By Ali Moinuddin, Managing Director of Europe, Uptime Institute
Operational resilience has always been a priority for financial-sector institutions (FSIs), but the sector’s current efforts have attracted the attention of policymakers worldwide, who are introducing new regulations to raise the bar. Although the financial-services sector invests more in digital operational resiliency than most, FSIs still experience outages that are disproportionally disruptive and expensive.
In fact, recent Uptime Institute Intelligence research shows that 77 percent of financial entities suffered an outage in the past three years; nearly one-third reported experiencing an outage they believed to be serious or severe.1 How does this compare to downtime incidents across all sectors? At 31 percent, FSIs accounted for a substantially larger proportion of significant, publicly reported outages between 2019 and 2021 than any other industry.2
One major factor contributing to these outage challenges is the sector’s ongoing and increasing adoption of hybrid infrastructure, making FSIs’ IT (information technology) operations more distributed and complex than ever before. Financial firms’ IT estates often span their own enterprise data centers, colocation (colo) facilities, cloud deployments, SaaS (software as a service) solutions, and information and communications technology (ICT) service providers. Complexity at this scale breeds inevitable but untenable infrastructure and operations risks, especially for vital institutions—the services on which millions depend.
As FSIs have become increasingly dependent on complex, distributed computer infrastructure, some ICT-related third-party service providers (TSPs) have introduced pervasive, systemic risks. According to our latest research, nearly 40 percent of organizations have experienced an IT service outage caused by a problem with an external service provider.3 Historically, these third parties have had limited legal responsibilities for outages and can be particularly difficult to audit, assess or otherwise hold accountable for outages and the risks that cause them.
Operational-resiliency regulations expand
Government concerns about the sector’s digital-infrastructure resiliency have passed the tipping point. The ongoing prevalence of financial-services outages and the massive level of disruption they can cause have served as a catalyst for regulatory action and the dawn of a new regulatory environment for FSIs and the cloud and IT service providers upon which they depend.
Europe has historically taken the lead in proposing new initiatives and legislation to limit risk and enforce accountability, with the well-known General Data Protection Regulation (GDPR) for data privacy and the Directive on Security of Network and Information Systems (NIS), among others.
In 2019, the European Banking Authority (EBA) published its final revised Guidelines on Outsourcing Arrangements (EBA Guidelines).4 That same year, those guidelines became part of the regulatory framework addressed to competent authorities (CAs), including the European Central Bank (ECB), all European Union (EU) domestic regulators and all regulated entities operating in their respective markets. This regulation applied to banks, insurance companies, credit institutions, payment institutions and electronic-money institutions.
The EBA Guidelines focus on the operational risk of outsourcing critical or even important functions and services, which should not be undertaken in such a way as to impair materially the quality of an FSI’s internal control and the ability of CAs to monitor the firm’s compliance with all obligations. The guidelines make it clear that financial-sector CAs should require robust IT estate-management practices, that the overall sector’s approach to IT infrastructure risk management must include all IT service partners, and that outsourcing a function or service to a third-party provider does not relieve the FSI of its regulatory obligations or responsibilities to its customers.
Since the EBA Guidelines became part of the regulatory framework, FSIs are obliged to conduct regular assessments of their IT estates, including third-party suppliers.
More recently, the EU outlined plans to consolidate and upgrade ICT-risk requirements. The new draft EU regulation on digital-operational resilience for the financial sector, known as the Digital Operational Resilience Act (DORA), will further reform operational-risk and risk-management requirements in EU financial services.
Proposed in September 2020 and expected to pass in 2022, DORA is the tip of the spear in an expanding global effort to reduce the risks presented by the financial sector’s growing reliance on third-party technology and digital-services providers. Although the aforementioned EU regulations and others do impact digital-infrastructure resiliency, they’re often patchy, overlapping and inconsistent—and they lack sufficient supervisory authority over TSPs.
DORA means that FSIs can no longer outsource their outage risk to colocation, cloud, SaaS or other ICT service partners. It seeks to fill the oversight gap and quell the systemic risk caused therein by placing ICT providers under financial regulators’ authority for the first time. Not only will European supervisory authorities (ESAs) have direct regulatory oversight of critical ICT suppliers, but they will also have the power to request information, conduct site inspections, make recommendations and even impose sanctions for noncompliance.
