DORA? It’s on my to-do list

Aug 2, 2024 by Duncan Alexander

 

  

In brief

  • Under DORA, there’ll be no passing the buck and blaming your supply chain for downtime. You're responsible for your ecosystem, so you’ll need an operational resilience plan. If you go down, the regulators will likely ask to see the plans you made for becoming operationally resilient, and if you're flying blind without a plan, you could be in deep trouble 
  • The global IT outage caused by an update from CrowdStrike has placed an intense spotlight on the vulnerability of IT supply chains 
  • In addition, the underlying cyber problem is that the bad actors are getting smarter all the time 
  • Therefore, a comprehensive risk management system, a proper digital twin searching in real time for weaknesses in your setup, and a sound cyber policy, security controls and tools are critical operational building blocks that every bank should already have in place 

  

Got bigger fish to fry? Really? 

Well, you might have a lot on your plate right now, but in a few short months, if your bank is not completely on point with the Digital Operational Resilience Act (DORA), the EU regulators could hit you where it hurts most. 

Your pocket. 

DORA comes into effect on January 17, 2025, and holds European corporate management teams directly responsible for ICT management. The act's detailed stipulations affect the people, processes and technology of every sizable financial organization. 

Board members, executive leaders and other senior managers are expected to define appropriate risk management strategies, actively assist in executing them and stay current on their knowledge of the ICT risk landscape, including third-party providers. 

 

Chart shows eleven requirements for DORA compliance

  

You’re on the hook

 

There’ll be no passing the buck and blaming your supply chain for downtime. You're responsible for your ecosystem, including suppliers such as CrowdStrike, so you must have a compliance plan ready. 

That’s the key. If you go down, the regulators are likely to investigate, which could lead to potential fines on the scale of 1% of global revenue for every day of lost service. They will likely ask to see the plans you have in play for becoming operationally resilient. If you're flying blind without a plan, you could be in deep trouble. 

We live in an increasingly dangerous world, and the regulators are concerned about the prospect and scale of cyber war and its threat to critical infrastructure. The authorities need you to be responsible and operationally resilient, and those without an appropriate strategy will be heavily penalized. 

 

 

It’s not just about Europe

 

It’s not just European banks and their global collaborators that are under threat. When we surveyed Hogan clients in the United States (DORA is not a U.S. regulation), they had no idea that their regulators are thinking of adopting a similar act. After the global IT outage on July 19, 2024, a similar act is now even more likely, and soon. 

The financial ecosystem is global, and the regulators are worried about cross-border disruption. They want to ensure that critical operations and banking services can withstand the risk of seditious events or supply chain vulnerabilities. 

Here are the major risk management issues: 

 

Chart shows five critical areas of risk management concern

 

So, what can we do about it?

 

Adopt an SLA and prepare early 

It’s also important that our clients understand our capabilities around operational resilience even where DORA (or a similar regulation) doesn’t apply, as in the United States. These are best practices. Preparing for this type of compliance can take an extremely long time, so it pays to plan early — operational resilience is a much broader subject than you might think. Our resilience framework, below, shows how our UMBPlex solution supports continuity management and IT disaster recovery. 

 

Zoreza Global operational resilience framework 

This framework identifies 12 management disciplines that can be grouped in different ways to ensure appropriate operational resilience responses for different risks. 

Chart shows 12 critical risk management disciplines for ensuring operational resilience

 

 

How else do we safeguard Hogan clients?

 

One of our critical operational resilience capabilities covers clients with mainframes operating IBM Geographically Dispersed Parallel Sysplex (GDPS©) active-active, or trying to become active-active for operational resilience reasons (or active-passive, i.e., a hot standby). 

 

Sysplex? What’s that?

 

A Sysplex (system complex) could be a single IBM mainframe divided into up to eight logical partitions (LPARs) that communicate and cooperate using the Cross-System Coupling Facility (XCF) protocol (Basic Sysplex). Or it might be a cluster of IBM mainframes running z/OS images that act as a single system image (SSI) and interact with each other using the XCF protocol (Parallel Sysplex). 

