The Digital Operational Resilience Act (DORA) requires European financial services organizations to adopt cybersecurity policies and controls to protect against ICT-related incidents and threats. The objective of the new regulation is to boost operational resilience throughout the financial services sector, meaning that these obligations apply to internal operations and also extend to an organization’s third parties. To prepare for DORA, all impacted firms and their suppliers will need to ensure that they can withstand, respond to and recover from all types of ICT-related disruptions.
ProcessUnity combines three offerings in one comprehensive solution designed to help you meet DORA obligations. The table below outlines the core DORA components and how ProcessUnity streamlines your adherence to those requirements.
||How ProcessUnity Helps
|IT Risk Management and Governance
||Identify and treat on a continuous basis all sources of ICT risk, establish a comprehensive ICT risk management framework guiding all work relating to ICT risk.
||ProcessUnity enables you to create an interconnected cybersecurity risk management framework, including assets, regulations, risks, controls, and policies. The solution is pre-loaded with DORA regulatory content that can be easily added into your existing control framework.
|Digital Operation Resiliency Testing
||Perform regularly scheduled assessments against ICT assets to determine risk ratings and maturity ratings against provisions in the DORA controls framework including mandatory reporting outputs
||ProcessUnity streamlines testing activities via asset questionnaires to determine appropriate testing scope, automated workflows and notifications to asset owners, instructions on how maturity ratings/evidence should be collected, and out of the box reporting on testing output by asset/risk/provision/policy/etc.
||Share knowledge of known cyber threats across the entire industry to raise awareness and preparedness and reduce their impact.
||ProcessUnity supports intelligence sharing with real-time, customizable reporting and incident tracking. The interactive supplier portal allows you to seamlessly share information about known threats with suppliers.
|ICT Supply Chain Management
||Establish formal third-party risk management practices for financial services suppliers, including strategies to manage supplier risks, offboarding harmful suppliers and onboarding substitute suppliers.
||ProcessUnity includes a third-party database to catalog and track all suppliers; templated questionnaires to assess suppliers; a supplier portal for supplier contacts to collaborate with your team; pre-built workflows for onboarding, ongoing monitoring and offboarding, and reporting on supplier risk.
||Respond and recover from ICT-related incidents and cyber attacks and analyze their impact on digital operational resilience.
||ProcessUnity includes an incident management module with functionality to track and categorize ICT-related incidents, allowing you to rapidly investigate and respond to incidents. The platform delivers streamlined, real-time incident reporting.
||Report on vulnerabilities, cyber threats, ICT-related incidents and cyber attacks to regulators, auditors and suppliers.
||ProcessUnity provides access and reporting on user-defined information for read-only access to external stakeholders. Supported views include regulator, auditor, and supplier access, with the ability to generate/export reports on demand.
||Learn and improve from ICT-related incidents and prevent the organization from falling victim to the same attack twice.
||ProcessUnity includes workflows and reporting to thoroughly review internal incidents, then revise ineffective policies internally. The platform can easily integrate with external threat intelligence providers for greater external surveillance.
Who DORA Applies To
DORA applies to European financial services firms and their third-party ICT service providers. Affected organizations include banks, government services, networking systems, cloud providers and more. The chart below provides a detailed look at targeted firms and examples of their ICT assets that are in scope.