Gregory Kennedy, IO columnist. Image: IO.
Chronique
Opinion

Regulators watch too many sci-fi movies

Expecting firms covered by DORA to possess the skills, time, and capacity to function as ICT experts is yet another regulatory demand that offers little in terms of investor protection. The added layers of control imposed on investment firms are poised to escalate costs far more than they bolster safeguards.

In order to ensure operational resilience, firms will be required to conduct due diligence across their entire supply network, extending even to the subcontractors of their suppliers. Considering that 90% of firms in Luxembourg outsource a portion of their operations, this presents a monumental challenge.

Investment firms predominantly outsource ICT services either within their group or to third-party providers, which will significantly complicate their compliance with DORA. Particularly noteworthy is DORA›s mandate for the monitoring of group ICT services to match that of third-party services.

Now, let’s dissect the 5 core pillars of DORA:

1.    ICT Risk Management:
DORA›s primary objective is to ensure that firms meticulously document, monitor, and consistently enhance their ICT infrastructure. Due to a dearth of in-house expertise, most firms will resort to outsourcing to meet these requirements, leading to a surge in demand for consultants but minimal improvement in ICT capabilities.

2.    ICT Related Incident Reporting:
Regulators anticipate regular reporting from firms regarding ICT-related issues, expecting firms to maintain a detailed log of such incidents and classify them according to criteria outlined in DORA. This poses a significant challenge for teams already stretched thin by existing reporting obligations.

3.    Digital Operational Resilience Testing:
Essentially, firms are mandated to rigorously test their ICT systems through exercises such as penetration tests, commonly known as Red/Purple team assessments. This level of capability is likely to exceed the capabilities of most firms and will consequently be outsourced.

4.    ICT Third-Party Risk:
Given that the bulk of firms outsource their IT operations—such as hosting infrastructure on Microsoft Azure cloud—the expectation is that they monitor their IT providers. However, it remains unclear how such assessments will effectively identify potential issues.

5.    Information Sharing (Optional):
Finally, DORA aims to foster information exchange among financial entities so they can collaborate in identifying and mitigating ICT issues. Given that firms often operate in competitive environments and ICT problems can tarnish reputations, the effectiveness of this initiative is uncertain.

DORA sets the unrealistic expectation that all investment firms, regardless of size, should become ICT experts, actively monitoring and testing their ICT processes. This demand is feasible only for the largest investment managers whose business models hinge on resilient ICT infrastructure.

At first glance, with the advent of cloud computing and artificial intelligence, it might seem plausible for a Conducting Officer to emulate Tom Cruise’s character in Minority Report, detecting issues within their ICT framework. However, such a scenario is highly improbable.

In essence, DORA will likely result in an upsurge of paperwork and reporting, with questionable gains in actual ICT and supplier resilience.

Gregory Kennedy is a columnist for Investment Officer Luxembourg. His columns appear every other week. He also works as a business development manager at Finsoft.lu.