Europe’s pending Digital Operational Resilience Act (DORA) should prompt fund managers in the US to review their third-party service relationships even if the legislation’s cross-border impact is ill-defined, warn legal and other experts.
Effective on January 17, 2025, DORA is Europe’s way of including more than just banks and insurance firms in multiple current regulations designed to mitigate data breaches. The legislation creates a uniform approach for cybersecurity risk management. What is different from current standards is that financial entities falling under DORA’s jurisdiction must follow a rigorous information, communication, and technology risk management program for not only themselves, but also for their third-party service providers. It is those third parties which could end up being the biggest problem in the financial supply chain. European regulators don’t believe current contractual arrangements are strong enough to prevent systemic risk and protect investors.
Alternative investment fund management firms and traditional investment funds are among the multitude of financial firms governed by DORA; the rest include banks, insurance firms, securities depositories, cryptoasset service providers, and exchanges. Broadly speaking, DORA affects any financial firm doing business in Europe. However, based on the legislation’s language, no one knows how to apply DORA outside of the continent. “DORA is unclear on the extraterritorial impact for European alternative fund management firms managed by US fund managers or for US alternative investment funds (AIFs) marketed to European investors,” explains Nathaniel Lalone, a partner with the law firm Katten Muchin Rosenman in London. “Depending on how European regulators interpret DORA, US managers of European AIFs or US AIFs marketed in Europe could be affected at some level.”
In a recent article posted on the Alternative Investment Management Association’s website, the law firm of Simmons & Simmons also cites the difficulty in understanding DORA’s reach beyond European borders. “We are seeing mixed reviews on whether financial entities or managers with no presence in the EU are in scope or not,” writes Simmons & Simmons. In an article also appearing on its website the law firm of Arthur Cox states, “Non-EU AIFMs that manage and or market AIFs may also be in scope for DORA subject to the proportionality principle. It is hoped this may be clarified in a regulatory Q&A or other guidance.” The London-based AIMA and the Washington DC-based Managed Funds Association declined to comment for this article.
Proportionality is the European Union’s way of saying that the level of compliance would vary. In the case of US alternative investment fund managers that manage or market alternative investment funds in Europe, proportionality would mean the size of their footprint on the continent. The larger the European fund the US manager, or subadvisor, handles, or the higher the number of European investors in its US fund, the more rigorous the litmus test for compliance. The notion of proportionality could also allow European regulators to be more lenient with US fund managers which have minimal European investors or are subadvisors for a small European fund.
The answer about DORA’s reach appears to be clearer when it comes to third-party service providers. “DORA’s reach can extend extraterritorially at an asset and service level in terms of a financial entity or manager’s ICT risk management framework,” writes Simmons & Simmons in its article. However, financial firms governed by DORA can only use a critical ICT provider which has a subsidiary in the EU or establishes one within 12 months of being designated as a “critical” service provider.
Given that European regulators could ultimately decide to include US-based fund managers under DORA’s jurisdiction in some fashion, US-based fund managers need to stay proactive. “European regulators are keen on data protection and based on their interpretation of the General Data Protection Regulation (GDPR), they are definitely likely to view US-based fund managers with European investors in scope,” says Brandon Hollinder, director of eDiscovery and Cyber Solutions for New York-headquartered Epiq, a legal technology firm. Effective in May 2018, GDPR governs how the personal data of individuals in the European Union may be processed and transferred.
For US fund managers servicing European fund management firms, DORA’s impact could end up being indirect yet still significant. “A US subadvisor for a European-domiciled fund may be forced to deal with DORA’s requirements because the European primary fund management firm will enhance its own cybersecurity or IT requirements for all service providers to comply with DORA,” says David Adams, an attorney with the law firm of Mintz in Washington, D.C. who specializes in US Securities and Exchange Commission-registered funds and non-registered private funds.
At a minimum, US-based fund managers must be aware of DORA’s provisions. Ideally, they should also be fully compliant because violating DORA could be costly. A fund management firm could pay a penalty of up to two percent of its total annual turnover, while a critical third-party service firm could pay up to €5 million. Management-level individuals directly responsible for DORA compliance could also be fined individually.
Few US-based legal experts are willing to publicly disclose how they are advising US fund managers with European clients or US subadvisors to prepare for DORA. European-based legal experts seem to be focusing their attention on European-headquartered clients. Reaction from a dozen compliance directors at US-based alternative investment fund managers contacted by FinOps Report was largely dismissive. Only four say that their European offices are coordinating a strategy with US business lines. The remainder say they haven’t gotten up to speed, because they are waiting for further guidance on its applicability from the European Securities and Market Association, the EU’s securities umbrella watchdog. All of the dozen fund management officials who spoke with FinOps Report work for either European-based funds or funds marketing to European investors.
Fund managers are likely not the only financial entities who might be behind the curve in preparing for DORA. However, they are the ones regulators are most concerned about because of their historically limited resources compared to their larger banking brethren. There simply wasn’t enough guidance on how to proceed and time is running out. “The largest banks, with strong compliance departments, were trying to understand the requirements of the new legislation,” says Konstantinos Andreopoulos, chief information security officer for London-headquartered regulatory reporting technology firm Regnology. “Even the proactive financial firms were in waiting mode for finalization of supplementary regulatory and implementing technical standards that weren’t complete until the end of July 2004.”
