EU regulations to impact finance firms warns consultants

Thursday 18 April 2024

A Channel Islands consultancy firm is warning that the finance sector must prepare for the potential commercial consequences of new EU cyber security legislation coming into force in January next year.

Black Arrow Cyber Consulting says firms, including fund and asset managers, should prepare for a detailed discussion of their cyber security risk management approach with their EU regulated clients, as part of new cyber security regulations being enforced from January 2025.

The new EU Digital Operational Resilience Act (DORA) requires EU financial services organisations to identify and manage all their information and computer technology (ICT) risks, in particular the risk exposure to and from other financial entities.

There is an additional focus on the EU occupational retirement sector that outsources a significant part of their core business, such as asset management.

Many Channel Islands firms provide services to EU clients that fit this description, and Black Arrow is concerned that these firms may be unaware their EU clients will need to contact them to evaluate their cyber security controls.

Bruce McDougall, Director of Black Arrow and Cyber Security Risk and Governance Lead, recommends that local firms understand DORA’s requirements and prepare an objective cyber risk analysis as evidence for their EU clients.

“DORA applies to regulated financial services organisations in the EU, but the effects go beyond the EU and will be felt here in the Channel Islands.

“If your EU regulated client considers that you provide a ‘critical or important function’ to their business, such as administering a fund on their behalf, then you should expect to feature on your EU client’s DORA risk analysis and to discuss your leadership’s management of all cyber risks.

“Remember that you will be dealing with an EU client that has been deep-diving into DORA for some time, so their knowledge and experience on this may be greater than yours at present and their questions may be challenging.

“Remember too that a large part of DORA describes how to manage the risks of third-party IT providers. That is why we recommend you should evidence that your leadership team understands cyber risk management for themselves, and has not delegated this to an IT provider.

“From the EU client’s perspective, they will risk regulatory problems if their important business operations are in the hands of a third party with comparatively weak security. We know how long the journey can be for some organisations to design and implement proportionate security across people, operations, and technology.

“Ultimately, it will be your EU client who decides whether they agree with your cyber security risk management documentation and whether they continue the business relationship with you.

“This means that your approach to managing your cyber security risks is now a key competitive advantage, when your client is comparing your approach to that of your competitors locally and in other locations. We strongly recommend starting work on this now.

“Currently many Guernsey firms are focused on Moneyval, and we are raising awareness of DORA now so that firms do not leave DORA until it is too late. We have public events on DORA planned with partners over the coming months, or firms can contact us directly to discuss how to prepare.”
