In today’s unpredictable environment, shaped by global events, cyber threats, and regulatory shifts, resilience is a top priority for legislators and regulators around the world.
This series supports organisations in designing, reviewing, and refining their Resilience Frameworks through expert insights and actionable guidance.
- Regulatory expectations and supervisory priorities
- Core components of a resilience framework
- Workforce culture and accountability
- Incident response and recovery playbooks
Each video delivers actionable insights to help you strengthen your organisation’s ability to withstand disruption, adapt effectively, and recover swiftly.
To complement the series, we’ve also developed a resilience playbook, which is a hands-on resource to support your journey toward greater operational resilience.
How to respond to an ICT-related incident
In this episode of our Resilience Video Series, “How to respond to an ICT-related incident,” Denise Murray, Head of Financial Services Compliance and Regulatory Relations, is joined by Ian Duffy, Partner in our Technology and Innovation Group. They share practical insights on identifying and managing ICT incidents, from phishing attacks and supply chain compromises to large-scale cyber breaches. The discussion covers activating response plans, engaging stakeholders, and meeting relevant regulatory obligations including under DORA and GDPR. They also highlight why documenting decisions during fast-moving disruptions and conducting lessons-learned reviews are essential for an effective and compliant response to incidents.
Video Transcription
Denise Murray
Hello everyone, and welcome back to the Arthur Cox Resilience Video Series. My name is Denise Murray. I’m the Head of Financial Services, Compliance, and Regulatory Relations here at Arthur Cox. In our last video, we explored how you can document and map the interconnectedness and interdependencies that underpin your critical services. Today, we’re going to go a little bit further and we’re going to explore what happens when things go wrong. The shift to digital service delivery has fundamentally changed how firms build and manage their resilience frameworks, but it’s also changed the nature of the dependencies that firms face. In this session, I’m joined by my colleague, Ian Duffy, partner in our Technology and Innovation Group, and together we’re going to walk through how a firm might identify, respond to, and learn from an ICT-related incident. So, Ian, to get us started, could you walk us through some of the most common ways that firms typically identify or become aware of an ICT incident?
Ian Duffy
Yeah, thanks, Denise. Yeah, sure. Look, there are multiple different ways in which clients can identify incidents or become aware of them. And how that happens will, to a certain extent, depend on the nature of the incident. And to be honest, the structure of the client to a certain extent as well. For example, some incidents may originate as a result of a compromise in your supply chain. In that type of scenario, it’s pretty common for clients to become aware of it because they get notified by the relevant service provider. Conversely, it may be that an incident arises as a result of some human error. You could have a staff member clicking on a phishing email, for example. In that type of scenario, you may become aware of it because it’s self-reported. The relevant staff member will let you know, or it may be through your own monitoring of your systems, you actually see that that type of incident occurred. Another scenario, and perhaps the most dreaded of them all is a cyber-attack. That’s where a hacker effectively unlawfully accesses your ICT systems. They encrypt your data, and they issue a ransom demand for the decryption key.
It’s common in those types of scenarios for clients really only to become aware of the incident once they actually receive the ransom demand from the hacker. There’s a few different scenarios in terms of how an incident can occur, how a client can become aware of it, and the type of incident that can actually affect clients as well. There is a fair bit of variety there in terms of the nature of the incident. I guess in that vein, it’s also worth mentioning under legislation like DORA, the concept of an ICT-related incident is actually defined pretty broadly. Under DORA, it’s any incident that compromises the security of ICT systems and adversely impacts the integrity, the confidentiality, the security of services or data. From a client’s perspective, it’s important to ensure that your staff do actually have an understanding as to what actually constitutes an ICT-related incident, because doing so will help them not only from the perspective of being able to effectively identify these incidents and to mitigate their impact and effectively respond, but also in terms of actually being able to prevent certain types of incidents actually occurring in the first place.
Denise Murray
So knowing how the incident might come to light when we have had an incident, it’s been identified, what should we be thinking about or what should firms be thinking about in those first few moments, especially in terms of activating their response plans and engaging with the right people because we know it’s not just about assessing the damage.
