Go for the low-hanging fruit: DORA readiness for pension funds

 But the idea of operational resiliency is pretty global. If you think about our clients in Australia, the CPS 230 is fairly onerous for them, in the UK, obviously DORA’s not necessarily applicable directly to our UK funds, but the pensions regulator in the UK is pushing trustees towards being more robust in their understanding of cyber risks that their scheme is potentially subject to. There’s obviously been some fairly public breaches recently.

So I think DORA is one example, but operational resiliency is certainly something we're seeing, and cyber risk more generally is something that trustees are increasingly having to become more comfortable with managing. We've had conversations with some of our larger clients and we've got specific DORA working groups that are actively looking at this.

But then at the other end of the spectrum, there are funds that are just at the start of their DORA journeys and might be looking for insights from us on what immediate steps they could or should be taking. What the biggest problem that they should be thinking about as it relates to DORA? Maybe that's a question for you, Shreeji, that you might be able to help them consider.

Whether it's firstly more broadly on cyber risk, what trustees should be thinking about, but then specifically as it relates to the DORA regulation. So maybe we think about cyber risks firstly, then.

Shreeji Doshi

Yes, the goal of DORA is to bring in operational resilience.

So the trustees that have been looking at cyber risk more broadly for some time may inherently be in compliance with DORA already. It’s a very interesting point that you make, as in my limited experience – and it's completely personal opinion and hypothesis – it’s my understanding that the funds industry, especially the trustees, would need to do a lot of catching up on cyber risk, there being a lot of incidents lately in the industry.

But you are working more closely with them. Your thoughts on that?

Andy Clark

I think the challenge for the pension funds that we see globally is that the administration of the pension fund, the teams that we normally speak to, they’re quite small groups of people that have to wear quite a number of hats in their daily jobs. So when they see another regulation coming over the horizon and they're having to deal with it, it depends how they want to prioritise it.

The thing about DORA is it’s actually a real live issue with pension funds we know of that have had cyber attacks in recent times. So it's a balance between, “do I need to do something about this, or can I put it on the back burner?” And I think this is a topic that you can't really just kick down the road. You're going to have to think about it and do something about – even though pension funds teams tend to be small, and they don't have large teams and plenty of time to think on these topics.

Steve Merry

So with that in mind, if I was one of our pension fund clients, as you said Andy, with a fairly streamlined team, and I haven’t had the resources to put against DORA yet, what could I be doing right now?

We’ve got January 2025 is when this comes in, and we think about the different requirements of DORA, whether it's resiliency testing or whatever it might be, or the governance framework that they need to review, is there any low-hanging fruit that should be their first step, do you think, to actually getting DORA ready ahead of January?

Shreeji Doshi

The low-hanging fruit can be determined through a process – what any new regulation compliance journey would look like, which would be determined with a gap assessment. That’s the first step. So if the fund has not yet done that, it’s highly recommended.

And in my experience I could say that there could be some existing gaps already because there are a few requirements which are, in my view, not very well pushed by regulations for the funds industry. For example, threat-led penetration testing is something that was pushed actively within the banking industry in Europe and in my view, because of that, banking is already compliant with that requirement.

But funds have not had a regulator pushing for those exercises, so need to plan for it if they have not actively done it as part of their proactive risk monitoring. That could be one thing that every fund should look into it. You mentioned the incidents in the pension fund sector. You know, with DORA coming in, they're being very prescriptive about how you classify an incident.

What are the criteria for calling it a critical incident or a high incident? And then there are notification timelines that are not yet drafted, but will come. But funds would need to meet those.

And we kind of touched upon it; the understanding of cyber risk at a trustee level, and DORA is quite prescriptive about what the management body would need to do, as in it’s pushing them to be accountable for cyber risk. So those are three things at a high level, which I think most funds would need to look into.

 Andy Clark

One of the things I picked up on, looking at some of the publications that have come out, is that one of the drivers for DORA is this phrase “the interconnectedness” across the financial entities. At Thomas Murray we look at the whole post-trade space, so from a pension fund investing with a global custodian, sub-custodian, right down to market level, and all of these entities are connected by SWIFT and other similar tools.

And I think what DORA is the driver for is to say, yeah, the global custodian might have very strong cyber protection, but the entities that connect into that global custodian i.e. the pension funds, their protection may not be as far advanced. So I think that is an interesting idea, that the pension fund must realise it is connected to this whole process, and it needs to make sure it’s as secure as all the other entities that it interacts with.