A Parallel Sysplex combines data-sharing and parallel computing, allowing a cluster of up to 32 systems to share a workload, producing exceptional performance and availability. The primary goal of a Sysplex (Basic or Parallel) is to enable data-sharing, giving multiple systems direct read and write access to shared data. 

 

What does UMBPlex do?

 

UMBPlex enables you to replicate across your platform. It’s a collection of services provided by the Umbrella system that enables all Hogan applications and client applications written under the Umbrella system to run in a Sysplex. It's a key component of operational resilience. 

If a client bank wants to run their Hogan applications in a Sysplex operating environment, they must have UMBPlex installed with the latest version of Umbrella and Hogan applications. Other prerequisites include: 

CPUs: The UMBPlex environment requires only a standard Sysplex. Any collection of CPUs that can run a Sysplex may be used to support UMBPlex. However, any significant production use of the MVS Logger by UMBPlex (or any Sysplex-exploiting system) requires either a non-volatile Coupling Facility (CF), e.g., a UPS on the CPU running the CF, or dual CFs, to ensure the integrity of the logged data within the CF. Once the Sysplex is intended for production use, most shops plan for a fault-tolerant Sysplex (dual Sysplex timers, dual CFs and so on). While preparing for your Sysplex migration, treat UMBPlex like any other Sysplex-exploiting system. 

Coupling Facilities: A Coupling Facility is a piece of computer hardware that coordinates multiple processors in a Sysplex environment to enable communication and data-sharing between the various systems. UMBPlex can run on any available CF: standalone (9674), LPARed (9672- or 711-based machine), or under an ICMF (511- or 711-based machines). Note that the performance characteristics of an ICMF are quite different from those of a CF; IBM does not recommend the use of an ICMF for production environments. 

System software: UMBPlex is supported on all operating systems supported by the base Umbrella product. 

Hogan software: For support and business continuity reasons, it’s highly recommended that clients be on the latest versions of Hogan applications, including Umbrella. 

Documentation: Documentation has been updated to reflect new functions and enhancements. UMBPlex documentation is included with the prerequisite Umbrella System 5.x documentation set of PDFs. 

Education: Zoreza Global offers technical and user training for UMBPlex as well as other Hogan products. To get the latest training schedule and course descriptions, or to sign up for a class, contact banking_support@dxc.com 

Consulting services: A full range of consulting services is available to help maximize the benefits of this software. Call your DXC Zoreza Global representative for details regarding consulting opportunities related to this or other products. 

Pricing: UMBPlex is separately licensed and requires additional fees and changes to existing license and maintenance agreements. Call your DXC Zoreza Global representative for pricing and licensing information. 

 

UMBPlex and Hogan’s Umbrella system

 

Hogan’s Umbrella system is the technical foundation and architecture for DXC Zoreza Global’s Hogan core banking software. The Umbrella system gives you:  

  • Environmental independence — applications are independent of technology change while exploiting its features  
  • Data independence — applications are not tied to internal data management schemes  
  • Flexibility — parameters govern both processing options and actual logic flow  
  • Longevity — a modern architected platform that has allowed for over 30 years of dynamic technical evolution 
  • Zero IPL downtime — Hogan applications continue to process and remain available while LPARs within the Sysplex are individually quiesced and IPLed. The workload is shifted to the LPARs that are not being quiesced and IPLed 

  

Quantum security, Zoreza Global and IBM z16

 

Speaking of innovation, the prospect of quantum computing is already changing the way we think about one of the most critical banking considerations: How to secure sensitive information and maintain essential application and infrastructure integrity. 

Although practical quantum computing is several years away, we need to develop quantum-safe cryptographic strategies now while we still have time to consider the business and social impact. Integrating crypto-agility with system modernization will be a massive undertaking for top-tier banks, involving the entire cast of financial services players and standards bodies (e.g., NIST) and underpinned by cross-industry cooperation at all levels. 

Any classically encrypted (e.g., public-key cryptography) wire-tappable communications are already at risk, the idea being to “harvest data now, decrypt later” when quantum decryption solutions are finally realized. 

