Beyond the Checkbox (Ep. 2): Nikki Stoy on the Challenges of DORA Compliance
Episode Summary
In this episode of Beyond the Checkbox, host Matt Kelly dives into the Digital Operational Resilience Act (DORA) with Nikki Stoy, Account Executive at Certa. DORA, an EU regulation that applies from 17 January 2025, aims to strengthen the digital operational resilience of financial entities and the ICT providers they depend on, which means firms need their programmes in place by the end of 2024. Nikki draws on her experience in governance, risk, and compliance to explain why robust digital resilience plans matter.
Nikki walks through DORA's five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. She emphasizes that DORA is about preparing for cyber failures that will inevitably happen rather than assuming they can all be prevented. The regulation requires businesses to be able to recover quickly and resume operations after an incident.
Matt and Nikki discuss specific compliance challenges, including setting an ICT risk tolerance, defining security objectives, and managing third-party risk. They also discuss where AI can remove bottlenecks in compliance work and why risk management needs a holistic approach.
Key Insights
The Five Pillars of DORA
Nikki Stoy breaks down the Digital Operational Resilience Act (DORA) into its five core pillars: ICT risk management, incident management and reporting, digital operational resilience testing, third-party risk management, and information sharing. These components are designed to ensure that financial entities and their critical ICT suppliers can withstand, respond to, and recover from cyber attacks and other operational disruptions. Nikki emphasizes that DORA is not just about preventing cyber incidents but about having robust plans in place to manage and recover from them. By formalizing these areas, DORA aims to bring a new level of rigor and structure to risk management in the financial sector, so that businesses can maintain continuity even in the face of significant challenges. One point worth noting for practitioners: the third-party pillar does not stop at the financial entity's own controls, since DORA also places critical ICT third-party providers under direct oversight by the European Supervisory Authorities.
Managing Third-Party Risks Under DORA
Nikki highlights the crucial role of third-party risk management in complying with DORA. She explains that any supplier capable of disrupting a financial services organization falls under DORA's scope. The regulation requires businesses to manage not only their own risks but also those introduced by their supply chain. Nikki stresses the need for continuous monitoring and assessment of third-party risk, since it can arise from several domains, including data privacy, information security, and the supplier's own financial stability. By keeping a complete register of their third-party relationships and maintaining ongoing oversight of them, businesses can better prepare for and mitigate potential disruptions and sustain operational resilience across the board.
AI’s Role in Streamlining DORA Compliance
Nikki discusses the impact of AI on compliance processes, particularly in the context of DORA. She notes that AI can significantly speed up tasks such as contract management, due diligence, and incident reporting. For instance, AI can scan and analyze contracts, extract relevant clauses, and feed them into third-party risk management systems. This capability helps financial firms adapt quickly to new regulatory requirements and stay compliant, though extracted clauses should still be validated by a human reviewer, since a missed or misread clause becomes a compliance gap. AI can also assist in monitoring the external environment for potential risks, allowing businesses to stay ahead of emerging threats. By leveraging AI, companies can overcome traditional bottlenecks and improve their overall resilience, making compliance more efficient and effective.