Shreeji Doshi

Yeah, indeed, indeed. To a certain extent this interconnected nature of DORA can also be correlated with the requirements they have on ICT third parties, because they use the same ICT third parties across this value chain of post-trade lifecycle and DORA pushes very significantly on the ICT third-party risk management and pushing them with standard contractual clauses.

There's an initiative of categorising critical ICT third parties, which will have an independent overseer or oversight framework by the CISO. So indeed, the interconnected nature of the world that we live in is something that DORA is looking to manage the risk of.

Andy Clark

Yeah, I mean, one of the countries where we have clients is the Netherlands, and for some years now where the pension funds interact with any third party there's quite a lot of oversight of all those third parties they use. So we see the Netherlands as being quite advanced in that respect. I think other markets have got a bit of catching up to do on this, that you have to make sure that the parties that you interact with have robust controls in place as well.

Steve alluded to each market having slightly different regulatory requirements.

Shreeji Doshi

The regulatory requirements would be the same, but I think where compliance would vary is on the market side. One thing we've covered in the other podcast episode on ICT third-party risk management is DORA is being so prescriptive.

It is giving you the clauses that need to go into an ICT third-party provider contract, which from a regulation point of view I've never seen, which is kind of great because there is no grey area. They're saying these are the mandatory clauses that you need to have. So all these organisations would need to redo their standard contracts with ICT third parties and the good thing is that ICT third parties also see it, they know it's coming.

So in my view, there would be limited resistance. Most organisations would need to make those changes on their procurement process.

Steve Merry

Shreeji, we talked a little bit about how some of the funds are further along their DORA journey than others. What about, I guess, the size and scale of some of the organisations and the principle of proportionality?

Have you seen or heard anything on proportionality that would be worth sharing?

Shreeji Doshi

Interestingly, Pensioenfederatie has made a comment on proportionality, that it is not adequately considered in the DORA regulation. I have a slightly different take. I believe they have considered proportionality, to an extent. For example, the pension schemes that do not have more than 15 members are excluded from the scope of DORA regulation.

Additionally, the regulation allows for proportionality to be considered based on risk profile, but this would have to be the financial entity’s own assessment, and with substantial evidence that the risk profile is low. So they have covered it in a way, at least in my personal opinion.

Steve Merry

I think it probably comes back to Andy's point at the start about thinly resourced pension funds and I’m sure them being held to the same standards as a larger organisation, that wouldn't sit well with any organisation. So yeah, I think we probably might see more on that one.

We spoke earlier on about the low-hanging fruit, Shreeji, and if there's some of our clients who haven't necessarily got that far along with their DORA journey that the threat-led and penetration testing might be relatively low-hanging fruit for them to take as a first step.

But what about the funds that are more developed? You know, they've got their own DORA teams, just from our perspective, what, if anything, might we do as an independent organisation? What about you? What do we add? We are aware that we've created a questionnaire where clients can go and perform a self-assessment to see where they are with regards to DORA. We've done that and that's available free.

But for some clients who are well developed that might not be a requirement. And what, if anything, might we be able to offer those clients who are actually quite far along that DORA journey?

Shreeji Doshi

I think that's a great question. It's a low-hanging fruit because it gives proactive risk management. Penetration testing could be a very good exercise to undertake because it not only aids compliance, but it also proactively helps organisations reduce risk.

So, you know, there is a huge gain to have both from a compliance and a proactive risk management point of view. The entire chapter of digital operational resilience testing pushes organisations to perform technical testing, identify vulnerabilities, and fix them. So, even if it's not from a compliance point of view, it will definitely help reduce the cyber risks that the funds would have.

On the other part of the question, as to if the fund is significantly mature in the DORA compliance journey, our tool can still be useful. It could be a way to sense check how they are progressing – as in, typically, when you get into the weeds, you have to stop and check whether you're on the right path.

Most organisations could use it in two ways. One is to actually know where to start off from. But if someone is already off and running towards DORA compliance, they could just take a pause and get a sense check of whether they're heading in the right direction.

We can additionally give an independent view for trustees if their team believes they are in a great position, we can come in and independently provide a view on that. So there are various ways for our clients to leverage what we have to achieve their DORA compliance.