Firms across the sell-side are making significant changes to how they approach third-party risk management to meet the requirements of the EU’s Digital Operational Resilience Act (DORA), a new study from Acuiti has found. 

Third-Party Risk Management in the Time of DORA, which was released today and produced in partnership with Compass Partners, is based on a survey of executives at 106 firms predominantly from the sell-side. The report analyses the challenges that firms will face in meeting the requirements of DORA. 

The study found that the complexity of third-party risk management has increased dramatically over the past three years, driven by evolving regulation and the increased risk of cyber-attacks. 

DORA is the most significant new regulation that firms are facing with regards to TPRM and over nine in 10 sell-side respondents said that they will have to make major changes to how they manage third-party risk to meet the requirements.

These changes are focused on how they map, monitor and manage third-party relationships. Significant changes under DORA include the requirement to have exit strategies in place for critical vendors, something that currently only 17% of sell-side respondents had in place, and the mapping of Nth party relationships, something that only 39% of respondents currently did. 

DORA is set to redefine how financial firms interact with their third-party suppliers. The regulation is intended to ensure that firms have the operational resilience to deal with cyber-attacks and other issues threatening the operations of their information and communications technology stacks. 

DORA will apply to over 20,000 EU regulated entities and has an extra-territorial impact for any firms with operations or activities in the EU. For executives overseeing third-party risk management, DORA is the latest in a web of guidelines and regulation that is exponentially increasing the complexity of the role. 

For many firms, especially those on the buy-side, such as hedge funds and proprietary trading firms, DORA will be an entry point into formalised third-party risk management. 

As part of the study, Acuiti surveyed its asset management and proprietary trading networks on their levels of awareness and the challenges they face in adopting DORA. 

For proprietary trading executives, the challenge was one of awareness with 80% of respondents based in the EU or the UK saying that they were either unaware of DORA or were not impacted by it. As DORA applies to all Mifid II regulated firms, many of these firms will be in scope. 

Other key findings include: 

• The top challenges firms are facing in preparing for DORA include the operational resources required; the criteria to analyse threats and getting information from vendors

• While a majority of sell-side firms already map third-party relationships across their firm, the number that map nth party relationships, a key element of DORA, is much lower  

• Few firms currently meet the full requirements of DORA with exit strategies for critical vendors and the frequency of reviews of third-party relationships identified as key areas of weakness 

• Almost 90% of firms are increasing investment in third-party risk management to meet the requirements of DORA and other regulations and many are considering outsourcing management and compliance on a managed service basis

“With little over a year until implementation, there is significant work to be done by firms across the market to be ready for DORA,” says Will Mitting, founder of Acuiti. 

“Currently, the operational resources required to meet the requirements of DORA is the biggest challenge facing most firms in the market in terms of their preparations for compliance. The industry will need to work together with vendors to streamline processes such as information requests in order to reduce the operational burden.”

“Compass Partners are delighted to partner with Acuiti on this topic.” says Neil McDonald, Managing Partner at Compass Partners. “The data shows that a lot of firms are unprepared for DORA, and also face significant challenges in ensuring  fit for purpose processes and framework as well as a functional target operating model. As always, data quality and system feeds ensuring accurate mapping will also be a key challenge. Understanding 4th parties and associated risks, substitutability of critical vendors and testing of exit strategies will also add pressure points and complexity, stretching already limited resource. Compass Partners can help firms navigate these challenges and ultimately ensure regulatory compliance and best in class vendor management.”