AGEFI Luxembourg - April 2024

Financial IT

The DORA regulation: Starter Handbook

By Oriane KAESMANN, Research Manager, the LHoFT

In a bid to shield the financial sector from the ever-growing dangers brought on by digital vulnerabilities, the Digital Operational Resilience Act (DORA) emerges as a pivotal piece of legislation within the European Union's array of regulations. Slated for enforcement starting January 2025, DORA introduces a holistic framework that champions a cohesive strategy to bolster operational resilience, emphasizing the critical need for financial institutions to robustly confront and curtail risks associated with information and communication technologies. But it is more than just ticking boxes for compliance; adopting rigorous cybersecurity practices is a strategic necessity. It is about ensuring that financial organisations are not only equipped to endure but also swiftly bounce back from tech-related upheavals, thus preserving the fabric of market stability and maintaining consumer confidence.

As DORA approaches, compliance officers in finance must grasp and adapt to its wide-reaching mandates. This regulation affects everyone, from traditional financial mainstays to more unconventional players and third-party tech providers. It demands a proactive update to digital risk management tactics. By integrating DORA's requirements with current policies, compliance officers aren't just filling in the blanks – they are fortifying their organizations against digital threats. This journey towards compliance, while challenging, sets the stage for enhanced cybersecurity, governance, and incident response, reinforcing a durable infrastructure at the intersection of finance and technology.

This summary emphasizes elements of DORA crucial for compliance officers, suggesting a deeper exploration of the regulation (1) for a full grasp of its scope and implications.

Developing a Comprehensive Compliance Roadmap

With a focus on ensuring operational continuity amidst disruptions, DORA sets forth a uniform framework to address the challenges ushered in by increased digitalisation and interconnectedness in financial services. It mandates financial entities to establish resilient ICT risk management practices, thereby preserving market integrity and consumer confidence (2).

To navigate the complexities of DORA compliance, a structured roadmap tailored for compliance managers is imperative. This begins with a comprehensive review of existing practices, assessing their robustness against the regulation's requirements:

- Initial assessment: Conduct a thorough evaluation of current ICT risk management frameworks, policies, and procedures, along with existing third-party contracts.
- Gap identification: Map DORA's mandates against the entity's existing policies and practices to pinpoint areas of non-conformance or inadequacy.
- Action plan development: Formulate a strategic action plan to address the identified gaps, including timelines, responsible parties, and performance indicators to ensure effective implementation and compliance.
- Implementation and continuous improvement: Execute the previously defined plan with a focus on strengthening the entity's digital operational resilience. Regular monitoring and iterative improvements based on emerging technologies and evolving cyber threats are crucial to maintaining compliance and ensuring the effectiveness of the implemented measures.

Conducting a Thorough Gap Analysis

When performing the gap analysis to evaluate how your organisation's existing practices measure up against the rigorous standards outlined in DORA, it is essential to identify key areas to focus on:

- ICT risk management framework (3): first, evaluate the comprehensiveness and effectiveness of your organisation's policy in identifying, assessing, mitigating, and monitoring ICT risks; then assess whether your company has established a formal digital operational resilience strategy and testing program (4).
- Third-party risk management: review your organisation's policies and procedures for managing third-party ICT service providers, including due diligence, contract management, and oversight mechanisms (5); ensure that the company has appropriate controls in place to address ICT third-party risks and dependencies (6).
- Business continuity and incident response: evaluate the adequacy of the ICT business continuity plans, including provisions for critical functions outsourced to third-party service providers (7); assess the effectiveness of the incident response and recovery plans in relation to ICT-related incidents and disruptions (8).
- Access control and authentication mechanisms: review your organisation's access control policies and procedures to ensure that access to information assets and ICT systems is restricted to authorised personnel only (9); evaluate the strength and effectiveness of authentication mechanisms used to verify the identity of users accessing ICT systems and sensitive data (10).
- Change management and patch management: assess your company's change management processes to ensure that changes to ICT systems are controlled, documented, and tested before implementation (11); review your organisation's patch management practices (12) to ensure timely application of security patches and updates to address vulnerabilities in ICT systems.
- Training and awareness programs: evaluate the existence and effectiveness of ICT security awareness programs and digital operational resilience training for staff and management; ensure that employees are adequately trained to recognise and respond to ICT risks and incidents (13).

Leadership Oversight and Information Sharing

While implementing DORA in your organisation, it is essential to grasp the implications of this regulation in the realm of leadership engagement in ICT risk management. This component of the regulation elevates the responsibility of board members, executive leaders, and senior managers, highlighting the necessity for these leaders to possess a comprehensive understanding and capability to assess ICT risks and their potential impact on the organisation's operations (14). The active involvement of the management body (15) is essential in steering the ICT risk management framework and adapting the overall digital operational resilience strategy to emerging threats and technological advancements. According to Deloitte (16), this means that Boards and executive leaders will need to "be able to articulate how up-front costs are balanced out by having a more resilient operating model that stands up to increasing regulatory scrutiny over time".

Furthermore, the emphasis DORA places on the exchange of threat and vulnerability intelligence (17) presents a strategic opportunity to bolster your institution's defences against cyber threats. Engaging in collaborative information-sharing networks or platforms can provide valuable insights into emerging threats and best practices in risk mitigation, enhancing your institution's ability to pre-emptively address potential vulnerabilities and contributing to the overall resilience of the financial sector.