Ian Duffy
Yeah, absolutely. Look, when a large-scale ICT incident does happen, I think in the first instance, it’s very much the case that clients should actually see at that point in time the value of the time and effort that they’ve invested into developing their structures, their controls around operational resilience, the ability to effectively respond to incidents, and really that effective response to a large-scale disruptive event is to a large degree focused on the effective deployment of a number of key policies and procedures. That’ll be things like your incident response plan, your crisis communication plan, your business continuity plan. Once you’ve actually deployed those different policies and procedures, it’s really important that key staff members understand what their role is in respect to them. Because to be candid, it’s not really enough just to write certain roles into a policy and assume that people will know what to do when the big incident does actually occur in practice. Really, what you want to do is ensure that those policies and procedures are battle-tested. That can be through things like tabletop exercises, other types of review and training, so that when the big ICT incident does actually happen, people understand this is what’s expected of me, this is my role, this is how as an organisation, we’re going to effectively respond and deal with this incident.
Another significant consideration when it comes to responding to ICT-related incidents is obviously regulatory reporting. From a DORA perspective, this will be focused on trying to establish really whether the incident satisfies the criteria and the thresholds to constitute a major ICT-related incident under DORA, which is reportable to the Central Bank. In simple terms, an ICT-related incident will be a major incident under DORA where it affects your critical services and it constitutes a successful malicious attack on your ICT systems that creates a risk of data loss, or it satisfies two of the other materiality thresholds prescribed by DORA. They relate to things like the number of clients affected, the number of transactions affected, duration of the incident, geographic spread, publicity, etc. If those materiality thresholds are satisfied, you will have to report the incident to the Central Bank on a staggered basis. The first phase of that will be an initial report, which needs to be made within 24 hours or within 4 hours of the incident actually being identified or within 4 hours of it being classified as major, if that doesn’t happen within the first 24 hours. After that, you’ll then have to submit an intermediate report.
The idea there is to provide a bit more information in relation to the incident to the Central Bank, and that has to happen within 72 hours of the initial report. Then thirdly, there’s a final report. That has to issue within one month of the incident, and that will include more substantive detail on the incident. It will be things like information on the cause analysis that’s being conducted, details of the costs associated with the incident, ultimately how the incident was resolved as well. In addition to those DORA regulatory reporting considerations, it’ll also be necessary to think about, well, do we actually need to report this incident under any other regimes? An obvious question to ask there is, is this incident a personal data breach that needs to be reported to the DPC pursuant to the GDPR? One helpful other point just to note when it comes to incident reporting is that if you are dealing with an ICT-related incident that affects payment-related data or payment-related services of, for example, a bank or any money institution, and you determine that it’s a major ICT-related incident that needs to be reported under DORA, hopefully that incident doesn’t also need to be reported under PSD2.
That’s good because there aren’t duplicative reporting obligations in that scenario.
Denise Murray
Lots of reporting, regulatory reporting, lots of consideration of the regulations, but there’s other practicalities as well, right. So maybe could you talk to us briefly about what they might look like?
Ian Duffy
Yeah, look, that’s absolutely the case, Denise. Look, after you’ve deployed the policies and procedures like we discussed, and you’ve thought about those regulatory considerations. There are multiple other practical steps that you need to think about when you’re dealing with a large-scale ICT-related incident. So for example, you’ll need to centralise your facts and then come up with a single version of the truth. You can use those facts and that information to then notify the board in relation to the incident and provide them with regular updates in relation to it as well. Also really key to reach out to your key external service providers at an early stage. So think about your provider of cyber insurance, also IT forensics, external counsel. In addition, if the incident occurred or originated in your supply chain, as a result of an act or something affecting one of your key ICT service providers, it’s really important to establish a clear line of communication with them at the earliest stage possible. So you get the information you need from them, you get relevant updates and regular updates, so as to help you effectively respond to the incident. Look, I think it’s probably implicit in all of what I’ve said there that really a key aspect of that effective response in taking those practical steps is ensuring that there are those clear lines of communication, both internally amongst key relevant staff and then upwards towards management and the board, but also outside the organisation to those key service providers.
Having that effective and clear line of communication to relevant parties will help in terms of your effective response, dealing with relevant regulatory reporting requirements and other relevant regulatory considerations.
Denise Murray
So we’ve had our incident. It’s clear that things are moving fast. We’re communicating and reporting really well. There’s a surge of activity. So teams are mobilised, systems are being assessed, there’s a response team put in place. I think probably, though, helpful just to reflect that it’s not just about that reactive response when we’re in that environment. I think what comes to mind for me in particular, Ian, is that you have to capture what you’re doing as you’re moving along. So that requirement to document what happened before, during, and after your disruption is just as important as those communication channels. It’s important maybe to spotlight that for a moment and maybe just pause on this particular point because it can be really, really difficult after the event to go back and document and remember what you knew at points in time that informed your decisions, that drove you through the process in what typically is quite a fast-moving, pacey environment. But nonetheless, the expectation is there that you will document and that you will have a good record, not just of your communications, but of how you managed during the process day to day.
