In the evolving landscape of financial regulation, the emergence of the Digital Operational Resilience Act (DORA) and similar legislation in the United States signals a crucial shift towards systemic approaches to quality assurance and operational processes within financial institutions, covering both access security and the technology operations of the IT landscape. These regulatory frameworks highlight the imperative for institutions to move beyond reliance on individual expertise and human judgment alone. Instead, they emphasize the need for robust mechanisms that transcend individual biases and ensure comprehensive process coverage, for example in testing. By mandating such systemic approaches, DORA and analogous regulations compel financial institutions to adopt technology-driven solutions that can effectively manage and monitor the various aspects of their operations, ultimately enhancing transparency, efficiency, and risk management practices across the industry.
DORA is a new regulation by the European Commission, going into effect in 2025, aimed at enhancing the operational resilience of the EU financial sector to ensure its stability in the face of increasing digitalization and cyber threats. While some practical details remain to be defined, here is how DORA could potentially impact financial services companies doing business in Europe based on its proposed objectives and requirements. This is relevant not only for European organizations, but also any organization that offers financial services within the EU or provides third-party services to EU financial services companies.
Cybersecurity Standards
DORA is expected to introduce stringent cybersecurity standards for financial institutions. This could entail requirements for regular security assessments, penetration testing, and implementation of robust cybersecurity measures to protect against cyber threats such as data breaches, ransomware attacks, and DDoS (Distributed Denial-of-Service) attacks. Financial services companies would need to invest in enhancing their cybersecurity infrastructure to comply with these standards.
IT and Security Incident Reporting
DORA is likely to mandate financial firms to promptly report significant IT and security incidents to regulatory authorities. This aims to improve transparency and facilitate coordinated responses to cyber threats across the EU financial sector. Companies would need to establish robust incident reporting mechanisms and procedures to comply with these requirements.
Outsourcing Oversight
DORA might introduce stricter oversight and controls over outsourcing arrangements within the financial sector. Financial institutions frequently rely on third-party service providers for various functions, including IT services and cloud computing. DORA could require firms to conduct thorough due diligence on outsourcing partners (essentially any third party involved in the technology or business execution of their main business purpose), ensure contractual agreements include adequate cybersecurity provisions, and maintain effective oversight of outsourced activities to mitigate operational risks. This includes software and services in the context of your SimCorp Dimension installation, too.
Business Continuity and Disaster Recovery Planning
DORA could impose enhanced requirements for business continuity and disaster recovery planning to ensure that financial institutions can maintain critical operations during disruptive events such as cyberattacks, natural disasters, or system failures. Companies would need to develop comprehensive contingency plans, conduct regular testing and simulation exercises, and establish redundant infrastructure to minimize service disruptions and ensure timely recovery. All this should be done with a systematic and ideally automatic approach and depend as little as possible on the judgment of only a few expert individuals.
Data Protection and Data Governance
DORA will reinforce data protection and data governance standards within the financial sector, particularly concerning the handling of sensitive customer information. This could involve requirements for encryption, access controls, data minimization, and compliance with relevant data protection regulations such as GDPR (General Data Protection Regulation). Financial firms would need to strengthen their data protection policies and practices to safeguard customer data and mitigate the risk of data breaches.
Overall, DORA aims to enhance the resilience of the EU financial sector against evolving digital threats and ensure the continuity of essential services in the event of disruptions. Compliance with DORA is likely to necessitate significant investments in cybersecurity, IT infrastructure, risk management, and regulatory compliance for financial services companies operating in Europe.
What impact on system deployment and testing practices can be anticipated for your IT landscape, including SimCorp?
Let's delve deeper into the specific adjustments financial services firms may need to make to their testing and technology deployment strategies in order to address human bias exposure and systematically cover enterprise risks arising from IT system testing. While this applies to any component of a financial company's IT landscape, SimCorp Dimension typically receives early and significant attention because of its central role in investment management processes.
Human Bias Exposure in Testing Strategy
Financial services firms need to adopt testing strategies that mitigate human bias exposure, particularly in areas such as algorithmic decision-making, credit scoring, and risk assessment. This involves implementing automated testing procedures and algorithmic validation techniques to detect and correct biases in models and decision-making processes.
Utilizing diverse and representative datasets is crucial to minimize bias in testing. Firms must ensure that their testing datasets accurately reflect the diversity of asset classes and transactions, including realistic volumes, to avoid perpetuating discriminatory outcomes.
