Banks and Their Tech Suppliers Face More IT Scrutiny in Europe

EU Digital Operational Resilience Act

Banks and their IT providers will soon face tougher scrutiny in the European Union (EU).

That’s because of the Digital Operational Resilience Act (DORA), which passed last year but isn’t set to be enforced until January of 2025. A report Thursday (Aug. 8) by CNBC examines the implications of the law, particularly in the wake of last month’s CrowdStrike outage.

DORA requires banks to carry out strict IT risk management, digital operational resilience testing and information and intelligence sharing on cyber threats and vulnerabilities, and to take measures to manage third-party risks.

In addition, the report notes, companies will have to assess their “concentration risk” in relation to outsourcing critical operational functions to third-party companies.

These IT providers often deliver “critical digital services to customers,” Joe Vaccaro, general manager of Cisco-owned internet quality monitoring company ThousandEyes, told CNBC.

“These third-party providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them uncover and map these sometimes hidden dependencies with providers,” said Vaccaro.

Lenders will also have to “expand their ability to assure the delivery and performance of digital experiences across not just the infrastructure they own, but also the one they don’t,” he added.

As the report notes, DORA aims to help banks escape incidents like the massive IT outage last month when a software update glitch at cybersecurity provider CrowdStrike caused Microsoft Windows systems to crash at airports, hospitals and financial services companies.

Weeks later, the fallout from the outage continues, with Delta Air Lines — which canceled more than 5,000 flights following the disruption and says it stands to lose $500 million — threatening legal action against CrowdStrike.

CrowdStrike struck back against the airline’s claims on Sunday (Aug. 4), arguing that while it accepts responsibility for the outage, it does not accept responsibility for Delta’s IT decisions, noting that “Delta’s competitors, facing similar challenges, all restored operations much faster.”

As PYMNTS wrote earlier this week, the incident underlines the importance of third-party vendors like cloud service providers and IT companies in maintaining resilient infrastructure.

“With complex ecosystems, you have a higher number of partners than you may have historically had,” Larson McNeil, co-head of marketplaces and digital ecosystems at J.P. Morgan Payments, told PYMNTS. “You’ve got to understand your industry and the various players in the ecosystem — and as complexity increases, you’ve got to understand the risk and the opportunities that this creates for the business.”