And look, we always hope for a quick fix for issues, but unfortunately, that’s not often the reality. From experience, the scale of the effort that goes into managing the aftermath can be a little bit underestimated, whether that’s restoring the service or addressing the vulnerabilities and improving and enhancing arrangements and adopting or adapting to a new norm. What often sets firms apart, and you’ve mentioned this already, is that communication through the process, transparency being key, making sure stakeholders are managed and informed within the business through the board, because it’s not just about technical recovery. From my experience, it’s really about information, reassurance, and engagement with your key stakeholders. You’ve mentioned that, Ian, and that might be your board, it could be your regulators, external parties, but they need to know that you’re in control and that you’re aware of their concerns, that they’re being addressed, and particularly, I think, in financial services context. But interestingly, I think one of the really good examples we have recently is Marks & Spencer. The CEO, in that instance, used social media, which, let’s be frank, is probably their effective communication channel in good times, but they used that to keep their stakeholders up to date during their disruption.
Maybe a really good example to reflect on in terms of proactive engagement and evidencing that leadership to build trust and retain confidence.
Ian Duffy
Yeah, no, absolutely. Look, when you do get to the end of an incident and you’re getting back towards BAU and the incident is resolved. Obviously, there’s going to be a sigh of relief from all involved because these things are pretty intense. But to pick up on a thread you mentioned there, Denise, that’s not really the end of the road from a regulatory compliance perspective. There are multiple things that the affected firm needs to think about to ensure that they do see the journey through from a regulatory compliance perspective. One of those will be that final report to the CBI that we talked about in relation to the incident from a DORA perspective. So providing that information around the root cause analysis, providing information on how the incident was resolved, etc. There’s also requirements we need to be alive to under the CBI Operational Resilience Guidance as well. There is that expectation once you get to the end of the incident and it’s resolved and you’re looking back that you carry out a lessons learned session to figure out effectively what happened and how can we perhaps adapt in ways that help us to ensure that this doesn’t happen again, or if it does happen again, that we can respond more effectively.
As part of that, you should develop a set of predetermined questions that you ask yourself in that type of scenario. That will be things like, how did this incident actually occur? What vulnerabilities did it expose? How did it impact our critical services? How quickly and effectively did we respond and recover from this incident? Once you’ve done those final few steps, I guess the final thing you want to think about is any remedial actions you’re going to take off the back of that, right? Any remedial actions you are due to take, ultimately, you’ll want to make sure that they’re logged and that they’re monitored by senior management and the board so that there is that continuous improvement of your operational resilience profile. I guess if the incident did originate in your supply chain, which is a concept we’ve touched on a couple of times, you may need to think about, well, look, do we need to revisit our contract with the service provider? Do we need additional protections, controls, processes to try and help ensure that this doesn’t happen again through our supply chain, or that if it does, we’re better able and better prepared to respond to it?
Of course, look, when you get to the end of an incident, you also have to think about, well, how effective were all of our policies and procedures that we used in response to them? We have them on the shelf, they’re written down, they look great, but now they’ve actually been used in the real world and properly road-tested and were they effective or do they need to be adjusted and slightly adapted? So if something like this does happen again in the future, we have an even more effective process that we can roll out to help us respond to it.
Denise Murray
And that neatly takes us back to the starting line with policies and procedures that have been battle-tested and that are ready to be deployed the next time an incident occurs. And with that, we’ve come to the end of this video series today. And we’ve really explored what you do when you identify an incident, how you respond, and most importantly, how you learn from it. Our Resilience Playbook can provide you with some more information and it’s a useful resource as you are exploring your resilience frameworks and your resilience response. If you have any questions, please do reach out to us, to your usual Arthur Cox contact. Alternatively, you can send us an email at [email protected], or you can find more information on our website at arthurcox.com/resilience. Thank you very much, and see you next time.
Operational Resilience
In our latest resilience episode, Ian Duffy, Partner in our Technology and Innovation Group, is joined by Denise Murray, Head of Financial Services, Compliance and Regulatory Relations, to explore how third‑party and intragroup arrangements are shaping operational resilience for regulated firms. With outsourcing deeply embedded across the financial services ecosystem, the conversation looks at:
- Why third‑party and sub‑outsourcing arrangements can significantly impact a firm’s resilience profile
- How regulators are increasing their focus on critical and important services under frameworks such as DORA and CBI guidance
- The importance of robust risk assessments, due diligence and ongoing oversight
- What firms should expect from vendors around resilience testing, business continuity and incident response
- Why contracts, governance and clear communication are critical when disruptions occur
- The discussion also considers concentration risk, chain outsourcing, and the often‑overlooked challenges of intragroup service arrangements, including autonomy, conflicts of interest and exit planning.
Video Transcription
Ian Duffy
Hello everyone and welcome back to our resilience series for regulated firms. My name is Ian Duffy and I’m a partner in the Technology and Innovation Group at Arthur Cox, and in today’s video we’ll talk about how third-party service providers in your supply chain can potentially have a significant impact on the resilience profile of regulated firms, and as part of this we’ll look to talk about how you can identify, manage, and mitigate some of that resilience risk in a way that aligns with regulatory expectations, and that’s consistent with good industry practice. And I’m delighted to be joined by my colleague, Denise Murray, who is our Head of Financial Services, Compliance and Regulatory Relations, to discuss this topic and to share some insights with all of you today. So welcome Denise, and thank you very much for joining me. Denise, I might start off with a reasonably broad question, and perhaps you can give us a sense of why it is that third-party service providers can potentially have quite a significant impact on regulated firms’ resilience profile.
Denise Murray
We might need to take a step back in before we crack that question directly. The financial services industry is really a highly globalised, interconnected ecosystem, and it’s an ecosystem in which outsourcing is already highly embedded, but that brings a vulnerability, the vulnerability that a disruption can have an impact that can very quickly ripple across borders, across providers, and across markets. That level of outsourcing that we see is evident in firms that continue to provide certain services internally within their own operations but also, rely on third-party providers or group entities to support the delivery of their regulated services on an ongoing basis. I guess more broadly in the financial services sector, we’re familiar with supervision in the context of outsourcing and third-party relations, because we see regulators engaged at the point of authorisation and on an ongoing basis for supervisory purposes, to understand how services are delivered and particularly how outsourced services are delivered. And in recent times, we’ve seen a really increased focus on resilience and outsourcing as part of the regulatory footprint and because of those more recent changes, we’ve become more familiar with concepts like ‘critical’ and ‘important’, and I’m sure many people listening today will have been involved in some of those criticality assessments under outsourcing or DORA or resilience requirements most recently.
So maybe back to your question, how can that third-party vendor have an impact on your resilience? And it’s really straightforward, whether it’s a critical or non-critical service, if your vendor can’t supply that service and if that service impacts on your delivery, then your resilience is compromised and understanding that is really what’s core to resilient organisations and arrangements, and it’s not only the long-standing outsourcing arrangements that need to be considered, it’s much more broad and it’s important that when you’re looking at those relationships with the vendors that you’re engaging with, that you consider things like the chain outsourcing and maybe any lack of visibility that you might have through the chain. So we’re very comfortable with third parties, but what about the fourth, the fifth, the sixth party that’s involved in delivering the service for you? What happens if something goes wrong there? And very often, through that chain of sub-outsourcing, you may not even be aware of that provider until it’s too late. I think it’s important also to consider things like the potential for reputational damage and negative associations, though, not withstanding the fact that you may have done all that you can in the context of your oversight of your outsourcing arrangement.
Nevertheless, if there’s a disruption and there’s an outage of service or there’s an impact on your operations, you can erode the trust and confidence of your clients and that can happen quite quickly and have quite long lasting effects and we’ve seen that and discussed that in our other video series. And I think moreover, I think particularly in the context of resilience and developments over the last number of years, we’re becoming more conscious of concentration risk and what that might mean for our financial services providers, so we know that there’s a number of industries that are quite concentrated, particularly around technology and cloud services. It’s not practical for firms to have multiple providers offering those services to their operations but it is important that we think about what happens if there is a significant operational issue with a provider that is in a concentrated area. How do you mitigate for that? How do you prepare for those kind of impacts as they may arise? They’re really important considerations when you’re considering the risk assessment phase of the work that we all have to undertake when we’re thinking about a third-party relationship. And really Ian, I think this goes to the importance of that risk assessment, and the due diligence at the outset, that a regulated firm is looking to complete but also that there’s kind of an enduring and an effective due diligence on an ongoing basis, because realistically, what is of benefit to firms is if we have a no surprise basis in terms of our outsourcing arrangements.
