Firms across the sell-side are making significant changes to how they approach third-party risk management (TPRM) to meet the requirements of the EU’s Digital Operational Resilience Act (DORA), a new study from Acuiti has found.
The study report, ‘Third-Party Risk Management in the Time of DORA’, was produced in partnership with Compass Partners and is based on a survey of executives at 106 firms predominantly from the sell-side. The report analyses the challenges that firms will face in meeting the requirements of DORA.
The study found that the complexity of third-party risk management has increased dramatically over the past three years, driven by evolving regulation and the increased risk of cyber attacks.
DORA is the most significant new regulation that firms are facing with regard to TPRM, and over nine in ten sell-side respondents said that they will have to make major changes to how they manage third-party risk to meet its requirements. These changes are focused on how they map, monitor, and manage third-party relationships.
Significant changes under DORA include the requirement to have exit strategies in place for critical vendors, something that currently only 17% of sell-side respondents had in place, and the mapping of ‘Nth party’ relationships, something that only 39% of respondents currently did.
For many firms, especially those on the buy-side, such as hedge funds and proprietary trading firms, DORA will be an entry point into formalised third-party risk management.
As part of the study, Acuiti surveyed its asset management and proprietary trading networks on their levels of awareness and the challenges they face in adopting DORA.
For proprietary trading executives, the challenge was one of awareness, with 80% of respondents based in the EU or the UK saying that they were either unaware of DORA or not impacted by it. As DORA applies to all MiFID II regulated firms, many of these firms will be in scope.
Other key findings include:
- The top challenges firms are facing in preparing for DORA include the operational resources required, the criteria for analysing threats, and getting information from vendors.
- While a majority of sell-side firms already map third-party relationships across their firm, the number that map Nth party relationships, a key element of DORA, is much lower.
- Few firms currently meet the full requirements of DORA with exit strategies for critical vendors and the frequency of reviews of third-party relationships identified as key areas of weakness.
- Almost 90% of firms are increasing investment in third-party risk management to meet the requirements of DORA and other regulations, and many are considering outsourcing management and compliance on a managed service basis.
What is an Nth Party?
Nth party refers to the chain of suppliers and associated dependencies that exists beyond a third-party supplier to an organization.