Written by: Leda Glyptis

Is four a lot?

You know that meme, right? It’s been doing the rounds.
Q: Is four a lot?
A: It depends on the context. Dollars? No. Murders? Yes.
So let’s play: what about hours?
Would you say 4 hours are a lot?
Again, it depends on the context.
Time on the beach? Nowhere near enough. Time inside an MRI machine? Way too long.

And what about time to detect any major ICT-related incident across your tech estate and notify the relevant authorities of said incident with enough detail to go beyond ‘a thing happened that doesn’t look good’?

If you are a lay, normal person, a person who keeps their money in a bank… you’d probably assume that 4 hours is plenty of time for the bank you keep your money in to work out that something major is going down.
Sadly, you would be wrong.
And if you were someone who works inside any of the financial services institutions affected by operational resilience regulation, you are probably thinking that 4 hours is nothing. 4 hours is nowhere near enough.
And it is nothing, but not because you want to take your sweet time, not because you have better things to do. (Although, realistically, everyone has better things to do than report major incidents to the regulator. Not more important, but ‘better’? For sure).

4 hours is nothing. Because a lot of organisations are using transaction systems that predate the real-time era we live in. So you may not know there has been an issue in that timeframe, simply because the system is not designed with that kind of observability in mind.
You may not know something is off until end of day. And, depending on when the incident occurred, you may already be late for your 4-hour notification window and running behind on the 24-hour window for reporting any and all events of lower severity.

Don’t the regulators know that?
Of course they do.
That’s why they put this regulation in.
It is explicitly stated and implicitly demonstrated by the regulatory posture around DORA that the regulators don’t think we are doing enough.
So they are raising the bar: DORA mandates that financial institutions implement comprehensive risk management frameworks to address ICT-related risks in a particular way and within a particular timeframe.

That involves a more robust set of expectations before, during and after an incident. This means that new provisions are coming in around identifying, assessing and mitigating risks associated with any affected financial institution’s ICT systems and third-party service providers.
If you are thinking that’s a lot: why… yes it is.
If you are thinking: surely they can’t mean this? I get it. But they do. They totally mean it.
The expectation of the regulation is that organisations will change their posture around risk management in this space. And they will do so holistically and forever. For tech they have built themselves, tech that is being provided by third parties, and all associated services that may impact critical assets, cybersecurity etc.

And honestly, as a consumer, I’m nervous that this wasn’t already the case.

As a technology professional who’s been working in financial services for 25 years, I know why it’s not the case – and why complying with the regulation isn’t just a case of being quicker.
A lot of technology uplift will be needed.
A lot of third party contracts will need to be re-papered, with new rules, SLAs and expectations.
A lot of relationships may have to be re-thought.
It’s a lot and it’s why many organisations haven’t done it yet.

Because it’s not like DORA came out of a clear blue sky.
We are 20 years into a journey towards a fully digital, real-time economy. And organisations have been navigating the pressures of this journey and change to the best of their ability, ambitions and budgetary restrictions.
Some things had to give.
Some things had to not be given priority. In the name of all the other things that did get done.

I get it.
But the regulator is calling time on this. That’s what operational resilience is about.
The needs of the real-time economy, what consumer duty looks like in a real-time economy. What having actual control over your tech estate and knowing what is happening inside your own house looks like, in a real-time economy.

So even if many of the largest players affected by the regulation choose to risk-accept and hope for the best… and they will…
Even if you are trying to work out a good reason why this doesn’t apply to you, and there are many procedural reasons that may get you out of needing to comply this time round…
Even if you are sitting in a part of the market or a part of the globe that isn’t DORAing yet and you are heaving a sigh of relief…

Don’t.

Because you may not need to do any of this yet.
But stop and think: would you know, within 4 hours, of a major incident occurring in your estate? Even if you didn’t have to report it. Would you know?
Would you know before a client reported it?
Would you know before it compounded into another set of issues?
If the answer is no, then… wouldn’t you want to know?

Seriously now.
You may not need to do the threat-led pen testing that DORA stipulates. You may not need to implement the robust ongoing testing… yet. But if you are operating in this digital economy of ours (and if you are in business right now, you are) then why wouldn’t you want to know? Why wouldn’t you want to know if something is broken as quickly as possible?
Why would you not want to know if you have vulnerabilities in your third party estate? Legally, you are responsible for the outcome of these relationships as they pertain to your clients, DORA or no DORA… so why on earth wouldn’t you want to know?

DORA or no DORA, the world is digital, the bad guys are savvy, and threats abound. The night is dark and full of terrors. Do you really need to be told by the regulator that knowing your vulnerabilities is a good thing?
Don’t you already know that?

What you choose to do about protecting yourself, once you know, may be a journey, calibrated for budget considerations and other priorities. Of course it will be. You may choose to take the whole making changes thing… slow.
You may do so and have good reasons.
But wouldn’t you want to know before you make that call?
Just in case you are… you know… wrong?

Just in case 4 is nowhere near enough… hours… when it comes to how long it would take you to know that something inside your organisation was really badly broken.
And maybe you are ok with that. It’s all a matter of context I guess.
4 hours of things being broken inside a regulated financial institution, in a real-time world…? Sounds like a lot to me. And maybe fixing it is a lot too. But at least I’d like to know.
Because 4 may be nowhere near enough when it comes to hours but it is way too many when it comes to blind spots.
So, as I said. I would like to know. And so should you.

If you would like to know more about how The Disruption House can help your organisation, and your suppliers, align with operational resilience regulation, contact our team.

More about the author:
Leda Glyptis
Strategic Advisor

Leda is a seasoned fintech executive and former banker, with a career spanning two decades working in transformation and technology functions across a variety of financial services verticals.

She is the author of best-selling book ‘Bankers Like Us: Dispatches from an Industry in Transition’ and of the recently released ‘Beyond Resilience: Patterns of Success in Fintech and Digital Transformation.’ Leda is a Visiting Professor of Practice for the University of Loughborough London, focusing on fintech and the digital economy.

She works as an external advisor to boards and executive teams for banks, financial institutions and technology companies globally, supporting leadership teams in transition: be it a process of transforming themselves, their business or their software infrastructure.
