DORA or not to DORA – What Next for UK Banks?

Will DORA Affect UK Banks and Building Societies?

As DORA becomes a critical regulatory benchmark within the EU, a key question arises for UK-based banks and building societies: Will they be impacted by the compliance requirements of DORA? This question is particularly interesting given the post-Brexit regulatory landscape and the UK’s approach to financial regulation.

Whilst it’s the responsibility of every FS organisation to determine its own exposure, every firm must address operational resilience. 

The UK’s Road to Resilience

What started as smart talk around the urgency to defend banks from cyber threats and risks of all size has now hardened into a mandatory piece of legislation that will affect how banks operate. In as early as 2018, the Financial Conduct Authority, or FCA, has been declaring that operational resilience will become defaulted and enforced under regulatory change. Resilience is not just a synonym for tightened security either – although it can be tempting to make costly assumptions that operational resilience is just another way to frame security measures.

Operational resilience, as seen by UK regulators, is a cornerstone to financial stability. But what does it actually mean?

The Bank of England (BoE) defines operational resilience simply as the following:

“We mean the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them.”

Importantly, the meaning extends into business continuity and disaster recovery. So, under these new regulations, firms will be expected to deliver business as usual regardless of any type of disruption. This might include:

• Cyber-attacks (include cyber warfare)
• System downtime, outages and other unscheduled failures
• Third-party supplier troubles
• Naturally occurring hazards and risks, such as severe weather patterns or a pandemic

Cyber security controls are still expected, but operational resilience is an extension to the ways businesses define, mitigate, and control risk varieties. Under this new scope, UK financial services providers will need greater diligence in planning to grapple with modern, highly disruptive forces.

DORA vs UK’s Operational Resilience Objectives

Many of the strategic requirements in the UK to meet resilience standards, at first glance, appear to be the same with expectations outlined by DORA. Critically, here in the UK, the operational resilience timeline explains why DORA might not apply to your firm.

Since 2018, UK financial regulators have been hardening their approach to operational resilience. Consequently, the proposed regulation for 2025 in the UK shares many similarities with DORA, including:

• Operational Resilience Requirements (i.e. SS1/21)
• Testing as a requirement (such as the Bank of England’s pioneered CBEST assessment)
• Incident reporting (new frameworks will exist to capture operational incidents)
• Third-Party Risk Management
• Review of third-party suppliers

When UK regulators drafted new policy in the area of operational resilience, many critical requirements became interoperable with overseas frameworks (like DORA). The international cooperation with Bank of England and overseas counterparts remains firmly bonded, where standard-setting and mindful regulation is paving the way for more globally resilient financial institutions.

Why Now?

Compliance is a constant boiling pot of ideas, deadlines, and calls to tighten how regulated industries operate and modernise. Official, regulated guidance, whether it’s best practice or mandated, exists to safeguard, defend, secure, and protect a business, its users, and other organisations downwind in a supply chain. In recent years, resilience has been enshrined in this kind of regulation, making it one of the most talked-about subjects in boardrooms across the world.

Why?

As the threat landscape widens, attacks become smarter, more voracious, and targeted, and the cost of a successful invasion is now enough to take down a business, the urgency of resilience has grown as a key priority. Regulators are keenly alerted to this trend and perhaps even more alarmed by the possible harm from disruption as the world saw after the COVID-19 pandemic. The knock-on effect after IT systems become compromised can be devasting, as disruption ripples outward, impacting a wider supply chain. If, for example, a financial services provider became corrupted, users could be affected with costly ramifications, or a bad actor could deepen their attack on the sector, related suppliers, and so forth until there’s a negative impact on the global economy.

DORA, and its UK counterpart, is enforcing operational resilience and how organisations stand up to modern threats like cyber-attacks, data leaks, human errors, and system vulnerabilities. When adhered to, these Acts will, in theory, only serve to strengthen the security of the wider financial services landscape, ensuring stability and resilience in the face of uncertainty and disruption.

It doesn’t end on strict adherence to resilience objectives, but rather DORA’s literature points to intelligence sharing, a kind of open communication, as a possible way forward. Whilst strictly optional, a community of shared risk intelligence, against the likes of prominent cyber threats, is no bad thing. It’s actually the opposite: a brave new world where the risks of digitation become a problem halved through the science of collaboration.

Operational resilience has always been best practice, but will start to be explicitly regulated in 2025.

The journey to compliance is still a long, winding road for many.

Operational Resilience by Example 

A close technology partner to Darlington Building Society, CSI helped this national financial services provider embrace the digital economy with scalable, secure cloud solutions.

Speaking about the relationship, our client had this to say:

Following the successful cloud migration, we are looking forward to a strong future relationship as we continue to grow and invest in our digital future.

You can read the full story here. 

Achieve Resilience with CSI

Regardless of whether or not DORA applies – operational resilience will influence your business in the next year. To remain complaint, financial services providers will need to meet and overachieve these objectives – from rigorous testing, to mapping out response plans to critical (and highly disruptive) incidents and remaining operationally online.

For proactive, complaint financial service providers, operational resilience requirements can be seen as an opportunity to tighten operational values and become more hardened against the disruptive forces outside your business. Operational resilience underpins, with substantial weight, the UK’s attitude towards it banking ecosystem: even the slightest wave of disruption, if effective, could impede the productivity of one the nation’s most critical industries. Once agile and robust, banks are encouraged to future proof through this new compliance.

In conversation with banks, building societies and investment firms, CSI’s FS specialists and analysts have been, for decades, working toward the goal of building profitable and resilient operations. Whether that’s through high-performance IT solutions, scalable storage, or beyond, we can help.

Get in touch today for a no-obligation chat with our specialists and find the support and advice you’re looking for. We’ve been trusted advisors to UK banks for decades – helping customers like Darlington Building Society unlock more value from technology.