6th Annual Digital Financial Services and Fintech Conference: Digital Resilience


On 3 December 2020, Eversheds Sutherland hosted a webinar to discuss digital resilience as part of the sixth annual Eversheds Sutherland Digital Financial Services and Fintech conference.

The discussion was led by Craig Rogers, Partner in the FS group at Eversheds Sutherland. The panel also included: Mark Pickersgill (Associate General Counsel of HSBC’s Technology functions); Scott Williamson (Counsel and Lead of IBM’s Global Business Services); Jake McQuitty (Partner in the Eversheds Sutherland Financial Disputes and Investigations group); Paula Barrett (Partner and Co-Lead of the Eversheds Sutherland Cyber Security and Privacy group); and Rhys McWhirter (Of Counsel in Hong Kong and Lead of the Eversheds Sutherland Asia Technology practice).


The panel answered questions about the shift in the direction of travel for financial services regulation, away from general principles towards a more prescriptive set of rules. They provided insights on an evolving suite of international regulations, such as the EU’s Digital Operational Resilience Act (“DORA”) and coordinated FCA/PRA Consultation papers on operational resilience and third-party risk management. Discussions highlighted the challenges that the regulations pose for all firms across the sector, and the need to balance the competing objectives of delivering innovative, customer-centric products and services (often using cloud-based technologies) with increasingly demanding regulatory requirements.

Summary of key themes in the recent regulations: 

There were three key themes that emerged from the panel’s discussion about DORA and other international regulations.

  1. Firstly, DORA aims to bring together various existing complex regulations and create a more standard approach across jurisdictions. In theory, this should make compliance less time-consuming for large companies acting across multiple locations. Rhys McWhirter discussed similar issues with current regulations across Hong Kong, Singapore and China, where large businesses face difficulties setting an international threshold standard for digital resilience.
  2. Secondly, the panel emphasised that DORA focuses on putting the customer at the heart of everything and this provides a useful indication of what the regulators think is most important.
  3. Thirdly, DORA will, for the first time, bring critical ICT service providers within the regulatory perimeter. If adopted in the current form, DORA would trigger a fundamental shift in the dynamic between regulated financial institutions and their critical third-party service providers. The fact that regulators will have the ability to impose sanctions directly on technology service providers is likely to be a major topic of conversation in future contract negotiations.

Summary of key challenges for businesses as a result of recent regulations:

  1. Institutions need to focus on communication. Paula Barrett suggested that the entire business should know what the organisation’s data consists of, who has it, where it is located and who can access it. A detailed record should be kept to evidence this, especially if the company interacts with third, fourth or fifth parties. In reality, it will be challenging for businesses to obtain such a vast amount of information and keep accurate records.
  2. Businesses need to ensure they have proper systems in place, due to additional compliance obligations. Jake McQuitty explained that this should not just be immediate crisis incident response procedures, but also ongoing assessments of reactions following disruptive events. If companies adopt the expectation that a disruption “will” happen at some point, rather than “if” or “may”, they will be better placed to react to real situations.
  3. Institutions should regularly audit, review and test their systems. Mark Pickersgill suggested that there should be frequent testing and reporting of incidents, in line with DORA. Scott Williamson added that companies’ capability to have oversight of procedures and scrutinise systems will be dependent upon the visibility of their supply chains. The panel also discussed the value of international standards (such as the ISO/IEC suite and SOC audits) and a common due diligence framework (for example under the CMORG or AIMA initiatives).

Concluding remarks

The panel reflected that although the regulations alleviate some issues, a key challenge remains: for institutions to strike a balance between providing innovative tech solutions and ensuring that they are resilient to internal and external pressures. Another important issue on the horizon is Brexit. If anyone would like further guidance on tackling this and any other challenges, they should get in touch with the team.