The EU has issued a proposed regulation on digital operational resilience which may have practical implications for certain financial market infrastructure providers, including central securities depositories, central counterparties and trading venues.
As part of the EU digital finance strategy, the European Commission has issued a proposed regulation on digital operational resilience for the financial sector (the DOR Regulation). This sets out requirements for operational resilience and information and communications technology (ICT) risk management and seeks to consolidate and upgrade the ICT risk requirements contained within separate pieces of EU legislation. A copy of the draft DOR Regulation can be found here.
The DOR Regulation applies to a large number of EU financial entities, including central securities depositories (CSDs), central counterparties (CCPs), trading venues, MiFID investment firms, payment institutions and e-money institutions. In addition, some aspects of the DOR Regulation will impact upon entities which provide ICT services to EU financial entities.
We provided an overview of the DOR Regulation in a separate briefing available here.
In this briefing, we consider in more detail some of the proposed requirements for ICT risk management and ICT third-party service arrangements, as well as their potential implications for market infrastructure providers (MIPs), such as CSDs, CCPs and trading venues. In our view, the DOR Regulation is unlikely to have significant implications for MIPs on the basis that many MIPs may, in fact, already have processes in place that would meet the minimum requirements proposed in the Regulation. However, in the short-term, we think it would be prudent for MIPs to carry out a "gap analysis" to determine what (if any) amendments need to be made to their processes in order to comply with the more granular requirements proposed by the DOR Regulation.
Although the DOR Regulation will not come into force before the end of the Brexit transition period (i.e. before 11pm GMT on 31 December 2020) and therefore will not apply directly to UK MIPs, the EU measures likely indicate a strong direction of travel for UK-specific regulation in this area. This argument is supported by the Bank of England and the UK Financial Conduct Authority's recent focus on cyber security and other operational resilience issues (as well as the global focus on these topics from international organisations, such as IOSCO and the Financial Stability Board). In addition, from an industry and marketing perspective, UK MIPs might find that EU market participants will want to see UK MIPs demonstrating compliance with equally stringent rules.
1. ICT risk management
MIPs are already subject to extensive general governance, reporting and outsourcing requirements under existing EU rules and regulations, such as MiFID II (for certain trading venues), the European Market Infrastructure Regulation (for CCPs) and the Central Securities Depositories Regulation (for CSDs). Therefore, in many respects, the requirements proposed by the DOR Regulation will not be entirely new or unfamiliar.
However, the DOR Regulation does impose more specific, enhanced requirements in respect of ICT and cyber-security. To meet them, MIPs will need to review and, where appropriate, make changes to their internal governance and processes. There may also be consequential financial implications, as an appropriate budget will need to be allocated to fulfil digital operational resilience needs.
The MIP's management body will be required to focus more closely on ICT and ICT risk. It will have overall responsibility for managing ICT risk (including, in some cases, implementing an enhanced ICT risk management framework) and for setting clear roles and responsibilities for all ICT-related functions. A number of additional matters will also fall within the management body's review and will need to be built into its processes, such as the review of ICT audits (and related audit plans), the ICT business continuity and disaster recovery plans, and the procedures for determining the MIP's risk tolerance for ICT risks. Some MIPs may already have implemented some or all of these management functions or processes; for others, enhanced measures may be required.
Furthermore, MIPs will need to ensure that they can comply with any additional requirements regarding response and recovery, as well as the detailed requirements in respect of the monitoring, testing and assessment of their ICT systems. There will also be a requirement to detect anomalous activities (including by monitoring user activity) and to have appropriate arrangements and mechanisms in place to ensure the continuity of critical functions. A number of these measures will likely be familiar to MIPs from their general business continuity obligations, but they will need to review their current processes to ensure that they will continue to comply.
2. Service arrangements
MIPs also tend to make extensive use of third-party ICT service providers. As a result, MIPs will need to ensure that certain obligations under the DOR Regulation are reflected in their contractual arrangements with their own service providers. This may require the review, amendment and/or renegotiation of the relevant contracts.
For example, MIPs making use of non-EU critical ICT service providers may need to consider terminating such arrangements and finding alternative EU providers in light of the proposed prohibition on the use of non-EU critical ICT service providers.
In relation to ICT service arrangements, although many of the proposed obligations under the DOR Regulation reflect the current outsourcing obligations in relevant legislation, there are additional specific ICT and cyber-security related risk management requirements, focussing, for example, on ICT concentration risk.
MIPs might also need to check their ICT risk-management governance structures: for example, there is a requirement for MIPs to allocate a specific senior-management role to monitor arrangements with ICT third-party service providers.
In terms of monitoring compliance, a new annual reporting obligation to the relevant competent authorities on ICT service arrangements will also apply.
3. How we can help
If you would like further information or assistance in understanding the proposals and their potential impact, please speak to your usual Travers Smith contact or any of the partners or senior counsel below.