 

We’re working on it

 

Zoreza Global and IBM are working to help banks optimize and transform their core banking systems, anticipating changing customer lifestyles and offering forward-thinking solutions. The IBM z16 provides extra protection by encrypting data wherever it resides — at rest, in flight or in use — with fully homomorphic encryption. 

Currently, the combination of Hogan and IBM z16 — with its robust data-processing capabilities and enhanced security features like fully homomorphic encryption — enables banks to protect data, ensure compliance and improve the customer experience through faster, frictionless processes.  

 

Why homomorphic encryption?  

 

Homomorphic encryption is a unique mechanism that resolves security and privacy issues. It allows third-party service providers to perform specific operations on a user's encrypted data without ever decrypting it. Homomorphic encryption accelerates our clients’ innovation and collaboration with third parties without the risk of compromising sensitive information. In other words, it helps them deliver better outcomes for their customers. 

    

Ready and able

 

Furthermore, as quantum computing becomes a reality, laws, policies and DORA-type global regulations will be in an even greater state of flux. Hogan platform compliance is boosted by the IBM Z Security and Compliance Center, now an integrated capability of IBM z16. It enables clients to be always compliance-ready. Banking compliance is viewed in near-real time via dashboards and reporting, which reduces the number of employees focused on audit preparations. 

Banks improve the customer experience by guaranteeing the tightest data security, developing faster, frictionless processes and providing innovative products and services that are easy to deploy and personalize. 

Now, for banking clients drawn by the benefits and challenged by the growing threat of quantum computing, the ever-increasing computing power of IBM’s z16 puts them in the security driving seat. 

 

 

DORA transformation areas 

 

Chart shows the surprising scale of transformation necessary to secure operational resilience

 

You need the basics to survive

 

I think the underlying problem is that crooks and bad actors are getting smarter all the time. Therefore, a comprehensive risk management system, a proper digital twin searching in real time for weaknesses in your setup, and a forward-looking cyber policy, security controls and tools are operational fundamentals in the modern world — critical building blocks that every bank should already have in place. 

 

Chart shows a DORA Graph data model for building a digital twin to allow “What if?” risk analysis of

 

Recently, in the UK, several major banks had all their mobile apps down. Whether that would really trigger a fine under DORA is up for debate. But that's one of the elements we need to get to grips with fast, and it won't be tested until someone is given (and accepts) a fine. 

The regulators are saying, “You know the risks, you know the threats. How could you be down? How come you can’t deliver vital services when your customers need them most?” The CrowdStrike outage will put IT supply chains under intense scrutiny. 

 

We’re here to help

 

Our experts maintain mainframe environments to create the robust, high-performance and continuously available systems essential for “always-on” banking (even during upgrades). 

That said, Zoreza Global doesn’t just support your Hogan and UMBPlex technologies. We also ensure business continuity from a skills-based standpoint by training internal people via the DXC Zoreza Global Academy. We're seriously committed to developing our academy, and as a result, we've been able to train more than 70 client employees and around 100 DXC Zoreza Global team members so far. In addition to expanding that capability, we’re currently revamping our support methods and processes to raise client service and benefit levels even higher. 

 

Chart shows five of DXC Zoreza Global’s third-party risk management capabilities

 

DXC Zoreza Global is investing heavily across the board, and many of those investments, such as Academy training, UMBPlex, work with IBM’s z16 to tackle quantum threats and much more, are helping to make clients operationally resilient. 

 

Don’t risk a DORA fine: talk to an expert now

 

To discuss cyber exposure, the DORA deadline and how you can protect both your career and the bank’s reputation by urgently preparing for compliance with the new Digital Operational Resilience Act, contact us.

 

 

Duncan Alexander, Product Director, Core Banking

Duncan leads several existing and new core banking products and services within DXC Zoreza Global’s Global Banking Division. He has over three decades’ experience in the application of business technology to achieve strategic goals across multiple industries, including banking, insurance, retail, travel and logistics. Duncan has provided strategic advisory services and delivered mission-critical systems as a strategic partner to clients and held senior positions within several large enterprises. His main area of focus is the realization of business benefits for our clients from digital transformation.