DORA and Private Equity: Navigating the EU Cyber Resilience Act

It's easy to overlook the impact of innovation as it unfolds around us. Just think of the changes in the private equity sector within the last 10 to 15 years.

Have you noticed?

We’ve gone from building manual financial models and on-site due diligence to sophisticated investment management software, AI-driven analytics, blockchain for secure transactions, and AI-supported portfolio management apps.

Today, financial entities like fund management firms are integrated with third-party ICT (Information Communication Technology) services like business intelligence platforms, deal management software, payments apps, and what have you.

However, if not managed properly, this interconnectivity brings potential new risks, such as heightened vulnerability to cyberattacks and data breaches.

Following the 2023 ION cyber attack, European Central Bank executive board member Fabio Panetta said it was “vital” the global financial system’s partnership with third-party products and services be assessed.

The Italian economist explained:

An attack on these third parties or on their products and services can disrupt and harm the financial infrastructures that rely on them, with spillovers to interconnected entities.

For private equity firms, this means that the security of their customers’ investments and company data is only as strong as the third-parties they collaborate with – which brings us to DORA.

DORA, the Digital Operational Resilience Act, sets new standards for ensuring that all financial entities, including private equity firms, are resilient to ICT-related disruptions and cyber threats. As a fund manager or senior executive in private equity, here’s what you need to know.

Understanding the DORA and Its Impact

The European Union’s Digital Operational Resilience Act aims to ensure the operational resilience of digital systems within the financial sector.

While the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive) covered aspects of cyber security across various industries, the DORA specifically deals with the financial sector.

And this also means the private equity industry. It’s all about setting out important functions for financial entities, mapping ICT service dependencies, incident management, and threat intelligence. Basically, it’s a playbook for financial firms to withstand, respond to, and recover from ICT-related disruptions and threats. With a key deadline coming up in January 2025, it's estimated that the legislation will impact more than 22,000 financial entities.

Cyber Resilience Pillars for Private Equity Managers

The Digital Operational Resilience Act is built on pillars designed to ensure the integrity of outsourcing within the financial sector as well as business continuity. Here’s a quick summary of the five key pillars that directly impact fund managers and senior management within private equity firms:

ICT Risk Management and Governance

• Financial entities need to have an internal governance and control framework in place that ensures an effective management of ICT risks, the legislation states.
• The management body of a private equity firm is responsible for overseeing ICT management. It means people like directors, heads of investor relations, and fund managers will need to define, approve, and implement risk management and governance policies.
• An organization’s management needs to set clear roles and responsibilities for ICT-related functions.
• The ICT risk management framework must include strategies, policies, procedures, protocols, and tools necessary to adequately protect all information and ICT assets, including software, hardware, and servers.
• There should also be periodic reviews of ICT response and recovery plans.
• At a corporate level, providers of investment services and activities such as trading, portfolio management, and investment advice must establish clear reporting channels. This is to keep the organization well-informed about arrangements with ICT third-party service providers.
• Resources have to be devoted to detecting anomalies and monitoring user activity. 

Incident Response and Reporting 

• A communication and crisis management plan should be drawn up so that all relevant staff and external stakeholders are kept informed about incidents.
• Financial organizations must log, track, and categorize incidents.
• When restoring backup data, financial entities should use separate ICT systems that are completely independent of the affected systems.
• Critical incidents will require three types of reports to the competent authorities; an initial notification, an intermediate report about the response, and a final report analyzing the root cause. 

Digital Operational Resilience Testing

• Financial companies must complete risk-based testing of their ICT management systems and applications.
• Threat-led penetration testing (TLPT) must be carried out every three years by selected critical entities within the financial sector.
• If a financial entity uses its own internal staff to conduct TLPT, it must hire external testers for at least every third test.
• An entity’s ICT service providers must take part in TLPT. 

Third-Party Risk Management

• Financial companies are responsible for managing the risks of using third-party tech services.
• Banks and other financial organizations can only work with third-party ICT services that meet the appropriate information security standards.
• Financial institutions will also need to list and track all the third-party tech services they rely on.
• There has to be exit strategies in place to end a relationship with an ICT partner that does not meet requirements.
• A detailed list of all contracts with third-party ICT providers must be kept by UCITS management companies and other financial entities.
• Contracts with third-party providers may only be signed after due diligence and a risk assessment is completed. 

Information and Intelligence Sharing

• Financial institutions are encouraged to share cyber threat information to improve their digital resilience by raising awareness, limiting threat spread, and supporting defense and recovery.
• However, financial entities that do this must inform the relevant authorities when they join an information-sharing arrangement.

The DORA Timeline

To understand the DORA further and sufficiently prepare for the incoming EU regulations, it’s important to be aware of the following dates. 

