
Digital Business Resilience and the Financial Sector

By Jason Harrell, DTCC Head of External Engagement, Operational and Technology Risk | 5 minute read | March 1, 2021


Recently tested by the COVID-19 pandemic, resilience in the face of cyberattacks and other hazards continues to be a focus for the financial services industry (the Sector). While the industry performed well through the pandemic, the event gave firms an opportunity to identify ways to make their businesses more resilient. New/emerging technology (e.g., cloud, DLT, artificial intelligence (AI)) has the potential to provide the fuel needed to accelerate firms' operational resilience. This new technology may enter the Sector through partnerships with market entrants (e.g., FinTech), through the outsourcing of certain services to ICT providers, or through firms' own adoption of the technology.

The proliferation of this technology across the Sector has rightly drawn increasing supervisory scrutiny. The European Union (EU) has long considered the potential impacts of financial digitalization on operational resilience and how the introduction of new/emerging technology may alter the provision of financial services in the future. Recognizing the need to balance the potential introduction of new and unknown risks against the opportunity for innovation, the European Commission (EC) drafted the Digital Operational Resilience Act (DORA) as part of a larger Digital Finance package, which was designed to lay the foundation for EU Member States to promote safety and soundness across the Sector as well as financial services innovation. DORA looks to provide consistency and to harmonize the digital operational resilience requirements across the EU Member States, with the aim of reducing the administrative burden on firms and enhancing supervisory effectiveness.


Understanding the Risks

The DORA framework seeks to address the following risk areas:

Third-party/outsourcing risk – Firms continue to expand their use of external parties to deliver products and services, which increases the attack surface and the need for firms to understand and validate the resilience of these external parties.

ICT risk – The EU Member States have numerous regulatory initiatives and supervisory approaches to manage cyber risks, which have resulted in inconsistencies that increase administrative and compliance costs without significant gains in managing this risk. DORA seeks to create consistency in certain ICT risk management areas, which may lead to better ICT risk management for financial firms.

Incident reporting – Financial institutions have long been required to report operational events to supervisory authorities as part of their regulatory obligations. Unfortunately, divergent national and sectoral approaches to this reporting have limited the value of information on the current and emerging threat environment. When reporting requirements are consistent within and across jurisdictions, supervisory authorities are better able to identify and mitigate systemic risk. Further, divergent reporting requirements increase the compliance burden on firms with little commensurate benefit across borders.

A New Supervisory Framework

DORA is currently sitting with the European Parliament, where it will undergo additional scrutiny by the different Member State representatives, which may alter the original EC proposal. While DORA goes a long way toward creating a single rulebook for this area, certain factors should be considered in addressing the risks described above.

Third-Party/Outsourcing Risk Management

The financial services industry uses a range of critical service providers, ranging from highly regulated financial institutions to small, unregulated FinTech firms. While DORA contemplates a framework focused on ICT providers, this limited scope may leave other unregulated, non-ICT providers outside the supervisory umbrella, which could lead to the development of additional frameworks that could introduce operational complexities and additional compliance burdens. A potential long-term solution could be the development of a single third-party oversight framework that allows for the management of third-party risks based on their market and consumer impacts. This approach may allow greater flexibility to expand or contract the framework as new technology and market entrants develop.

Incident Reporting

There are numerous incident reporting frameworks, each with different reporting timeframes, reporting templates and required information. For firms operating across Member States, the different permutations of reporting requirements complicate their ability to meet their compliance objectives while also addressing the incident. Further, the diverse reporting requirements complicate a supervisory authority's ability to have a clear picture of the threat landscape and its ability to share information with firms about new/emerging risks. DORA proposes to streamline this reporting through a single reporting framework. This will not only assist reporting firms, but will also improve visibility of new/emerging threats across the Sector, which, in turn, strengthens supervision while raising the level of preparedness of all firms.

ICT Risk

Firms are required to develop and maintain systems and applications that minimize the impacts of ICT risk, implement preventive measures against ICT risk, and detect and respond to ICT incidents. Supervisory rules and guidance across the EU Member States vary in both the granularity of ICT risk requirements and the ICT risk areas covered, which makes it challenging to meet all the rules in a manner that is cost effective and makes the best use of the limited skills available in the marketplace. Further, these differences require firms either to develop separate risk management programs for the different Member States in which they operate or to select the most stringent version of each requirement to meet their compliance obligations. This impact could unintentionally disincentivize firms from offering valuable services across Member States, as a firm may elect to operate in a limited number of states to avoid the additional operational complexity and costs associated with monitoring the requirements of numerous jurisdictions. Though DORA attempts to address many of the challenges created by the divergent national and sectoral approaches to managing ICT risk, it is important that the framework remains flexible enough to manage future risks and that it provides proportionality both for the range of firms it covers and for the external providers it will impact.

Conclusion

DORA is a major step in the right direction that will likely benefit both firms and supervisory authorities. The aforementioned recommendations may serve to assist the European Parliament and European Commission in further strengthening this legislation and creating consistency across the European Union.
