So this afternoon we're going to go through and talk about DORA compliance for ICT providers: what you need to do, what you need to know, some of the key things you need to think about and understand, what DORA is, how it's affecting things, all these wonderfully interesting topics.
So we will start off in a couple of minutes.
I'm going to ask you to be a bit interactive and respond to a few questions because it's going to be useful for me to understand who I've got on the call etc.
So first of all, who am I?
Very good question.
So my name is Andrew Paterson.
I'm the head of GRC consultancy for IT Governance Europe and I've been working in GRC for, probably, it's between 20 and 30 years anyway, probably quite a lot closer to 30 years than 20 years.
I'm a certified ISACA trainer.
I have a master's in information systems management, which was quite a long time ago, but we weren't just looking at advocacies, we were looking at proper IT even then.
I'm the SME within the group in things like NIS, NIS 2, which as we may know is a directive, things like the cybersecurity framework, 27001, CIS 18, ECC, which is a Saudi Arabian standard, and DORA.
I've worked in lots and lots of sectors over the years.
That's just a few examples of some of the areas where I've been helping people affected by DORA for around the last 12 months, helping them to get ready for the deadline, which we'll talk about a bit later.
I'm also the author of DORA, a guide to the EU Digital Operational Resilience Act, and that book is very much a practical guide about what you need to do about it.
It talks about the same sort of things, there's a different emphasis in some areas, but we'll go through that.
So that's who we are, we've worked with all of these different people, we've got 1300 projects in ISO, we've got our Cyber Essentials and we've got our governance and risk tool called CyberComply, which has got almost two and a half thousand customers using it globally.
You can see all the information on there, just a little thing on the slides, you will be given access to a slide pack because some of the slides have got quite a lot of detail on them and it's probably more useful if you come back and read them later, because I will not be reading every single line on every slide, I'll be talking around them.
So this is where we're going to ask you to do a little bit of interaction and voting and it'll give me a little bit of an idea about who's on the call and maybe I will make sure I mention a few things which are specific to those requirements.
Okay, so on this we've got pretty much a split, almost evenly across the three areas on that.
So thank you very much for that.
And now the last question: has your organization allocated a budget for DORA compliance solutions?
Yes, we have a dedicated budget.
Budget is under consideration.
No budget allocated yet.
Just a few more moments and then we'll close that poll.
Okay then, so mainly no budget allocated yet and a few people have got a budget under consideration, but actually you need to be able to show that you have budgets for cybersecurity etc.
So we'll talk about that.
So a couple of things, you will see that you've got the ability to ask questions.
So if you supply into a financial entity which is in the European Union, you're going to be covered by DORA, okay.
Even if you're not in the European Union, okay.
So if you're an ICT third party supplier and you're supplying into a financial entity in the European Union, you're covered by it.
If you're a large organization which is supplying services to a part of your organization which is in the European Union, okay, you have to comply with the requirements of DORA.
So this slide is the sort of slide that, when you've got it back, you can zoom in on, but it gives you the, you know, it's about risk, systemic risk across financial services in the European Union.
We all know that with, I mean, I'm old enough to remember when, you know, you had to be physically on a, in front of a machine with a cable coming out of the back of it in the same building to get access to things.
And we don't work in that world anymore.
We've got 24/7 access.
Everything is interrelated.
So there's so much interconnectivity within all sectors and within financial services that if you get a problem somewhere, it's multiple countries.
And I mentioned this briefly, and this is a slide that, these next two slides, you can look at in a little bit more detail yourself, but it's about making sure that there's a joined up approach, you know, understanding how and where third parties sit in the supply chain.
And they also have a view of what they're going to do as well.
So if you are a third party, say for example, they're Microsoft, AWS, Google, they're actually going to view them on an EU wide level.
So there's going to be a, an individual or person called a lead overseer, and they will be looking at their compliance from an EU point of view.
And you may be, if you're looking at it, and I'm helping people where I go in and do a gap assessment of where they are at the moment and where they need to be.
And, you know, a lot of organizations might be doing some of this, or you've got to do a bit more, you've got to document a bit more, you need to be able to show, if required, that you're doing these things.
So having a tool, we're going beyond spreadsheets, okay, particularly for risk, having a spreadsheet works to a certain point of view, I used them for years, got very comfortable with them.
So if you go and look at the links on this information, or go onto the website, you can see that on training, we do a foundation, which is a day course where you sit there and go, this is what DORA is.
So take a bit of time to look through the slides when you get them.
That's the contact details.
So we'll work anywhere.
We don't care what time zone you're in.
And we work all over the world.
We have customers all over the place.
And we can do lots of things.
So first of all, questions.
So has anybody got any questions?
So I've got one here.
So how would I define my third party risks?
And how would I set those requirements?
And again, the easiest thing, I mean, with risk, if anyone wants to do a five day course on that, I teach CRISC, which is the ISACA qualification on enterprise risk management.
So how big has a fine got to be to make a major bank decide that they don't want to get fined?
Okay.
You know, it's, so I think it's going to be the financial entities who are going to be fined in this, but then again, you've got contractual implications if you are a supplier into that.
So I think it's working on the principle that it's going to be like GDPR and some of the things on GDPR, you know, BA or International Aviation Group, was it 180 million they got fined or tried to fine?
Okay.
Let's see.
Now I did see some, just bear with me a second.
I thought I saw some more questions.
But, ah, yes.
Okay.
Who will enforce?
Right.
So enforce.
So it's down to competent authorities.
And there's a requirement on auditing in there, of your risk management system being audited annually.
If you are a third party supplier to a financial entity and you are providing services which they support, they're critical, important services as they define them, they will be wanting to do pen testing on those.