Herculean efforts are underway across the financial services sector to ensure compliance with the Digital Operational Resilience Act, better known as DORA.
DORA, passed by the EU in 2022, aims to protect customers in Europe from cyber-security threats by creating uniform requirements for the security of network and information systems used in the financial sector. An estimated 22,000 financial entities with customers in the EU must be compliant with DORA by January 17, 2025.
It’s not enough for financial institutions to be DORA compliant within their own systems
This is a massive undertaking for compliance teams, in no small part because financial institutions are so reliant on third-party ICT service providers: Per DORA, it is not enough for financial institutions to be DORA-compliant with their own systems; they are also responsible for the security practices of their vendors and must register all contractual arrangements they have with ICT vendors.
As such, contracts themselves have emerged as a critical piece to the DORA compliance puzzle. In fact, Article 30 of DORA spells out the minimum terms that must be included in any ICT contract.
Yet even with regulators literally spelling out what is required in ICT contracts, compliance is anything but assured due to insufficient contract visibility.
What this means for governance, risk and compliance
In an age of rapid digital transformation across business processes and systems, contracts have remained notably analog for many financial organizations. Most organizations lack a single source of truth for contracts across the enterprise, and the contracts they do have access to are not digitized in a way that makes their contents easy to review in bulk or integrate with their governance, risk, and compliance (GRC) systems.
In the past, the only recourse in these cases would have been to hire large numbers of paralegals to find contracts scattered across the business, review them against their risk policies, and then initiate renegotiations for non-compliant contracts. The cost would be huge, and the chance for human error significant.
But in a stroke of good luck for any compliance manager, now we have generative AI.
Icertis is working with some of the biggest financial institutions in the world to leverage our Risk Assessment Copilot to analyze ICT vendor contracts at scale, specifically for DORA compliance.
Risk assessment with gen AI
The Risk Assessment Copilot leverages the highly secure Microsoft Azure OpenAI LLM to review contracts in bulk, prompting the model with a series of pre-defined questions about each contract's data security provisions.
Users then get a dashboard report showing which required clauses are present, which are not, and which have language that deviates significantly from approved contract language and should be reviewed. In this example, we can see that the “IT locations description is not present,” violating a DORA provision and returning a risk score of 10 out of 10.
The Risk Assessment Copilot also provides insights into the impact of risk aggregation across a corpus of contracts, where an individual contract's impact may fall below a critical threshold but the aggregate impact exceeds a regulatory threshold.
Once risk is detected, Icertis streamlines corrective action.
Integrated risk discovery
A significant advantage of our Risk Assessment Copilot compared to eDiscovery point solutions is that it is embedded in the Icertis Contract Intelligence platform, which has end-to-end contract management capabilities. This improves operational resiliency and can ensure proper incident reporting per contract requirements.
Bulk actions auto-create obligations to address noncompliance
Bulk actions can be taken regardless of contract volume: Our platform auto-creates obligations to address non-compliant cases, which can then be routed to the vendor for review and signing within a single system.
This kind of workflow is crucial for companies with tens of thousands of contracts with IT service providers. Often, remediation activities in these cases exceed 100,000 tasks, a volume manageable only with an intelligent system capable of assessing, recommending, and executing all the necessary tasks to become compliant before January 1, 2025.
New contracts automatically assessed for DORA compliance
New contracts can also be automatically assessed for DORA compliance, to ensure no new risks emerge. Post signature, vendor obligations can be tracked through automated alerts, workflows, and reports. As regulations change or new requirements are added, the Copilot can recommend updates to the contract.
At Icertis, we call this contract intelligence – the ability to ensure that every contract a company enters into reflects the intended business and compliance outcomes, and that those outcomes are realized in practice.
While contract intelligence is hugely beneficial for managing operational risk such as DORA compliance, its applications are countless: Business continuity, GDPR compliance, credit/market risk, surfacing inflation clauses, Know your Supplier/Customer … the list goes on, and we can rest assured that regulators will be adding to this list well into the future!
To learn more about our unmatched approach to contract management and contract AI, contact us today.