Core to this new regulation is an oversight framework for critical ICT third-party providers (CTPPs). These organizations include cloud, software, analytics and data-center providers that deliver services supporting vital aspects of the financial sector. Which TSPs regulators will consider “critical” depends on criteria noted within the proposed legislation, including whether there would be a “systemic impact on the stability, continuity or quality of the provision of financial services if the TSP were to experience a large-scale operational failure,” for example.5
Once DORA passes, an ESA overseer will be assigned to each CTPP. Its aim will be to inspect every aspect of IT-operational resiliency, both of end-to-end financial services and individual companies. These supervisory authorities will work to identify any risks that could compromise the availability of the financial network, whether related to system malfunctions or failures, cybersecurity or physical disruptions.
The annual operational-resilience assessments will involve reviews of critical software, security processes and more, as well as verification of pertinent operational documentation, such as certifications, designs, training programs or even electrical diagrams. Based on the investigation results, the overseer will instruct CTPPs to resolve any areas of concern. EU supervisory authorities can even work with financial regulators to halt or terminate a CTPP’s customer contracts if the assessment finds risks that could damage the financial sector’s stability.
DORA measures the severity of an IT incident using a range of criteria (with yet-to-be-announced thresholds), including the duration, how many users it affected and their geographic distribution, the economic impact and more. The legislation requires that any FSI that experiences a significant outage or incident due to their CTPPs must notify the appropriate supervisory authority before the end of the business day, followed by an updated report and, ultimately, a final report with in-depth information on the impacts of the event. As such, FSIs must develop and implement new processes for closely monitoring these elements and notifying regulators quickly following a verified “major” incident.
DORA’s daunting challenges
Interinstitutional negotiations (trilogue) started in early 2022 and will take 12 to 18 months to complete. Once DORA’s regulatory requirements come into effect, FSIs and third-party digital services companies have one full year to achieve compliance. Some have closely watched this legislation from the start and have already begun taking steps to prepare, but many will be pressed for time in any case, given the amount of work required before the deadline.
Noncompliance will mean a daily fine lasting up to six months and equal to 1 percent of the company’s average daily worldwide revenue from the previous year. For example, for an organization with annual sales of $10 billion, failing to comply with DORA’s requirements could cost $275,000 per day—or roughly $50 million after six months. Financial-sector organizations will not escape this new degree of regulatory oversight, and FSIs and individuals employed by them may be sanctioned.
Therefore, it’s no longer enough to simply conduct risk evaluations for cloud, colo and SaaS partners during the vendor-selection process. To maintain compliance, FSIs must conduct comprehensive evaluations of service providers and their facilities around the world on an ongoing basis. This will likely put an immense strain on existing ICT and data-center infrastructure teams and will require FSIs to augment existing resources with the expertise and processes needed to get the job done.
Ongoing audits to measure and reduce risk within owned and third-party ICT infrastructure are critical pieces of the puzzle, but FSIs will also need to ensure they can provide evidence of these audits for regulatory-filing requirements. This means assembling documentation throughout the process, showing that the data centers and IT infrastructure powering critical services are designed, built and operated to meet strict resiliency standards.
Although DORA targets organizations doing business in the EU, financial-sector participants operating in other countries should take note. DORA’s requirements will also affect ICT TSP organizations and banking intuitions globally. As GDPR and more recent operational-resiliency and third-party-outsourcing regulations have demonstrated, policymakers worldwide often look to landmark legislation as a guiding framework for their own equivalent regulations or require conformance to it in their own countries.
As a matter of fact, current regulatory initiatives have already sparked a new focus on improving risk-management practices and minimizing outages within the financial sector. These requirements are already spreading across the globe, with similar statutes from the Federal Reserve (the Fed) and the Office of the Comptroller of the Currency (OCC) in the United States, the Monetary Authority of Singapore (MAS) and the China Banking and Insurance Regulatory Commission (CBIRC).
FSIs that fall within DORA’s jurisdiction should focus on developing a strategy for compliance and a concrete plan for conducting ongoing risk audits across all areas of their global IT estate—whether owned or outsourced. The rest of the global financial sector must pay close attention as DORA rolls out and begins the groundwork to address similar policies that are sure to appear around the world. More financial-sector digital-resiliency regulations are coming. Are you prepared?
1 Uptime Institute: “2020 Data Center Industry Survey Results.”
2 Uptime Institute: Abnormal Incident Report (AIRs) database of publicly reported outages.
3 Uptime Institute: “2021 Data Center Industry Survey Results.”
4 European Banking Authority (EBA): EBA Guidelines.
5 European Commission (EC): DORA proposal (section 2, article 29).