DORA Compliance Strategies for Mid-Tier Banks by Asset Category

Mid-sized banks face a unique challenge in how to improve their Information and Communication Technology (ICT) risk management programs to meet the Digital Operational Resilience Act (DORA) requirements for resiliency against evolving digital threats.


These banks will need to make large investments in the people and IT infrastructure required to implement DORA, and in detailed technical plans to identify, measure, and mitigate ICT risks. This spans everything related to cybersecurity, including robust incident response plans and 24/7 monitoring.

Traditionally, mid-sized banks across a range of asset sizes have struggled to adapt to regulatory change. Larger banks have more resources; mid-sized banks have smaller budgets and teams that keep them from fully complying with many regulations.

The technical detail of these standards adds a further layer of complexity. In many cases the regulations are unclear and difficult to read and implement, and confusion follows.

In this blog, we’ll look at the distinct issues across asset classes and outline how mid-market banks can tactically optimize their ICT risk management programs to meet regulatory requirements and build resilience to attack in an ever-changing digital age.

Asset Class: $10–$50 billion

Regulatory Adherence Requirements:

  • ICT Risk Management: Create a governance process with clearly defined ICT risk oversight roles and functions.
  • Risk Thresholds: DORA issues general guidelines, but gives smaller institutions no precise recommendations on the exact risk levels and criteria that must be applied to ICT risk.
  • Banks’ Incident Reporting: Banks must notify the authorities of large ICT incidents in specific time periods (e.g., 72 hours in EU regulations).

Key Limitations:

  • Resource Shortages: Smaller banks lack dedicated ICT resilience teams, so they take longer to respond and remediate. They also usually lack strong monitoring and cannot meet incident detection and notification timelines.
  • Uncertainty About Testing Requirements: DORA calls for resilience testing but hasn’t articulated the minimum acceptable conditions for mid-sized banks, leaving room for interpretation that could result in audit failures.
  • Regulatory Ambiguities: DORA’s ICT governance guidance for small institutions does not define the right balance of manual versus automated processes, which leads to inconsistent compliance methodologies. Incident reporting best practices (form, content, level of detail) are also not fully worked out at a technical level, which makes regulatory testing difficult.

Asset Class: $50–$150 billion

Regulatory Adherence Requirements:

  • Third-Party Risk Control: Banks need to control risks from important third-party providers. DORA emphasizes third-party risk monitoring, but it provides no common evaluation methods for vendors.
  • Operational Resilience Testing: DORA requires annual resilience testing of ICT infrastructures to prevent disruption. Hybrid ICT environments (legacy + cloud) make testing more difficult, since DORA gives no guidance on how to bring legacy systems into the new frameworks.

Key Limitations:

  • Oversight of Vendor Risk: Mid-sized banks depend on third-party service providers, but DORA lacks explicit accountability requirements for failures in such relationships.
  • Resource Availability: Mid-tier banks don’t have the economies of scale to shop for DORA-compliant services from vendors.
  • Regulatory Ambiguities: DORA’s requirements for ICT resilience scenario testing are general and contain no detailed scenarios for mid-sized banks’ operational risk, so their testing frameworks are not aligned. The act does not explicitly define what constitutes “critical” third-party services, so banks risk under-preparing for compliance reviews.

Asset Class: $150–$250 billion

Regulatory Adherence Requirements:

  • Data Sharing: Financial organizations will need to participate in shared resilience measures such as sharing information about cyber threats and events. Smaller banks are left out of the mature information-sharing systems run by large banks, which is a zero-sum game.
  • Disaster Recovery: DORA sets pre-defined disaster recovery objectives (RPO/RTO). Legacy systems are difficult to align with today’s RPO/RTO targets because of technical debt and inflexible regulatory benchmarks on banks.

Key Limitations:

  • Higher Scrutiny: Banks in this asset class are subject to more regulatory scrutiny than smaller banks, but without the resources of the largest banks.
  • Complex ICT Infrastructure: Resilience in multi-cloud and hybrid environments is a major challenge because DORA doesn’t specify integration frameworks.
  • Regulatory Ambiguities: DORA’s definition of “significant operational impact” is fuzzy, which leads to incidents being under- or over-reported during regulatory exams. Minimum compliance requirements for cybersecurity resilience standards (e.g., sophisticated threat management, machine learning analytics) are too general to apply consistently.

Regulatory Uncertainty and Cross-Asset Challenges:

  1. Incident Reporting:
  • Ambiguity: DORA sets deadlines but gives no detail about the level of detail an incident report should contain. Banks can fail compliance tests if their incident reports are incomplete.
  2. ICT Risk Assessment:
  • Ambiguity: The act establishes a risk management process in principle but leaves blanks for the minimum acceptable risk levels. Banks can build systems that don’t meet regulatory standards in examinations.
  3. Testing Frameworks:
  • Ambiguity: Annual resilience testing is required, but nobody clearly specifies which tests are allowed (i.e., penetration testing vs. red team exercises). Banks run the risk of failing compliance exams because of misread testing requirements.
  4. Third-Party Management:
  • Ambiguity: DORA sets no standard for what counts as a “critical” vendor. Banks may focus on the wrong vendors and miss real risks.
  5. Cybersecurity Standards:
  • Ambiguity: DORA will require strong security, but does not map to certain international requirements (e.g., ISO 27001) for smaller banks. This can leave gaps where cybersecurity controls are not adequately implemented.

Recommendations for Addressing Limitations

  1. Collaborate with Regulators:
  • Engage proactively with regulators to clear up confusion about compliance metrics, testing requirements, and reporting.
  2. Leverage Industry Standards:
  • Build ICT infrastructures on existing, widely understood frameworks such as NIST CSF, ISO 27001 and COBIT to plug the holes in DORA’s recommendations.
  3. Invest in Automation:
  • Use AI-powered incident detection, third-party risk management and reporting to streamline compliance and reduce resource consumption.
  4. Strengthen Vendor Relationships:
  • Add explicit resilience criteria to vendor SLAs and audit them regularly to ensure compliance with DORA requirements.
  5. Scenario-Based Testing:
  • Design and run specific test scenarios based on bank size, processes and systemic impact.

Final Thoughts

The Digital Operational Resilience Act (DORA) offers mid-tier banks greater business stability and a way to mitigate cyber risk and disruption. But gaps and vagueness in the act can become compliance headaches.

One of the best ways for mid-tier banks to overcome these challenges is to be proactive with regulators: engaging them, understanding what they expect, and executing accordingly. Standards and best practices will be a legal requirement and will drive efficiency.

Operational risk is better managed with preparation. Modern technology investments such as cybersecurity and data backups aren’t just a suggestion; they are a necessity. Smart integration will automate processes, mitigate impact, and enable compliance, giving your bank a rock-solid operational foundation.

By engaging with regulators, executing on international best practices, and taking the lead in technology, mid-size banks will not only improve their chances of DORA compliance but also set themselves apart from competitors in a rapidly changing financial landscape. It’s this future-forward thinking that can make your bank strong and competitive.