At BIQH, we advise our clients to audit their suppliers
The Digital Operational Resilience Act (DORA) recently became applicable, introducing a new risk management framework for financial entities to comply with. Amid the increasing number of regulations, many organizations express concerns about their readiness for DORA compliance. It’s a substantial, high-pressure project, but the good news is: you don’t have to navigate it alone.
DORA’s supplier requirements
An essential requirement of DORA is identifying critical suppliers and designating them as providers of ‘critical or important functions’. Market data platforms are often at the heart of financial operations. They deliver the historical and analytical data necessary for informed decision-making, compliance reporting, and effective risk management. Without dependable market data, financial institutions risk operational disruptions, inaccurate valuations, and non-compliance with regulatory standards.
Recognizing these platforms as providers of critical or important functions means ensuring their providers adhere to stringent standards for security, availability, and continuity. This blog encourages financial institutions to classify market data platforms and similar services as critical, conduct regular audits, and implement strong security measures. Compliance is not solely the responsibility of financial institutions. Suppliers must also be DORA-ready and can play an active role in supporting your compliance efforts.
Key areas to assess when auditing suppliers
When conducting audits, it is important to focus on areas where suppliers should provide clear answers and evidence of compliance. Below are some critical considerations derived from the Regulatory Technical Standards (RTS):
- ICT security policies, procedures, protocols, and tools
Suppliers should demonstrate how they manage vulnerabilities, ICT operations, and the security of data in transit. We always encourage our clients to review these policies, protocols, and tools to ensure alignment with DORA standards. Certifications such as ISO 27001 and SOC 2 can serve as valuable indicators due to their overlap with DORA requirements.
- Human resources policies and access control
We advise financial institutions to assess whether a supplier’s HR policies prioritize safety and security. This includes evaluating identity management, user access rights, and the timely revocation of access when roles change. Well-established processes in these areas help ensure both organizational and personnel security.
- Incident response and anomaly management
It is critical to evaluate how suppliers detect and manage anomalies. We recommend asking for evidence of documented incident response processes and reviewing their plans to handle data loss. Understanding their approach to preventing recurrence is equally essential.
- Business continuity and disaster recovery
Maintaining operations during disruptions is essential. We encourage financial institutions to request evidence of a supplier’s recovery capabilities, including acceptable downtime, recovery timelines, and allocated resources for disaster recovery. To validate these claims, we always advise conducting stress tests and penetration tests. This proactive approach ensures transparency and reliability, strengthening overall operational resilience.
Practical steps to ensure compliance
We encourage financial institutions to take a proactive role in verifying their suppliers’ compliance with DORA. Below are examples of practical steps that can help you stay in control:
- Understand the supplier’s ICT security setup
Begin by requesting detailed insights into the supplier’s ICT policies, tools, and protocols. Ensure they are equipped to handle vulnerabilities and maintain robust operational security.
- Assess supplier recovery capabilities
Investigate whether suppliers have a clear and proven disaster recovery plan. This includes understanding their recovery times, resource availability, and measures to reduce downtime during an incident.
- Conduct stress and penetration tests
Practical testing is key to verifying that suppliers’ security and continuity plans work in practice. Stress tests simulate high-pressure scenarios, while penetration tests uncover potential vulnerabilities in their systems.
- Collaborate on compliance improvement
Compliance is not a one-time effort but an ongoing process that requires continuous attention and adaptation. We encourage financial institutions to collaborate closely with their suppliers to strengthen operational resilience and ensure alignment with DORA requirements. Joint efforts, like conducting regular audits, can help both parties stay ahead of regulatory changes and emerging risks.
BIQH as a Market Data Platform supplier
At BIQH, we have structured our processes, services, and contracts to fully align with DORA requirements. This ensures that financial institutions using our solutions can maintain compliance and operational resilience.
We prioritize:
- Regulatory alignment: Our contracts and practices meet the standards outlined by DORA, ensuring clarity and compliance in all interactions.
- Operational continuity: We adhere to robust business continuity measures, mirroring the requirements financial institutions must meet within their own operations. BIQH is ISO 27001 and SOC 2 type I certified, demonstrating our commitment to maintaining the highest standards of information security and operational resilience.
- Market data control: Understanding the critical role of market data platforms, we ensure that our BIQH Market Data Platform is secure, reliable, and ready to support your compliance needs.
Conclusion
DORA compliance emphasizes the importance of financial institutions holding their critical suppliers to high standards. By identifying suppliers that provide important functions, conducting regular audits, and verifying security and recovery practices, institutions can ensure that these suppliers meet regulatory requirements.
At BIQH, we recognize the importance of these relationships and are committed to supporting financial institutions in managing and auditing their market data suppliers effectively. Together, we can create a compliant and resilient foundation for the future.
Want to know more about how BIQH works?