Beginning January 17, 2025, financial entities based in the European Union must have in place processes and policies, and mandatory contract provisions with their third-party technology vendors, that comply with the EU Digital Operational Resilience Act (DORA).
Tech & Sourcing @ Morgan Lewis
TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
The widespread technology outage on July 19, 2024 highlighted major potential issues that can arise when service providers rely on technology to provide critical services. The effects of the outage were felt by critical service providers across numerous industries, including airlines, banks, public transit, healthcare, and media. Because we live in a world that is increasingly reliant on technology, if a critical piece of technology fails or introduces a flaw to a system that relies on that particular technology, it can have extreme consequences, as many experienced on July 19.
Starting January 17, 2025, financial entities based in the European Union must have in place processes and policies, as well as mandatory contract provisions with their third-party technology vendors, that comply with the EU’s Digital Operational Resilience Act (DORA). Financial entities are currently at varying stages of updating their operational risk management frameworks and remediating contracts with technology vendors. For banks, the European Central Bank has signaled that resiliency will be a top priority on its supervisory agenda.
Beginning January 17, 2025, the European Union’s Digital Operational Resilience Act (DORA) will require financial entities to maintain and submit to EU regulators a comprehensive register of their contractual arrangements with third-party information and communication technology (ICT) service providers. Financial entities are being given the opportunity to sign up for a voluntary reporting exercise by May 31, 2024, running between July and August 2024, to help them prepare for one of the most challenging aspects of implementing DORA.
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently released draft rules that are set to reshape how critical infrastructure companies report cyberattacks to the US government. The rules are designed to improve the country's cybersecurity by making sure cyber incidents are reported quickly and thoroughly. This could help create a clearer understanding of cyber threats and may mitigate against future cyberattacks.
New ICT incident reporting requirements under Circular 24/847 (Circular) of the Commission de Surveillance du Secteur Financier (CSSF), Luxembourg’s financial regulator, will come into effect on April 1. This introduces a new ICT-related incident reporting framework and underscores the critical importance of proactive measures in safeguarding financial institutions against ICT and cyber threats.
The European Central Bank (ECB) has published data showing that banks are increasingly using third-party providers to support their critical functions. However, more than 10% of outsourcing contracts covering critical functions are not compliant with the relevant regulations. During a key year for EU financial institutions and their critical service providers—with implementation projects for the Digital Operational Resilience Act (DORA) well underway—the ECB signals that outsourcing and resiliency, particularly risks associated with cloud outsourcing and concentration risks, will be a top priority on its supervisory agenda.
In our January 2023 blog post, Study Finds Average Cost of Data Breaches Reaches All-Time High in 2022, we highlighted the key findings of the Ponemon Institute’s Cost of a Data Breach Report 2022. Each year, the report sets forth a vast dataset analyzing data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. Recently, Ponemon Institute published its Cost of a Data Breach Report 2023, showing an increase in data breach costs in many areas of business.
Despite Delayed Adoption of Final Regulations, CPRA Is Enforceable As of Initial Enforceability Date
The Court of Appeal of the State of California (the Court of Appeals) recently ruled that Proposition 24, the California Privacy Rights Act of 2020 (CPRA), is enforceable without any further delay. The CPRA contains important changes to the California Consumer Privacy Act, including with respect to online advertising.
Morgan Lewis partners Christopher C. Archer, Anastasia Dergacheva, and J. Daniel Skees as well as associate Arjun Prasad Ramadevanahalli will discuss developments and trends in cybersecurity and digital transformation for the energy industry on Wednesday, November 29.