Ian Duffy
Yeah, I think that’s absolutely right Denise. I think, you know, even before you start focusing in on the specific service provider from a diligence perspective, it’s important to take the steps to understand the nature of the services that you’re looking to procure and how that interacts with your operations more generally. I think when you’re talking about the nature of the services that you’re looking to procure, a key factor or a key consideration there is well is the service that you’re looking to procure a critical or important service? And that will be an important factor when it comes to trying to think about what are your regulatory obligations that will be applicable to those services, so will things like DORA be relevant? Will things like the CBI operational resilience guidance be relevant? Will potentially the CBI outsourcing guidance be relevant? And once we understand that, we have a good baseline then to figure out well what are the rules and requirements we need to think about here from a resilience perspective and more broadly, when we’re procuring these types of services and from there, once you’ve done that, you can start to turn your attention a bit more towards the service provider itself and start to think about how you go about diligencing them to get the assurances you need that they can deliver those services in a way that’s operationally efficient and appropriate, and that’s also resilient and secure as well.
And when you think about the specifics of the nature of that diligence you’re trying to conduct, a lot of it really is, just trying to get the assurance around their track record, around their ability to deliver the services. So does the provider have the expertise, the experience, the resources to deliver those services. Also, as I touched on already, you want to ensure that they can give you assurances in relation to their ability to deliver them in a way that’s operationally resilient and that’s secure and that regard, you might want to look for confirmation, for example, that the provider is certified ISO 27001 or perhaps other NIS standards, and to the extent that you can get any assurances around their track record of minimising operational disruption for their clients and their ability to effectively respond to that as well, that will be helpful too. And once you’ve conducted all of that diligence, you’ve got comfortable with the supplier, you also need to make sure you’re comfortable with their service delivery model, and you understand how that’s going to be deployed and how that interacts with other functions that you’ll continue to provide in-house yourself, and with other services that you receive from other providers as well, so that you can start to map how those services will work and for example, you can figure out some of the interdependencies between those services and functions you retain in-house or services you receive from other providers. And of course, you know, all of that stuff that I’ve just discussed there Denise, ultimately has to be translated into a formalised regulatory and compliance framework. So could you give us a sense of some of the key aspects that we need to think about in this context?
Denise Murray
Absolutely, and I think with that regulatory compliance lens, there’s maybe three main considerations that are front of mind for me. So first is the risk management framework, the second being your vendor’s resilience and business recovery arrangements and the third piece really being the agreement, the underlying agreement that supports the outsourced activity. So if we take a look at the risk management framework, there’s a couple of aspects there. The first is whether you as the regulated entity, have developed the tools and the assessment capability to evaluate the third party in the context of the regulations that you just described or the guidance that we know is there and the evolving best practices, but also that it relates and that assessment, that it can relate to your business model, so it’s relevant to you, not just to the regulations. And then when we turn to the vendor, your assessment process has to be able to consider the information that the vendor has provided in relation to their resourcing, their risk teams, for example, but also their risk methodologies and their monitoring and measurement criteria. Ideally you want a vendor who has a similar risk outlook to the one that you have, where you can have trust and be confident that they’ll make risk-based decisions and take actions that won’t impact on how you deliver your service. That’s the risk framework considerations.
If we then look at the vendor’s own resilience arrangements and frameworks, there’s some important requirements in the context of the regulations themselves. Really what we want to make sure is that the vendor is undertaking its own resilience testing and exercises. That it has had a recent business recovery testing process in place, that it has documented procedures and processes to support that or certainly you want confirmation that those are in place. And then some practical things, so is there a secondary site in the event that there’s an issue with the primary site where services are delivered from? How is data maintained? Are there backups being taken? And again, is there a regular testing plan for those fundamental, particularly data-driven services? And I think we also need to reflect on the Central Bank’s regulatory expectation that for bigger and more substantive vendors, you should be engaged in their disaster recovery plans, you should be a party to that or be involved in that, and that you certainly have the right to do so in the context of your agreement and where you deem it necessary, particularly for critical services and the delivery of those.
