Digital Operational Resilience Act – A Guide for Investment Managers

Compliance with DORA necessitates a multi-faceted approach for investment managers. This regulatory suite aims to bolster the financial sector's resilience to ICT risks, ensuring that entities like investment managers are well-equipped to manage, report, and mitigate ICT-related incidents and threats efficiently. Below is a comprehensive guide on what investment managers need to do to comply with these regulations.

Understanding the Regulatory Framework

The framework comprises four key documents, all issued on 10/1/2024, each addressing different facets of ICT risk management in the financial sector:

1. ICT Risk Management Framework (JC 2023_86)
2. Register of Information (JC 2023_85)
3. Policy on ICT Services (JC 2023_84)
4. Classification of Major Incidents (JC 2023_83)

Key Compliance Steps for Investment Managers

1. Establishing an ICT Risk Management Framework: Investment managers must develop and implement a robust ICT risk management framework, as detailed in JC 2023_86. This framework should include comprehensive policies and procedures for identifying, assessing, and mitigating ICT risks. Key elements include:

• Continuous risk assessment to identify and evaluate ICT risks.
• Implementation of protective measures to mitigate identified risks.
• Regular testing and auditing of ICT systems and processes.
• Development of incident response and recovery plans.

2. Maintaining a Register of Information: As outlined in JC 2023_85, investment managers are required to maintain a detailed register of all ICT-related incidents and threats, including information on third-party ICT service providers. This register serves as a vital tool for documenting incidents, facilitating analysis, and informing regulatory reporting. Investment managers should ensure that this register is regularly updated and easily accessible to relevant personnel and regulators.
3. Developing a Policy on the Use of ICT Services: Investment managers need to formulate a clear policy regarding the use of ICT services, especially those supporting critical or important functions provided by third-party service providers (JC 2023_84). This policy should cover:

• Risk assessment and due diligence processes for selecting and engaging with ICT service providers.
• Governance arrangements and internal controls related to third-party services.
• Contractual arrangements with ICT service providers, including rights to audit, data protection measures, and exit strategies.

4. Classification and Reporting of Major Incidents: JC 2023_83 mandates the classification of major ICT-related incidents based on their impact on the investment manager's operations and the wider financial market. Investment managers must:

• Develop criteria for classifying incidents as major, based on factors such as the impact on confidentiality, integrity, availability of data, and services.
• Establish protocols for internal reporting and management of major incidents.
• Ensure timely reporting of major incidents to regulatory authorities, following the predefined classification.

Implementation and Monitoring

To effectively implement these compliance steps, investment managers should:

• Allocate sufficient resources and assign clear responsibilities within the organisation for ICT risk management.
• Engage in continuous monitoring and regular review of the ICT risk management framework, policies, and procedures to ensure they remain effective and aligned with evolving regulatory requirements and ICT landscapes.
• Foster a culture of cybersecurity awareness and resilience among all employees, emphasising the importance of adhering to established ICT policies and procedures.

Conclusion

Compliance with the new regulatory framework requires a proactive and structured approach from investment managers. By establishing a comprehensive ICT risk management framework, maintaining a detailed register of information, developing clear policies on the use of ICT services, and effectively classifying and reporting major incidents, investment managers can not only meet regulatory requirements but also significantly enhance their operational resilience against ICT risks.