• On September 24, 2020, the European Commission published the proposal for the DORA as part of a digital finance package.
• The DORA was then formally enacted and became effective on January 16, 2023, starting a two-year transition period for organizations to align with the new requirements.
• On January 17, 2025, the DORA will be fully applied. To support this transition, the three European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) – are developing a range of policy products to facilitate effective implementation. The ESAs will also oversee compliance and designate certain ICT service providers as CTPPs, or critical third party providers, based on their potential impact on the financial system.

Which Organizations Need to Follow the Rules?

The new EU framework aims to weave cyber security and ICT risk management into the fabric of financial entities' everyday operations. But what entities need to comply?

According to the legislation, the DORA applies to the following entities:

Investment Firms: UCITS management enterprises or entities that provide investment services and activities such as trading, portfolio management, and investment advice.

Credit Institutions: Banks and other institutions that accept deposits and provide credit.

Payment Institutions: Companies that offer payment services.

Account Information Service Providers: Firms or intermediary financial institutions authorized to access data on payment accounts held by a service user e.g. Money management apps.

Electronic Money Institutions: Companies that issue electronic money. E.g. payment platforms.

Crypto-Asset Service Providers: Firms authorized to offer services related to crypto-assets under the regulation on markets in crypto-assets.

Central Securities Depositories: Entities that provide infrastructure for securities settlements.

Central Counterparties: Organizations that act as intermediaries between buyers and sellers in derivative and securities markets.

Trading Venues: Platforms where financial instruments are traded, including regulated markets, multilateral trading facilities, and organized trading facilities.

Trade Repositories: Entities that collect and maintain the records of derivative transactions.

Managers of Alternative Investment Funds: Firms that manage alternative investment funds which include hedge funds, private equity, and real estate funds.

Management Companies: Companies that manage collective investment schemes.

Data Reporting Service Providers: Entities that provide services related to the reporting of financial transaction data.

Insurance and Reinsurance Undertakings: Firms that provide insurance and reinsurance services.

Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: Entities that act as intermediaries in the sale and service of insurance and reinsurance products.

Institutions for Occupational Retirement Provision: Organizations that manage pension schemes for employees.

Credit Rating Agencies: Firms that assess the creditworthiness of organizations and their financial instruments.

Administrators of Critical Benchmarks: Entities that provide critical financial benchmarks used in the pricing of financial instruments and contracts.

Crowdfunding Service Providers: Platforms that facilitate the raising of capital for projects or businesses through small contributions from a large number of people.

Securitization Repositories: Entities that collect and maintain records of securitization transactions.

ICT Third-Party Service Providers: Companies that provide information and communication technology services to financial entities.

The Role of EU Member States

Members of the EU play a crucial role in the DORA. Each country will be responsible for incorporating the legislation’s requirements into their national legal and oversight frameworks.National competent authorities in each member state, for example, BaFin in Germany, will have to work with the European Supervisory Authorities to monitor and ensure compliance.

Getting Ready for DORA

The DORA will affect the operations of both financial services and ICT third-party service providers. The burden of cyber resilience may mostly be with financial organizations. However, ICT providers have a significant role to play as well as obligations that may carry liability if not fulfilled.

For instance, if a bank’s cloud infrastructure is provided by a third-party tech company, then both groups will need to be proactive ahead of the upcoming deadline.

Here’s a quick checklist on how private equity firms and ICT third-party service providers can prepare for the January 17, 2025 deadline.

DORA Compliance Checklist for Private Equity Firms

1) Conduct Internal Audits: Financial entities can start by conducting internal audits to gauge their existing ICT risk management, identifying any gaps that need addressing.

2) Monitor Processes: Set up continuous monitoring processes to ensure that all ICT systems and practices remain compliant with DORA requirements. This involves regular checks and assessments to identify potential vulnerabilities.

3) Revise Contracts: Updating contractual arrangements with third-party ICT providers to include specific provisions for risk management, incident reporting, will be important for compliance.

4) Gather Information: Keep informed about any changes to the regulation. Remember, from 2025 the European Supervisory Authorities will oversee compliance.

DORA Compliance Checklist for Third-Party ICT Providers

1) Upgrade Security Infrastructure: For ICT partners, improving security infrastructure may mean investing in multi-factor authentication, advanced firewalls, and secure data encryption to ensure services run smoothly without interruption.

2) Stay Updated: It's essential to develop and implement strategies to stay compliant with evolving regulations, especially as a critical third party provider. From the middle of January 2025, CTPPs will be subject to rigorous oversight and regulation by the ESAs. This includes regular audits, inspections, and adherence to stringent risk management and cybersecurity standards.

3) Collaborative Testing: ICT providers should actively collaborate with their financial clients to perform joint resilience testing, such as threat-led penetration testing as required. These collaborative efforts can help in strengthening defenses against significant cyber threats.

We hope this helps in your understanding of the upcoming rules and regulations. Please note that this blog is provided as an update on the Digital Operational Resilience Act and should not be taken as legal advice.