And then, as I said, to that third point around the assessment process, there’s a lot to be gained from the engagement that you have in the first instance with the vendor in negotiating the terms of the relationship that you’re going to have for the ongoing provision of services. So whether there’s opportunities to engage in the context of the reporting that you’re going to receive, the key performance indicators, the notification process and escalation processes. They’re really good indicators because you want that to support your own firm’s responsibilities around RTO and an RPO and impact tolerance objectives and we know that, for some of the more dominant service providers and some of those industries we mentioned already, it can be very difficult to get anything other than the templated contracts and SLAs and in that instance, really, it’s got to be about the firm making a determination as to whether they’re comfortable with the assurance that they’re going to receive in relation to those standard agreements or whether they need to look at alternative providers.
Ian Duffy
Yeah, absolutely Denise and I think that last point feeds nicely into you know something we’ve kind of skirted around a bit but maybe haven’t talked about as much thus far is the contract, right? So once you’ve actually done that piece around the type of diligence you need to carry out, you’ve put in place your oversight and monitoring framework so you’re comfortable that you have what you need there to effectively oversee the vendor, you still need to fundamentally ensure that you have a contract in place that gives you the assurances you need from a regulatory compliance perspective and also, you know, from an operational and commercial perspective too. When it comes to, you know, first steps in that regard, I think one of the really important things that needs to be done there is to actually classify these services, so what are they from a regulatory perspective? Are we talking about critical ICT services under DORA? Are we talking about non-critical ICT service providers or services under DORA? Are perhaps we talking about critical outsource services? Because I think fundamentally understanding that will help us figure out, well what is it that we need to put in our contract for regulatory compliance?
And of course, it’s also possible that none of these are relevant and the classification is that none of the foregoing will apply but fundamentally, figuring that out will give us our baseline in terms of what are the types of provisions we need to include here so we comply with relevant regulatory requirements in this space and of course, as we’ve already touched on, there’s then lots of operational and commercial aspects to the contract that will need to be addressed too. But once you have that contract in place, and like you’ve touched on already Denise, there is that ongoing monitoring and the oversight piece, and that is really, really fundamental and important and like you’ve touched on, having that sort of regular cadence of governance meetings and ensuring that you’re getting the reporting and the information you need from your key service providers will be really important in terms of having visibility, that the services are being delivered as they should be, that they’re stable, that there’s no obvious operational issues and ultimately that feeds into you having assurance as to the resilience profile of the service providers that are important to your business as well, but look, we all know even with the best and most robust contract in place and with having a thorough and effective oversight and monitoring regime that is applied in practice, things still go wrong.
Problems arise. There can be operational disruptions and we need to be aware of that and we need to be prepared for that, as well, because there is an air of inevitability to that. So, I guess in that sort of scenario, when something bad does happen, there is a significant operational disruption. In the first instance, you’ll want your third party service provider to tell you about it, right? And you’ll want to make sure that they’re providing you with the sort of assistance and information that you require and you’d reasonably respect and ultimately, all of that should be baked into your contract. They should have that obligation to notify you and to assist you, but, as you know well Denise, it’s not as simple, you know, as you get your notification and that’s it, and you get a bit of information and you’re all done. There are other factors we need to think about when operational disruption does actually happen, both before and after the event and maybe you could talk to us a bit about that?
Denise Murray
Yeah, you’re absolutely right and communication is core and critical but it doesn’t end there and I think it’s reasonable to expect your third-party vendor, your third-party outsource provider to have medium and long-term plans and they may evolve evolve as the crisis evolves because often you kind of have to respond as the issue develops but they should have those plans in place if possible but, very evolved as the issue continues on, particularly if the resolution of the issue is going to take a little bit longer than expected, or indeed, it’s a more severe event that might require some reformatting or reorganisation of the way the services are being delivered. I think we’ll all expect tactical workarounds when an issue arises and communication around that, clearly important, and that’s okay in the short term but I think as we move on beyond the short term, tactical solutions won’t work on a longer term basis so I think the third parties then, again need to demonstrate that they’re assessing the situation to determine the next best thing to be done, or the next plan and the appropriate steps to be put in place, and that might mean even considering their own subcontracting, so if there’s a fifth or a sixth subcontractor, it may be important to exit some of those relationships and re-establish them.
