DORA: New EU Regulations for GPs

Context

In September 2020, the European Commission proposed the Digital Operational Resilience Act (DORA); a new regulatory framework for digital risk management in the financial sector.

‍

The primary objective of DORA is to improve digital operational resilience by managing risks associated with Information Communication Technology (ICT) systems, including the suppliers of such systems. The scope of DORA covers a wide range of players, including credit institutions, payment institutions, investment firms, insurance firms as well as asset managers together with their service providers.

‍

Though the details of how DORA will be implemented have not yet been issued, the DORA framework will go into effect starting 17 January 2025.

‍

Why it’s important

In most cases, fund managers don’t act on new regulations until they go into effect. This is due to several factors: sometimes the effective date gets pushed back, sometimes the rules are significantly amended, and sometimes the regulations are simply overturned (such as the recent decision by the US Court of Appeals to strike down SEC’s fee disclosure regulations for private markets fund managers.)

‍

In cases where regulations require firms to significantly alter their reporting or valuation methodologies, it makes sense for fund managers to wait until the very last moment to adopt the changes. DORA is different, in that it focuses on data security, not on calculations or financial reporting. This makes it more likely that DORA will go into effect without much pushback.

‍

Even though the onus of satisfying requirements falls on fund managers, providers of services or systems play an important part in enabling fund managers’ compliance. If firms are using providers that cannot satisfy the new requirements, then they will need to find and implement solutions that can. In cases where firms ignore DORA until the very last minute and need to switch solutions, they might face rushed implementations, higher prices, and disruptions to operations. To avoid issues like these, fund managers need to understand the key aspects of DORA and how it will affect them, so they can make more informed decisions in a timely planned manner.

‍

Key Aspects of DORA:

DORA focuses on ensuring that investment firms’ digital infrastructure, including in-house and 3rd party solutions, are resilient and secure, regardless of whether the solutions are offered by providers based inside or outside the EU. Depending on the DORA implementation details, actions potentially required of fund managers include:

‍

Risk Management:

Establishing proactive risk management programs to optimize operational resilience, including defining acceptable downtime metrics.

‍

Redundancy Measures:  

Implementing failover mechanisms to switch seamlessly to backup systems.

‍

Incident Response Plans:  

Having well-documented procedures for handling disruptions.

‍

Incident Reporting / Communication:  

Creating real-time incident reporting capabilities to ensure incidents affecting operational resilience are promptly communicated.

‍

Operational Resilience Testing:  

Conducting regular testing of fail-over system including incident responses/communications.

‍

Cybersecurity Measures:  

Ensuring software application developers (including from third parties) follow secure coding guidelines to minimize cyber vulnerabilities.

‍

Access Controls:  

Restricting access to systems to authorized personnel only.

‍

Encryption:  

Protecting sensitive data in transit as well as when at rest.

‍

Regular Security Testing:  

Conducting regular penetration testing together with regular vulnerability assessments.

‍

Given today’s digitized operating models across the asset management industry, the responsibility for DORA compliance in relation to software applications is therefore split.

‍

Asset Management Firms:

• Asset management firms are ultimately responsible for ensuring their overall operational resilience, which includes the software applications they use.

• They need to assess the risks associated with their software, implement security measures, then testing procedures with proper incident reporting in place.

• They must also scrutinize the resilience of their third-party suppliers, including their relevant capabilities.

‍

Software Vendors:

• While not directly responsible for the asset manager's DORA compliance, software vendors play a crucial role in facilitating compliance.

• Vendors need to provide software that meets DORA's security and developmental standards including building in resilience by design.

• They should be transparent about their own security practices, cooperating with asset managers during risk assessments and incident response testing.

‍

LemonEdge is fully prepared for DORA

The LemonEdge system has specifically been designed from the ground up to address many of the shortcomings of the legacy private equity fund accounting systems that are likely to be in scope of the DORA regulatory framework.

‍

Examples of where LemonEdge can meet the requirements of DORA include:

• The ability to fully support any level of accounting complexity for any level of fund structure complexity, i.e. no compromises such as use of other solutions required.

• The elimination of high-risk offline excel workbook workarounds, something that is likely to be high on the list of DORA issues to be addressed.

• The elimination of high-risk manual extract / export / import processes through the LemonEdge API, enabling secure, efficient interoperability with other systems / databases.

• The elimination of the need to reverse activities or transactions in the core accounting system through the use of a LemonEdge Canvas, a scenario modeling tool that allows any required scenario to be safely modelled in an instant copy environment before committing anything to a production environment.

‍

In terms of the specific ICT demands of DORA, LemonEdge operates with the following procedures:

‍

Redundancy measures:  

The standard LemonEdge implementation is built to a highly available specification designed to meet the redundancy needs of our clients. We deploy the application to your region of choice, including with the use of multiple datacenters, reducing the likelihood of regional failure. The underlying Azure SQL database we typically offer also provides the same robustness from a data management perspective.  We can also support clients who require a multi-region geo-redundant implementation.

‍

Recovery Time Objectives:  

The standard LemonEdge implementation adheres to the standard configuration settings of typical Azure for Recovery Time Objective (RTO) and Recovery Point Objective (RPO), ensuring efficient and reliable performance under typical operational conditions. These defaults are tailored to balance performance with cost-effectiveness, offering robust disaster recovery and high availability.

‍

Cybersecurity Measures:  

In the LemonEdge development process, we use SonarCloud and NuGet to ensure our code is secure and up to date, including automatically scanning the source code to identify vulnerabilities, bugs, and ‘code smells’ for every change, while also managing dependencies such as outdated or vulnerable libraries. This architecture ensures we incorporate the latest patches and improvements, minimizing the risks associated with outdated software components, ensuring each software release is secure and efficient.

‍

Incident Response Plans / Reporting / Communication:  

The advantage of the LemonEdge deployment model into our clients’ infrastructure is that all incident-related issues can be included in the wider corporate equivalents.

‍

Access Controls / Encryption / Testing:  

As with incident management, the LemonEdge deployment model into our clients’ infrastructure ensures access controls, encryption, and security testing can be included in the wider corporate equivalents.

‍

Next steps for fund managers

Evaluating both internal processes and security measures of external providers will take time, especially for larger firms with multiple funds, systems, or asset servicers in use. Firms need to start their review process now and avoid any potential operational disruptions.

‍

If you would like to know more about how LemonEdge’s security measures and protocols match DORA requirements or discuss any of the above points please contact us at sales@lemonedge.com.