Introducing the Lead Overseer Role
Following the DORA regulation, the three European Supervisory Authorities (ESAs) – the EBA, ESMA and EIOPA – have been designated as the “Lead Overseer” to supervise critical ICT third-party service providers. DORA is the first financial regulation encompassing ICT third-party providers.
FCG considers the initiative of the new Lead Overseer role a promising move on EU’s part, as compliance towards ICT third-party providers, historically, have proved difficult for financial institutions. An introduction of the Lead Overseer role has benefits but also risks. We have outlined potential benefits and areas of concern, identifying some of the emerging risk issues and examine possible future implications.
Tasks and Authorities of the Lead Overseer
A Lead Overseer is appointed with the objective to provide sufficient conditions for a comprehensive review of ICT risk of third-party vendors. The role incorporates the task of identifying risk towards individual financial institutions and to the entire financial ecosystem (concentration risk). Furthermore, the Lead Overseer will make recommendations on ICT risk issues and propose actions to protect the finance sector. Within the scope of their mandate, national authorities are part of the function and must follow the recommendations provided.
The ESA will, through a “Joint Committee”, designate the critical ICT third parties.The assessment of critical third parties are based on the system impact the provider has, e.g. by taking into account how many financial entities the providers supports, how many of these entities that are globally systemically important (G-SIIs) and how many that are systemically important in other ways (O-SIIs).
The Lead Overseer shall assess whether each critical ICT third-party service provider has a comprehensive, sound, and effective framework in place to address the ICT risks it may pose on financial entities. The framework should consist of rules, procedures, mechanisms, and arrangements that consider security, resilience (continuity) and risk management arrangements based on high standards of security, confidentiality, and data integrity. Furthermore, governance arrangements including an organizational structure with clear, transparent, and consistent liability rules enabling effective ICT risk management should be included. In addition, testing of ICT systems, infrastructure and ICT controls and audits should also be a part of the framework. These can be based on relevant national and international standards applicable to the provision of the provider’s ICT services to financial entities such as ISAE 3402, SAS-70, etc.
The powers of the Lead Overseer range from being able to request any relevant information and documentation, perform any general investigation and control (including physical controls), review any data or electronic information stored in ICT systems to seal premises and information during an investigation. In other words, the Lead Overseer holds a strong mandate towards the critical ICT third-party providers.
Furthermore, the Lead Overseer can develop recommendations concerning requirements, processes, security, strategies resilience plans, incident management and testing of ICT system, ICT infrastructure and ICT controls. Upon completion of supervisory activities, the Lead Overseer is able to request reports to review actions taken by the provider in relation to its recommendations. If the critical third-party providers do not comply with the requirements of the DORA regulation, the Lead Overseer may impose a periodic penalty payment up to 1% of the average daily worldwide turnover in the preceding business year (Article 31 (6)).
FCG’s Conclusion
FCG believes financial entities will benefit from the DORA regulation and the new Lead Overseer role, as the requirements across financial institutions and critical third-party vendors will be harmonized.
Furthermore, critical third parties will be audited by the Lead Overseer which ensures the future governance and management of risk management and information security. However, there is a down-side to this. The Lead Overseer also has the mandate to force a financial institute to, in-part or fully, cease usage of an ICT third-party provider triggering the “Exit plan”. A move that should not be underestimated, as significant investments towards the critical third-party vendor have been made by financial institutions and enforcing the exit plan will be a complex maneuver.
Likewise, third-party vendors to the financial industry are also struggling to prepare as it is difficult to predict how many, and which critical third-party vendors ESA will identify during their assessment.
To access more information please visit FCG’s DORA site.