By George Ralph, Global Managing Director & CRO at RFA, Michael Horvath, Partner – Regulatory Advisor at PwC, Vojtech Volf, Manager at PwC, Olivier Carre, Deputy Managing Partner, Technology & Transformation Leader at PwC as published in Insight Out #27
Today, information and communication technology (ICT) plays a vital role in the Private Equity industry, and the volume of data processed increases daily with no end in sight. So far, Alternative Investment Fund Managers (AIFMs) have been largely unscathed by regulation addressing the digital operational resilience of the services they provide and of their regulatory compliance. This will change with the EU's Digital Operational Resilience Act ("DORA").
From January 2025, around 22,000 EU regulated financial entities (e.g., banks, insurance companies, management companies, AIFMs, and, as expected, PSFs) will be required to comply with uniform regulatory standards that have two main objectives:
- In-scope entities will be required to build, assure, and review their operational integrity to ensure the continued provision and quality of their financial services, including throughout disruptions; and
- Limit the risk of contagion within the EU financial system by prescribing a harmonised, minimum standard of digital operational resilience.
Why is this relevant to your business?
Operational resilience will become a key requirement in the due diligence on any business relationship and investment in the EU. ICT matters have always been important, but under DORA resilience extends to the interlinkage between business functions, ICT assets (IT tools), information assets (data), and networks and communications (e.g., cloud services). As such, a Private Equity manager will both be subject to DORA due diligence and have to exercise DORA due diligence on investee companies and counterparties, including the cyber resilience required by Directive (EU) 2022/2555 (NIS2), which establishes a high, common level of cybersecurity across the Union. DORA therefore becomes a relevant investment risk or value driver, depending on the outcome of that due diligence.
What topics does DORA cover?
DORA establishes a set of new topics for AIFMs, as detailed below.
In particular, DORA's Governance requirements highlight the expectation that management at the local level has the skills, expertise, involvement, and understanding of ICT needed to oversee it. One of those requirements is the establishment of a new second-line control function for operational ICT risk.
What is the expectation of the CSSF?
The CSSF has already been very active in this area and has issued a dedicated DORA readiness questionnaire to a sizeable number of Luxembourg regulated financial entities, who were required to respond by the end of June 2023.
The CSSF requested information with respect to the following topics:
- Level of awareness with respect to DORA
- Results of any gap analysis with respect to DORA (if already performed; if not, when is it planned)
- Challenges expected with respect to DORA implementation
- Budget and resources allocated for DORA implementation
- Level of readiness for each of the DORA topics (rated 1 to 5)
DORA applies from January 2025 – how should you start?
DORA is an all-encompassing regulation that will challenge every organisation to its core. We recommend the following approach to our clients:
We recommend starting in 2023, as some of the foundations required for a successful DORA project need significant lead time, as do the business decisions on the service and business model set-up.
ICT Assets and Resilience
Practically speaking, digital operational resilience means that it is no longer enough for financial organisations to protect themselves; they must now actively withstand disruptions, incidents, and cyberattacks. DORA focuses on ensuring the reliability and trustworthiness of financial services even when things go wrong. It is about safeguarding assets such as data, software, and hardware, but it is more than that: DORA shifts the perspective so that defence alone is not the goal; the goal is resilience in the face of disruption.
As such, in-scope entities must not only protect their servers, cloud systems, and endpoints; they must also focus more on protecting their data. This is critical in the era of public cloud systems, data synchronisation services, and the shift to edge technology solutions.
At RFA we focus on proactively protecting user data, devices, and user behaviour to ensure these standards are not only met but exceeded. In-scope entities will, however, need to evidence this: no longer through reporting alone, but through the toolsets and structures mentioned above, in the form of risk management strategies embedded in their policies, procedures, protocols, and tools.
The structure and framework that firms implement will also need to be reviewed and updated at least annually, including evidence of the controls and procedures applied to third-party providers, and more frequently if there is a major change or an ICT-related incident.