So again, ensuring that’s a consideration becomes really important in those scenarios, and then I think we really do need to think about the types of resilience events, and that, you know, we should be expecting our third parties to conduct those really detailed “lessons learned” exercises after there has been an event. Often we get to the finish line and think it’s done. There’s a huge amount to be gathered from those exercises post-event and ensuring them that appropriate steps are taken. Maybe new KPIs are put in place or new controls are established, and again, that demonstrates the ongoing due diligence and oversight process as well that when an event has happened, your next due diligence will incorporate some consideration around that, and I think after all, we have to remember that this cycle of outsourcing is an ongoing and evolving process, because not only will the vendors will change and issues arise, but also the entity outsourcing will perhaps change during its lifetime, so t’s important that at onboarding but really particularly on an ongoing basis, that there’s a real kind of considered view given up to the relationship and the requirements of that relationship to ensure that it remains fit for purpose.
Ian Duffy
Yeah. Yeah absolutely Denise. And I think, look, when we talk about third-party service providers, and resilience, I think it would be remiss of us not to talk about intragroup services agreements as well, because the Central Bank has been very clear that, you know, that level of robust oversight and monitoring in relation to third-party service providers and third-party services agreements equally applies in the intragroup context as well. So the same high standards will apply but nonetheless, there are additional considerations that are worth bearing in mind and taking into account when you’re thinking about intragroup services agreements in a resilient in this context. So can you perhaps speak to some of them, please?
Denise Murray
Yeah, absolutely. I’m going to give you four kind of areas that I think of when I think about that kind of intragroup relationship. The first is around local oversight and ownership of an intragroup arrangement, which may sound odd because typically we think of our groups as being one family but in the regulations, I think we need to ensure that where there are established centres of excellence, and we see that particularly around HR, finance, technology sometimes. Those arrangements need to be treated in the same way. We know that from the regulations. So at a fundamental level, there needs to be an agreement, there needs to be an SLA that needs to be documented and there needs to be reporting, so even though it’s within group, there needs to be reporting coming across into the local entity, and that there is some form of formal oversight discharge so again, the ongoing due diligence is performed, and that there isn’t a lesser standard to the point that you’ve just made for an intragroup arrangement. And again, we know the regulations are ever-evolving and there may be some forbearance coming in the context of what those intergroup arrangements look like or what the oversight of them looks like in particular but we’re not there yet so we have to operate within the context of the regulations as they are today. Secondary is around conflict of interest and we know within group structures that we have the local chains of command, but we often have matrix reporting as well for individuals. Our organisations are good at documenting where there could be potential for conflicts and looking to mitigate those but I think it’s important to give consideration to under stressed circumstances, how some of those arrangements may manifest themselves and whether a conflict could actually be heightened in the context of a resilience event where perhaps an individual may be maybe torn in different directions in the context of that matrix reporting so, an area to demonstrate our evolving thinking around our outsourcing arrangements. I think it goes without saying that autonomy is probably the third item that I’d raise because all regulators in each jurisdiction will want to see that their local entities can demonstrate their autonomy in the selection, the appointment, the review, and the oversight of vendors, and in the decision making around that so we can’t ignore that step of selection process evaluation and then appointment of a vendor. And then finally, I guess it’s exit planning, which again can be quite tricky in the context of a group arrangement but nevertheless it’s important that it is considered, it’s documented, and that there is some meaningful evaluation of how or when, there may be a decision taken to exit a group relationship and often, I think we need to think practically because sometimes it’s the bigger arrangements that we think of first but actually it might be smaller arrangements that you may have had with group and have moved since or moved from an external to a group and that might give you just some useful areas to examine in terms of answering that particular question. Just a final point though before leaving that, I said four but I’m going to give five. I think it’s important that we talk about the principle of proportionality, and that it really is not a defence in the context of your third party arrangements and particularly when you’re on an intragroup basis so, the proportionality of you within the local environment or within your group won’t offset that you’ve complied with the obligations more fullsomely.
Ian Duffy
Okay, that’s great. Denise, thank you very much., and thank you to all of our listeners online for listening in today. Separately, we’ve developed a resilience playbook that’s available on our website, that sets out some more information on some of the topics we’ve discussed today, and provides some further practical insights and information in relation to resilience for regulated firms, so please do feel free to check that out on our website, and please also feel free to contact myself, Denise or your usual Arthur Cox contact for more information on any of the topics we’ve discussed today. And thank you again for listening.
Digital Resilience
In this episode of our resilience series, Siobhán McBean, Partner in our Asset Management and Investment Funds Groupand Vivian Spies, Senior Associate in our Technology and Innovation Group, explore the evolving challenges facing regulated firms as they navigate increasing ICT complexity, heightened cyber threats, and rising regulatory expectations.