Conclusion

The introduction of DORA is a critical juncture in digital finance, urging financial institutions to adopt a proactive and agile compliance approach. This not only offers a competitive edge but also strengthens operational resilience and cybersecurity, enhancing market reputation, stakeholder confidence, and operational efficiency. This approach positions institutions as industry leaders, making resilience a fundamental aspect of their identity in the digital finance era.

Illustration: ©Midjourney

1) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (Last accessed: 28th of March 2024) https://lc.cx/ltX0w5
2) For more information: IBM "What is the Digital Operational Resilience Act (DORA)?" (Last accessed: 28th of March 2024) https://lc.cx/kFx2TI
3) See Article 6 of the Regulation on the "ICT risk management framework": "1. Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience."
4) See Article 6.8: "The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented".
5) See Article 28 on the "General principles" for a sound management of ICT third-party risk.
6) See Article 8 and 11.5.
7) See Article 11.4.
8) See Article 11.3: "As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews."
9) See Article 9.
10) See Article 9.4(d): "As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes;"
11) See Article 8.3: "Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets."
12) See Article 9.4(f): "As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have appropriate and comprehensive documented policies for patches and updates."
13) See Articles 5.2(d), 5.4, 13.6, and 16.1(h).
14) See Article 5.4: "Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed."
15) See Recital 45.
16) Suchitra Nair and Scott Martin (02 December 2022) "The EU Digital Operational Resilience Act (DORA) is here: what are its strategic implications for the Boards of FS firms?" (Last accessed: 28th of March 2024) https://lc.cx/l8ymx8
17) See Recital 34.

PwC Luxembourg and Microsoft launch GenAI Business Center

PwC Luxembourg, in collaboration with Microsoft, announces the launch of the GenAI Business Center, located at the PwC Experience Center in Luxembourg. This groundbreaking and exclusive collaboration marks a significant investment by both companies in helping people and organisations thrive with artificial intelligence (AI). The Business Center will start gradually opening in April 2024.

This follows PwC's global strategic collaboration with Microsoft creating scalable offerings using Microsoft Azure OpenAI Service and Copilot for Microsoft 365 to help support clients in reimagining their organisations. PwC earlier in 2023 also invested, through its industry-leading relationship with Microsoft, over €1bn globally to expand and scale artificial intelligence (AI) and drive human-led, tech-powered transformation.

The GenAI Business Center is designed to be a state-of-the-art hub for innovation, highlighting how the integration of PwC's industry expertise with Microsoft's advanced AI and technology solutions can come together to address complex business challenges and unlock new opportunities, allowing companies to become more innovative, resilient, and adaptable. The center will feature:

- Executive Engagement and Thought Leadership: Strategic sessions for business leaders to engage with experts from PwC and Microsoft;
- Industry Scenarios and GenAI Demonstrations: Demonstrations tailored to specific industry needs;
- Collaborative Innovation Workshops: Leveraging PwC's Experience Center methodology to foster creativity and co-creation;
- GenAI Hackathons: Events to catalyse innovation and develop new business models;
- Showcasing Success Stories: Real-world examples of technology and strategic consulting driving business outcomes.

The GenAI Business Center will explore key Microsoft technologies, including Azure OpenAI Service, Azure Cognitive Services, Azure AI Studio, Microsoft Fabric, Microsoft 365 Copilot, Copilot Studio, Power Platform, Microsoft Dynamics 365 Sales Copilot as well as Copilot for Finance. Through the PwC Luxembourg GenAI Business Center, enabled by Microsoft, PwC is turning its AI experience and knowledge into business outcomes for its clients. The new Center will help boost GenAI adoption, driving the necessary investment returns in a safe and secure way.

This comes at a time of huge opportunity for businesses but also at a time when technology needs to be applied with great responsibility. PwC Luxembourg and Microsoft are committed to providing the necessary resources and expertise to ensure the success of the GenAI Business Center. This collaboration represents a shared vision for the future of AI in business, driving growth, innovation, and sustained outcomes with trustworthy and responsible AI applications.

Bjoern Ebert, Financial Services Leader, PwC Luxembourg, says: "By merging PwC's industry expertise with Microsoft's cutting-edge AI solutions, the GenAI Business Center will serve as a beacon of innovation, offering integrated business solutions, executive engagement opportunities, and tailored industry scenarios. Together, we aim to drive transformative outcomes, accelerate digital transformation, and foster a culture of innovation that propels businesses forward."

Patrice Witz, Technology Partner and Digital Leader, PwC Luxembourg, says: "Strengthening partnerships with leading tech firms such as Microsoft, to explore how Generative AI can accelerate business value and enhance customer as well as employee experience is paramount. Yet, our commitment extends beyond technological advancement, with a core focus on making (Gen)AI responsible."

Marijke Schroos, General Manager of Microsoft in Belgium and Luxembourg, says: "We are delighted with the substantial investment PwC is making in AI within the Luxembourgish market. This investment is poised to drive transformative change for our shared customers, spanning both the private and public sectors. Aligning with PwC's insights from business leaders in Luxembourg, we recognise that Generative AI will yield positive economic impacts."

GenAI Business Center: https://www.pwc.lu/en/generative-ai-business-centre.html
