that use ICT tools, updated annually;
  - change management for the network and information systems supporting business functions and for information assets;
  - the approvals required for changes to procedures or protocols;
  - business continuity, response and recovery planning;
  - a communication strategy for internal and external stakeholders and regulators.
- Regular staff training on assessing ICT risks and ensuring appropriate controls.
- Readiness for the CSSF to request policy and risk assessment documentation, and to monitor and require changes.
- Defined roles:
  - monitoring new arrangements with ICT service providers (can be performed by existing staff);
  - a control function for identifying ICT risk, independent from other ICT functions to prevent conflicts of interest;
  - an internal audit function for ICT risk (independent from other ICT functions; may be outsourced);
  - crisis management;
  - communication with the public and the media.
- Annual assessment of existing ICT systems, and assessment before connecting or adding new systems.
- Written policies and processes for ICT-related incidents:
  - recording ICT-related incidents;
  - reporting major ICT-related incidents to the competent authorities;
  - (voluntarily) notifying the competent authorities of significant cyber threats;
  - notifying clients/investors of threats that could affect them;
  - notifying clients/investors of incidents and of the measures taken to mitigate their impact.
- Annual testing of all ICT systems supporting critical or important functions, carried out by independent parties.
- Threat-led penetration testing (TLPT) at least every three years, where required by the competent authority.
- Reporting new or proposed contractual arrangements for the provision of ICT services by third parties to the competent authority.
- Contractual rights to terminate arrangements with third parties that provide or support critical or important functions.
Q: What is still outstanding?
The European Supervisory Authorities (EBA, EIOPA and ESMA) published their final report on the first set of regulatory technical standards in January 2024. The report clarifies the technical detail of what fund managers must comply with when designing and implementing the new framework.
Q: Are there any Luxembourg-specific laws yet?
The CSSF has published Circular 24/847 on ICT-related incident reporting, as a step towards DORA compliance.
The circular introduces a three-stage notification process (initial, intermediate and final notification) and sets out the timelines and the information required at each stage, aligned with the future DORA reporting requirements.
This Circular will be applicable to fund managers from June 1, 2024.
Q: What can fund managers do now?
Even once all the final details are published, there will be only limited time to implement the new framework. Now is the time to review existing processes and procedures.
Consider what has already been adjusted and what still needs to be reviewed and amended to ensure continuity of service delivery. This may include designing new procedures, creating new roles, and bringing ICT service agreements into line with the new requirements.
The team would like to thank Céline Moille for her contribution to this article.