This document provides an in-depth analysis of 5X's current compliance status with the Digital Operational Resilience Act (DORA) and outlines our strategy for achieving full compliance by mid-2025. As a provider of critical Information and Communications Technology (ICT) services to financial entities, we are committed to meeting DORA's standards for digital operational resilience.
This document details our current strengths, areas for enhancement, and a clear roadmap towards full DORA compliance. The assessment is structured around the following key areas of DORA:
- ICT risk management
- ICT-related incident management and reporting
- Digital operational resilience testing
- ICT third-party risk management
It also covers the closely related areas of information sharing, data protection, business continuity and cloud outsourcing. For each area, we provide an analysis of our current status and the specific enhancements planned to meet DORA requirements.
Data Residency
At 5X, our approach to data management provides a significant advantage in terms of DORA compliance and overall data security:
- Customer Data Residency: All primary customer data remains within the customer's own data warehouse (e.g., Snowflake, Google BigQuery). 5X does not directly store or process our clients' sensitive financial data.
- Metadata Processing: 5X only processes metadata, such as usernames, emails, and connection details to data warehouses. This minimizes our data footprint and significantly reduces the risk profile of our service. Note that warehouse connection details are credentials that grant access to the customer's environment, so they are treated as sensitive and protected accordingly (see the encryption and access controls described under Data Protection and Processing below).
- Flexible Infrastructure: Our platform is designed to accommodate various data residency requirements. While our primary infrastructure is hosted in AWS US East 1 (North Virginia), we can deploy to additional regions upon request to meet specific regulatory or customer needs.
This approach offers several benefits in the context of DORA compliance:
- Reduced Risk Exposure: By not directly handling sensitive financial data, we minimize the impact of a breach of our own systems and the associated regulatory implications.
- Enhanced Data Protection: Customers maintain control over their data, aligning with DORA's emphasis on data protection and sovereignty.
- Simplified Compliance: Our model simplifies compliance with data localization requirements, as customer data remains in the customer's chosen locations.
- Transparency: Clear separation between customer data and the metadata we process enhances transparency and auditability.
Current DORA Compliance Status and Enhancement Areas
The following section provides a comprehensive overview of 5X's current alignment with DORA requirements across key operational areas. For each area, we detail our existing strengths and identify specific enhancements needed to achieve full DORA compliance, offering a clear picture of our compliance journey.
1. ICT Risk Management Framework
Current Compliance:
✅ Comprehensive risk assessment and management processes
- Annual risk assessments covering threats and changes to service commitments
- Documented risk management program including threat identification, risk rating, and mitigation strategies
- Clear risk tolerance levels established and reviewed annually
✅ Established control environment
- Defined organizational structure with assigned roles and responsibilities
- Regular review and updates of information security policies and procedures
- Management oversight of risk management activities
Enhancement Areas:
- Develop ICT-specific risk management strategies aligned with financial sector requirements
- Enhance risk assessment methodology to include DORA-specific risk scenarios
- Implement more granular risk reporting mechanisms for financial sector-specific ICT risks
- Establish a dedicated ICT risk management function with direct reporting to senior management
- Develop comprehensive ICT asset management processes, including dependencies and interconnections
2. ICT-Related Incident Management, Classification, and Reporting
Current Compliance:
✅ Established incident response procedures
- Documented incident response policies and procedures
- Incident logging, tracking, and communication processes in place
- Defined roles and responsibilities for incident management
- Clearly defined root cause analysis processes and documentation
✅ Monitoring and detection capabilities
- Use of intrusion detection systems for continuous monitoring
- Log management tools to identify potential security events
- Regular vulnerability scans and security assessments
Enhancement Areas:
- Adapt incident classification and severity thresholds to align with DORA's major incident criteria
- Implement automated reporting mechanisms so that affected financial entities can meet DORA's reporting timeframes (initial notification within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it, followed by intermediate and final reports)
- Develop financial sector-specific incident scenarios and response playbooks
- Establish formal communication channels with relevant financial supervisory authorities for incident reporting
3. Digital Operational Resilience Testing
Current Compliance:
✅ Regular security testing
- Quarterly vulnerability scans on external-facing systems