The good news is that US-based fund managers may not have to start from scratch. Those also operating in the UK will likely already be following the UK’s Operational Resilience Framework, which overlaps with DORA. If not, they may have already implemented rigorous US IT and cybersecurity best practices, so in some cases they could be even more advanced than their European peers, particularly if they are big players. “US-based fund managers may be 65 percent to 75 percent compliant with DORA,” says Hollinder. “The biggest gap with compliance could be in monitoring external vendors as third-party oversight is historically weak and overlooked by all financial entities, including US fund managers.” Epiq offers an automated platform and outsourced service for contract management and regulatory preparedness for DORA compliance.
While DORA puts the onus on boards of directors to take charge of DORA compliance, procurement departments, compliance departments, and business lines will likely do the heavy lifting under the umbrella of the chief information security department, predicts Hollinder. They must ensure that third-party service providers meet DORA’s standards, or their firms will be forced to switch providers. It remains to be seen whether service providers will want to provide US-based fund subadvisors with the same information they give European-domiciled managers, given DORA’s uncertain reach. None of the US-based fund management officials who say they are preparing for DORA would discuss their third-party strategy with FinOps Report.
ICT service providers aren’t only technology firms. “DORA does not base its definition of critical ICT service provider on the what, meaning the type of service provided, but primarily on the how, meaning the type of connectivity with the financial entity,” says Katten’s Lalone, who specializes in cross-border regulation. “Fund administrators typically interconnect with their fund manager clients in an electronic fashion, so they are likely to be covered.” Other critical ICT service providers will include cloud services, network services, and hardware services.
A service provider could claim it is not “critical” to the operations of fund managers as a way of escaping DORA’s purview. However, fund administrators will likely have a hard time meeting that exemption as they perform important tasks such as calculating net asset valuations and providing shareholder services. Article 27 of DORA provides some criteria for determining criticality including whether a glitch at the service provider would create a “systemic impact” on the stability and quality of the financial institution.
Fund managers must quickly develop a vendor risk management program to encompass the sign-on of new vendors, changes to contractual agreements, continual monitoring of vendors, and exit strategies, say legal experts. Although there are plenty of technology platforms which claim to monitor third-party vendors, they appear to be used primarily by large banks and insurance firms. Many fund management firms are relying on the old-fashioned paper and pencil approach.
DORA requires fund managers falling under its jurisdiction to keep a list of all of their service providers and their functions. Depending on the size of the fund manager, the list could range from a handful of names to several hundred. If the fund management firm is in luck, such a list already exists in a centralized procurement department for easy access. If not, a legal or compliance department will have to collect the information from multiple business lines.
Once all the providers are identified, it’s time to read all of the contracts with existing providers. Procurement, legal, and compliance departments might have some type of data-extraction technology to find the relevant paragraphs. If not, staffers will have to do a line-by-line analysis. DORA-compliant contracts must have specific clauses on how the service provider will prevent a cyberattack, will report to its client if one has occurred, and will return to business as usual as quickly as possible. They must also have provisions for ongoing monitoring, testing and audits.
The new requirements could put fund managers and their service providers in an awkward period of renegotiation. Service providers, such as fund administrators, could be hesitant to customize their agreements, instead favoring the same boilerplate provisions for all their clients or minimal change. Fund managers must make a calculated risk analysis. Under DORA, they can terminate a contract with a service provider which has a weak cybersecurity program, but providers with more rigorous standards could be more costly. “Service providers may decide not to absorb the entire expense of preparing for DORA so fund managers may experience higher administrative fees,” explains Epiq’s Hollinder.
Some critical third-party ICT providers are already getting up to speed. Regnology’s Andreopoulos says that instead of waiting for customers to come up with their own disparate templates and requirements, his firm has created a DORA Amendment Agreement with all the necessary contractual terms. Those include TLPT (threat-led penetration testing) access/permission and participation in customer testing. Regnology also provides tools for its clients to perform ongoing monitoring. It is unclear how fully fund administrators already meet DORA’s requirements, but based on industry talk they may need to get up to speed on penetration testing and audits.
US subadvisors of European funds could also face some contractual heartaches with European fund management clients. At issue is whether the US subadvisor would be at risk for violating US privacy laws by giving confidential data to the European fund management firm. “The European fund management firm could ask the US subadvisor to comply with DORA’s provisions when it comes to mitigating cybersecurity risks, testing and reporting of data breaches,” says Mintz’s Adams. “The subadvisor will have to determine if it can fulfill the requirements, particularly if they involve sharing confidential customer data during testing or incident reporting.” The same data sharing could be required by fund administrators used by the European firm. Faced with a legal quandary, the US subadvisor may decide to either end its current relationship with the European fund management firm or not start one at all.
Yet another reason US subadvisors must be cautious when signing contracts with European fund management firms relates to potential penalties. Even if only the European firm is levied a fine for the cybersecurity shortcomings of the US subadvisor, the European firm could try to recoup the fine based on the indemnity or other portions of the agreement governing their relationship, cautions Adams.
For US-based fund managers concerned about how to prepare for DORA, the best line of defense could end up being the collective offense. “Engaging with peers in industry organizations on how to proceed could result in a community decision which could sway European regulators,” says Lalone. US fund managers could always claim that in the absence of any clarity they were following the industry practice.