Your MSSP should be DORA compliant

One of the key outcomes of DORA is the oversight of Critical ICT Third Party Service Providers with the objective of ensuring that large, multi-tenant platforms (such as those offered by public cloud providers like AWS or Azure) that serve multiple financial organisations are also resilient in the face of ICT risks. Should one of these critical providers fail, they risk disrupting multiple financial services organisations that could ultimately cause the destabilisation of the European financial markets. 

DORA has defined an initial set of criteria for determining which ICT service providers should fall in scope for oversight; however, the mandate also introduces a reporting mechanism whereby financial services organisations regularly disclose who their third-party service providers are and which financial services functions (or critical functions) those providers support, opening the door to wider oversight at a later point. Achieving compliance as a Critical ICT Service Provider is not trivial: the provider must maintain a European presence, pay Oversight fees and agree to hefty penalties for non-compliance.

ICT Service Providers Supporting Critical Functions 

At present, most MSSPs do not meet all of the initial criteria to be classified as a Critical ICT Service Provider because: 

  • An operational failure at an MSSP does not necessarily translate into an operational failure at the financial services organisations that they support.
  • MSSPs can be substituted from a large, competitive market of providers and are relatively easy to change.
  • The criteria require the MSSP to support financial services organisations across more than one EU member state.

Although most (if not all) MSSPs are not subject to Oversight under DORA, they are still considered ICT Third Party Service Providers that support critical or important functions of the financial services organisation. It would be difficult to argue that cybersecurity is not at least an important function of the financial entity. The financial entity will need to complete a specific report template that records all of its ICT Third Party Service Providers, explains which functions they perform and provides details of the contractual arrangements. In this template, MSSPs are identified under the category “SO4 – ICT Security Management Services”, so they are definitely on the regulator's radar.

Outsourcing Critical and Important Functions to MSSPs 

DORA’s high-level regulation is supported by a number of Regulatory Technical Standards, so it is essential that financial organisations (and the MSSPs that support them) reference all the documents when mapping their compliance with the requirements.

At Talanos, we support a number of financial services organisations with exposure to Europe where DORA is certainly applicable and we've worked through the regulations and supporting RTS, cover to cover, to identify how we can help them to achieve and maintain their compliance and in some cases take ownership of the requirement on their behalf. We've mapped the regulation and requirements into a handy whitepaper so that:

  • we're clear with our customers about how we as their MSSP can take responsibility for the critical and important functions assigned to us;
  • our financial services customers understand how we can support them in becoming compliant; and
  • prospective customers can benchmark our services against other MSSPs who perhaps do not take compliance as seriously.

Download the Navigating DORA Compliance Whitepaper

Whilst always retaining accountability, financial services organisations should look to MSSPs to support them in becoming compliant with the DORA regulations and use a RASCI model to assign clear roles and responsibilities.

Talanos have assigned, across the DORA Chapters, the responsibility of the MSSP in helping their financial services customers to become compliant using: (R)esponsible, (A)ccountable, (S)upporting, (C)onsulted and (I)nformed. For example:

Article: 15

Description: The ESAs shall, through the Joint Committee, in consultation with the European Union Agency on Cybersecurity (ENISA), develop common draft regulatory technical standards in order to:

  1. specify further elements to be included in the ICT security policies, procedures, protocols and tools referred to in Article 9(2), with a view to ensuring the security of networks, enable adequate safeguards against intrusions and data misuse, preserve the availability, authenticity, integrity and confidentiality of data, including cryptographic techniques, and guarantee an accurate and prompt data transmission without major disruptions and undue delays;
  2. develop further components of the controls of access management rights referred to in Article 9(4), point (c), and associated human resource policy specifying access rights, procedures for granting and revoking rights, monitoring anomalous behaviour in relation to ICT risk through appropriate indicators, including for network use patterns, hours, IT activity and unknown devices;
  3. develop further the mechanisms specified in Article 10(1) enabling a prompt detection of anomalous activities and the criteria set out in Article 10(2) triggering ICT-related incident detection and response processes;
  4. specify further the components of the ICT business continuity policy referred to in Article 11(1);
  5. specify further the testing of ICT business continuity plans referred to in Article 11(6) to ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly considers the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider and, where relevant, the political risks in the respective providers’ jurisdictions;
  6. specify further the components of the ICT response and recovery plans referred to in Article 11(3);
  7. specify further the content and format of the report on the review of the ICT risk management framework referred to in Article 6(5).

MSSP Responsibility: Responsible and/or Informed

The MSSP should, together with the financial entity that it supports, review all of the technical standards to ensure compliance with the DORA regulation.

For example, Article 19 (1b) expects financial entities to ensure that their security policies are shared with and reviewed by third-party ICT providers. Article 13 expects that firewall rules are reviewed every 6 months. These are informational responsibilities imposed on the MSSP.

Processes or requirements that have been outsourced to the MSSP should be included in the contractual agreements and measured against strict performance criteria, ensuring that the MSSP holds overall responsibility (even though ultimate accountability rests with the financial entity).