- Annual penetration testing with remediation plans for identified vulnerabilities
- Continuous monitoring and patch management processes
✅ Testing documentation and review
- Documented results of security tests and assessments
- Management review of testing outcomes and remediation actions
Enhancement Areas:
- Implement a formal Threat-Led Penetration Testing (TLPT) program as per DORA requirements, including participation in pooled tests where 5X supports multiple financial entities
- Enhance scenario-based testing to include financial sector-specific attack vectors
- Establish partnerships with testing providers that meet DORA's requirements for TLPT testers
- Develop a comprehensive resilience testing strategy covering all critical ICT systems and processes
- Implement advanced testing methodologies, including simulations of large-scale cyber attacks
4. ICT Third-Party Risk Management
Current Compliance:
✅ Vendor management program
- Critical third-party vendor inventory maintained
- Annual review of critical third-party vendors
- Due diligence processes for vendor selection
✅ Contractual safeguards
- Written agreements with vendors including confidentiality and privacy commitments
- Right-to-audit clauses for critical service providers
Enhancement Areas:
- Develop more granular risk assessment criteria for financial sector ICT services
- Enhance monitoring and reporting mechanisms to meet DORA's oversight requirements
- Implement more rigorous testing of exit plans and transition arrangements
- Establish processes for continuous monitoring of critical ICT third-party providers
- Develop comprehensive sub-outsourcing policies and controls
5. Information and Intelligence Sharing
Current Compliance:
✅ Established communication channels
- Procedures for notifying customers of critical system changes
- External-facing support system for reporting issues and concerns
Enhancement Areas:
- Establish formal processes for sharing information with financial supervisory authorities
- Develop mechanisms for secure and timely sharing of incident-related information with affected clients
- Expand participation in financial sector-specific threat intelligence sharing platforms
- Implement secure communication channels for sharing sensitive information
- Develop policies and procedures for responsible disclosure of vulnerabilities
6. Data Protection and Processing
Current Compliance:
✅ Strong data protection measures
- Data classification policy to ensure proper security of confidential data
- Encryption at rest of the sensitive metadata we hold, including customer warehouse connection details
- Access controls and monitoring for systems processing customer metadata
✅ Data minimization and purpose limitation
- Processing limited to metadata; customer data remains in their own data warehouses
- Clear documentation of data handling and processing activities
✅ Flexible data residency options
- Primary infrastructure in AWS US East 1, with the ability to deploy to other regions as needed
- Customer data remains in client-controlled environments, enhancing data sovereignty
Enhancement Areas:
- Enhance data protection impact assessments to specifically address financial sector risks
- Implement more granular data lineage tracking for financial transaction-related metadata
- Develop specific data protection measures for financial data processing
- Enhance data breach notification processes to align with DORA requirements
7. Business Continuity Management
Current Compliance:
✅ Documented business continuity plan
- Annual testing of the business continuity plan
- Defined recovery time objectives (RTOs) and recovery point objectives (RPOs)
- Detailed communication plans for various disruption scenarios
✅ Backup and recovery processes
- Regular backups of critical data
- Documented and tested recovery procedures
Enhancement Areas:
- Enhance business continuity plans to specifically address ICT-related disruptions
- Establish alternate sites and redundant systems for critical ICT services
- Enhance resilience of critical ICT systems to meet DORA's expectations for continuity and recovery of critical functions, and validate that the defined RTOs and RPOs are achievable in testing
8. Cloud Computing and Outsourcing
Current Compliance:
✅ Cloud service provider management
- Due diligence processes for cloud service provider selection; 5X currently uses AWS as its cloud provider
- Monitoring of cloud service provider performance and compliance
Enhancement Areas:
- Implement stronger controls for data portability and interoperability
- Develop comprehensive exit strategies for cloud services
- Enhance monitoring and auditing capabilities for cloud-based services
Roadmap to Full Compliance
5X is fully committed to achieving comprehensive DORA compliance by Q2 2025. While our current SOC 2 Type II attestation and GDPR compliance provide a strong foundation, we recognize the enhancements required to fully meet DORA's specific requirements for critical ICT third-party providers in the financial sector.
We maintain a proactive stance on regulatory compliance and are dedicated to transparency throughout our DORA compliance journey. Our compliance team is available to provide further details or discuss specific compliance aspects. For any compliance-related inquiries, please contact us at . This document will be regularly updated to reflect our progress and any relevant regulatory developments.
Last Updated: October 7th, 2024