They share practical, experience‑driven guidance on strengthening resilience, from eliminating legacy systems to improving patching discipline, enhancing employee awareness, and ensuring boards maintain meaningful oversight. They also discuss the Central Bank of Ireland’s expectations around local accountability, including the growing emphasis on CIO and DPO roles.
Video Transcription
Siobhán McBean
Hello everyone and welcome back to our video series exploring some of the more nuanced and complex areas of digital resilience. My name is Siobhán McBean, and I’m a partner in the Asset Management and Investment Funds Group here at Arthur Cox. In today’s video, we will look at what firms, and in particular regulated firms, should consider in assessing their digital resilience. I’m joined by my colleague Vivian Spies, who is a Senior Associate in the Technology and Innovation Group, and she will share some of her insights with us. So turning to you, Vivian, many watching this today will have gone through the experience of implementing DORA in the not too distant past. From your experience in supporting and advising firms through that process, what makes digital resilience such a complex area for firms to manage?
Vivian Spies
Nearly all services these days have some sort of technological component, and there’s an even greater shift in this direction with the rise of AI. This shift presents several challenges for a few different reasons, including the sheer volume of ICT services that firms rely on now for their businesses. The fact that the digitisation of services has created an even greater level of dependence on ICT service providers, but has also increased the interdependencies between systems which firms deploy across their operations and many locally regulated firms do not benefit from in-house technology expertise, so they may need external support to help them oversee arrangements with third-party ICT service providers in line with legal requirements.
Siobhán McBean
And we can’t talk about digital resilience without mentioning the rise in the number of sophisticated cyber attacks, data breaches, occurring both within and outside of financial services. What are some of the most common events that we’ve seen that have impacted on firms digital resilience, and in response to those threats, how can firms shore up their digital resilience?
Vivian Spies
There have been several high impact data breaches recently, with the examples of Marks Spencer and Jaguar Land Rover coming to mind. The root cause of both of these attacks was credential theft via by social engineering, and so something that continues to be of the utmost importance is employee awareness and training. While there is a huge push at the moment to raise AI literacy levels across organisations, there should also be a continued focus on identifying phishing and social engineering ploys, because these attacks can be particularly particularly sophisticated these days and difficult to spot. Firms can also shore up their digital resilience through eliminating legacy systems from their ICT infrastructure where possible, to eliminate any weak links, keeping up to date with patches and updates and being mindful of when these patches and updates are applied, making sure that regular backups are taken and stored securely and looking to recovery point objectives to make sure that they understand what it would take to get critical and important functions back up and running quickly. Undertaking security audits against recognised standards like ISO, for example, and then also deploying vulnerability testing, vulnerability assessments like penetration testing against firm’s own systems.
Siobhán McBean
And I’d add to that, I suppose from a governance and the board’s perspective, it’s a case of ensuring that digital resilience is a topic that is discussed and considered at board meetings so that directors understand those steps that you’ve mentioned that are being taken within the business to ensure that the business is adequately protected from a digital resilience perspective. And in this regard, you mentioned that many firms look to their group’s technology function for support when it comes to oversight of ICT third party service providers and as it relates to digital resilience generally. For those firms, what should they be doing locally to evidence their involvement in the process? And I suppose to ensure that they have ultimate ownership of those arrangements?
Vivian Spies
Sure, there are a few things firms can do here. We’ve seen a recent push from the CBI for firms to appoint CIOs and DPOs locally, so it’s a good idea to have someone locally with technical expertise who can challenge information and reporting coming from group. Further, the local firm needs to be involved in the design of any due diligence and centralised oversight programmes to make sure that those programmes are fit for purpose, aligned with CBI expectations and EU legal requirements. On the subject of due diligence, the local firm should be conducting detailed due diligence on any technology support services which are coming through intragroup service arrangements and ensuring that there is robust oversight and due diligence programmes being applied to any subcontracting. And finally, information flow will be important. Information needs to be forthcoming from group to allow the local entity to complete their business service and function mapping.
Siobhán McBean
Thanks Vivian, you’ve shared some very helpful steps there that firms and their boards can take to demonstrate appropriate oversight of their digital resilience framework. As ever, please feel free to get in touch with your usual Arthur Cox contact, or you can send us an email at [email protected] on any issues or topics that we’ve covered here today.
