Webinar Recap: How Financial Sector Vendors Can Navigate New Financial Sector Regulatory & Contractual Challenges
KO Firm | December 2, 2024
In recent years, financial institutions have become more reliant than ever on third-party service providers for critical operations, creating complex interdependencies that require careful management. Regulators are now taking broad steps to address the risks that accompany the financial sector’s growing dependence on technology vendors.
Regulations such as the EU’s Digital Operational Resilience Act (DORA) – which becomes effective on January 17, 2025 – introduce significant requirements for financial institutions and their vendors in an effort to enhance the industry’s ability to withstand disruptions. In our recent webinar, KO attorneys Charu Ganesh and Wes Lang explored the concept of operational resilience, the implications of new regulations impacting technology vendors serving financial institutions, and actionable next steps that technology vendors can take to be proactive and create a competitive advantage.
Understanding Operational Resilience
Operational resilience refers to an organization’s ability to maintain operations and essential functions during disruptions. This concept has gained traction due to increasing digital threats, including cyberattacks targeting third-party vendors.
DORA and comparable regimes in other jurisdictions seek to standardize operational resilience frameworks within their respective scopes. While DORA directly regulates financial entities, its obligations flow down to “ICT third-party service providers” through procedural and contractual requirements, and those requirements are most demanding for services that support a financial entity’s “critical or important functions.”
Financial institutions are looking for assurance that their vendors are able to help them meet their regulatory obligations. Vendors who understand and proactively address these obligations can reduce friction in their customer relationships by speeding up the diligence and onboarding process.
This webinar explores the expectations of financial entities and their regulators and how the changing regulatory landscape regarding operational resilience directly impacts vendors immediately and in the long term.
Next Steps for Vendors
Vendors can take several proactive next steps to navigate DORA and other operational resilience obligations, creating opportunities for competitive advantages over other vendors in this rapidly evolving landscape:
- Conduct a Self-Assessment: Determine whether your services support customers’ critical or important functions and identify which customers are subject to operational resilience (OR) requirements.
- Conduct a Gap Analysis: Review the DORA requirements, compare them against your current reporting and compliance practices, and estimate the cost of closing the gaps.
- Update Contracts: Decide whether to revise agreements proactively, develop standardized addenda or contract clauses to expedite negotiations, or wait for customer requests. Whichever route you choose, ensure contracts meet DORA requirements while balancing risk and cost.
- Prepare for Customer Requests and Audits: Anticipate customer requests for compliance evidence and audits, often on tight deadlines, and plan to meet them while managing costs.
- Proactively Strengthen Compliance Measures: Obtain certifications such as SOC 2 or ISO 27001, and share self-assessment results to build customer trust and streamline procurement.
While operational resilience regulations certainly present challenges, this is also an opportunity for vendors to strengthen relationships with financial institutions by demonstrating readiness and compliance. By staying ahead of regulatory requirements, vendors can position themselves as trusted partners in an increasingly regulated industry.
For questions and more information on navigating DORA and other contractual obligations, reach out to KO Law attorneys Charu Ganesh and Wes Lang.