Incorporating fairness and explainability metrics into testing frameworks can help ensure transparency in decision-making processes.
Systematically Covering Enterprise Risks from IT System Testing
Financial services firms need to expand their testing scope to systematically cover enterprise risks arising from IT system failures, cyber threats, and operational disruptions.
This requires comprehensive testing protocols that assess the resilience of IT infrastructure, including network security, data storage, software applications, and cloud services. Firms should conduct rigorous penetration testing, vulnerability assessments, and scenario-based simulations to identify and address potential weaknesses in their IT systems.
Testing should also encompass business continuity and disaster recovery plans to evaluate the effectiveness of response mechanisms in mitigating the impact of IT system failures or cyber incidents on critical operations.
Implementing continuous testing practices enables firms to proactively monitor and assess the performance and security of their IT systems, allowing for timely detection and remediation of vulnerabilities and threats.
The required seamless integration of testing tools with the software under test favors standard software applications and established market best practices. In the future more than ever, it will be important to carefully pick the business process pieces where deviating from established standards provides genuine extra value, and ideally a unique selling point to your own customer base, because being different will come at an ever larger long-term cost.
Comparison to other Financial Services Regulations
In the United States, financial services firms are subject to regulations such as the Federal Financial Institutions Examination Council (FFIEC) guidelines, which provide guidance on IT risk management, cybersecurity, and business continuity planning.
Additionally, regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX) impose requirements related to data privacy, information security, and financial reporting, which indirectly influence testing strategies and risk management practices.
In Canada, financial institutions adhere to regulations like OSFI's Cyber Security Self-Assessment Guidance and PIPEDA, emphasizing cybersecurity resilience and data protection.
The UK's financial sector operates under regulations such as the Financial Services Act and PRA guidelines, focusing on operational resilience and risk management in a rapidly evolving digital landscape.
Across Asia, financial regulatory bodies like MAS in Singapore and FSC in South Korea enforce regulations such as the Technology Risk Management Guidelines and Cybersecurity Act, aiming to bolster operational resilience and cybersecurity measures amidst increasing digitalization and cyber threats.
While the regulatory landscape in other countries differs from that of the EU, there are parallels in the objectives of enhancing operational resilience, cybersecurity, and risk management across all jurisdictions. Financial services firms around the world need to adapt their operating and testing strategies to address evolving regulatory expectations and emerging cyber threats, similar to their counterparts in Europe.
Tech Solutions: Relevance of APIs to test automation
APIs form an essential prerequisite for successful test automation as they enable seamless communication between software systems, facilitating efficient data exchange and interaction. Different approaches to automating through APIs offer varying benefits regarding time to value and cost of maintenance. For instance, code-based automation frameworks like Selenium and REST Assured provide flexibility and customization but entail significant development effort and ongoing maintenance, potentially resulting in higher initial costs and longer time to value.
On the other hand, low-code or no-code automation platforms such as Postman and SoapUI offer rapid test creation with minimal coding required, accelerating time to value while minimizing maintenance overhead. However, these platforms may have scalability and customization limitations, requiring careful consideration of trade-offs when selecting the most suitable approach for API test automation. A third option is a full as-a-Service offering that adapts to customization needs while leveraging standard platform structures, such as the Testing-as-a-Service platform from Sixsentix.
Tech Solutions: Path to compliance
As financial institutions navigate the complexities of regulatory compliance under DORA and similar legislation, there lies a transformative opportunity to revolutionize their operational paradigms. By embracing technology-driven solutions over reliance on manpower and individual expertise, firms can not only enhance the quality of their continuous deployment agendas but also mitigate overall risk exposure while simultaneously reducing costs. To fully realize these benefits, a two-fold approach is imperative. Firstly, standardizing software systems using an open API framework facilitates seamless connectivity and interoperability, fostering agility and innovation across the industry. Secondly, institutions must prioritize the implementation of true end-to-end test automation, incorporating robust test data management and dynamic adjustment of risk profiles based on near-real-time business data. If a financial institution consumes testing services from a third party, it should look for a partner who is not trying to sell bodies, but who delivers technology-driven compliance and continuous deployment outcomes.
By embracing these principles, financial institutions can navigate the regulatory landscape with confidence, driving operational excellence, and fostering sustainable growth in the digital age.
If you want to learn more about this subject, please get in touch with us.