From 2025, the Digital Operational Resilience Act (DORA) will go live and represents1 an industry-wide realisation to prioritise2 operational resilience at financial institutions3. Third-party dependencies providing managed services are a focus4 after successful attacks on firms that may not have met the required standards5, which resulted in severe and repeated outages or worse, cybercrime6. By design, DORA ensures financial institutions have correctly categorised the importance of third-party dependencies and the dependency has relevant processes, controls and reporting in place.

What Short- and Long-Term Impact Will DORA Have?

Multiple clients have already begun incorporating DORA, categorising CJC as a critical vendor and requesting confirmation and transparency on CJC's ICT (Information and Communications Technology) processes and controls - windows into any potential threats detected, managed, and resolved.

In the long term, there is an emerging trend where aspects of client infrastructure and data are migrated from a CJC-hosted environment back into a client-hosted one, with little to no impact on the client-CJC relationship. The client sentiment is if their data and infrastructure are hosted in a proprietary cloud environment, enabling the capability to control third-party dependency connectivity, they are in a better position to meet the new standards.

CJC IT Infrastructure Managed Services square bannerThe client data and infrastructure preference for over a decade is moving back to the client, which Peter Williams, CJC's Chief Technology Officer, touched on in a recent panel discussing "The Future of Capital Markets Technology7."

The preference change is not unheard of. When CJC first embraced the cloud8 with AWS in 2011, obtaining client support for the technology was challenging. 'Cloud' was a dirty word with 'hosted' as the preferred recommendation. Ironically, 'hosted' was largely unheard of just a few years before.

The low-latency explosion during the mid-2000s, wonderfully played out in Michael Lewis's must-read "Flash-Boys" changed all that with client computer rooms getting smaller and instead deploying the technology at Equinix, BT Radianz, CenturyLink, Interxion, etc. While CJC supported these migrations, a base of operations was implemented from Equinix and by 2013, providing a managed service9 without this component was rare.

Is DORA a Concern For CJC Clients?

CJC has a long-standing ISO 27001 certification10, embedding these standards into our DNA, and is vital for an industry already embracing cloud, open source, and next-generation AI technologies. Many of DORA's requirements are already part of CJC's standards and we look forward to further enhancing transparency and client reporting.

With CJC's 25th anniversary fast approaching, the team has witnessed and moved alongside the technology trends and regulatory changes in the capital markets for a quarter of a century. Also, CJC does not derive revenue from infrastructure-as-a-service (IaaS), which means CJC is capable of scratching infrastructure costs from services to continue supporting clients reverting to this model. DORA is another way to demonstrate CJC's world-class, multi-award winning11, 24x7x365 managed service12.

Security is CJC's top priority, and since 2018, all services have complied with ISO 27001-based standards. The business is well-positioned and ready to support client requirements around DORA and its global equivalents. All CJC services enjoy state-of-the-art security tooling, like Google Chronicle AI, and we work with leading security partners like SEP 213 to ensure the latest standards are met.

Footnotes

1 FinExtra (2023), "DORA: The drive towards better operational resilience" https://bit.ly/3uOefjY " [Accessed 26 February 2024].

2 McNamee P. (2023), "Operational Resilience preparation a top priority for f inancial institutions" at " https://bit.ly/3ORO1DN " [Accessed 26 February 2024].

3 FinExtra (2023), "Bank regulators warn over operational resilience challenges" at " https://bit.ly/3uEvhRE " [Accessed 26 February 2024].

4 Wilbraham S. (2023), "UK Regulators Consult on Proposals to Strengthen Resilience of Services Provided by Critical Third Parties" at " https://bit.ly/48us7xB " [Ac cessed 26 February 2024].

5 Basar S. (2024), "Equilend Ransomware Attack Puts Focus on Operational Resilience" at " https://bit.ly/4bPXK7w " [Accessed 26 February 2024].

6 FinExtra (2023), "Cybercrime marketplace shut down" at " https://bit.ly/3uPKcsb " [Accessed 26 February 2024].

7 CJC (2023), "TradingTech Panel: Buy & Build - The Future of Capital Markets Technology" at " https://bit.ly/3UQrATl " [Accessed 26 February 2024].

8 CJC "Cloud Solutions" at " https://bit.ly/3QgBcEW " [Accessed 26 February 2024].

9

10 CJC "Managed Services" at " https://bit.ly/44cz58y " [Accessed 26 February 2024]. CJC (2018), "CJC Secures ISO 27001 Information Security Certification" at "https://bit. ly/49jESw9" [Accessed 26 February 2024]

11 CJC "Awards and Recognition" at " https://bit.ly/3SVbc1i " [Accessed 26 February CJC "Managed Services" at " https://bit.ly/44cz58y " [Accessed 26 February 2024].

12 CJC "Managed Services" at " https://bit.ly/44cz58y " [Accessed 26 February 2024].

13 CJC (2023), "CJC Boosts Cybersecurity with Google Chronicle Security via SEP2" at " https://bit.ly/3IbLfpm " [Accessed 26 February 2024].

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mr Steve Moreton
CJC
31-41 Worship Street
London
EC2A 2DX
UK

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing