
Enhancing Digital Resilience: A Call to Action for Swedish Fund Managers

Natalie Burke

Published on October 24, 2024

Preparing for DORA: Building Digital Resilience and Compliance for Fund Managers

The modern financial industry, including fund managers, relies on lean and effective digital solutions, data sharing, and data management. Therefore, it is unsurprising that regulators have established a supervisory framework to ensure European consumers can access innovative financial products while maintaining customer protection and financial stability. The Digital Operational Resilience Act (DORA) will take effect in the European Union starting January 2025, making it increasingly urgent for Swedish fund managers to update their information management processes.

DORA sets new standards to ensure digital operational resilience across five pillars: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; management of ICT third-party risk; and information-sharing arrangements. It establishes uniform requirements for network security and information systems supporting financial businesses, necessitating significant improvements in how fund managers handle and present their data. According to DORA, financial institutions must develop an internal governance framework for ICT risk management.

Hence, board members must assume responsibility for the strategies, policies, procedures, ICT protocols and tools to manage such risks. This implies:

  • Managing new reporting and disclosure requirements in case of incidents or new contracts with third-party ICT service providers.
  • Setting specific roles for new responsibilities within the fund manager and, at the board level, ensuring that the board can understand and assess the ICT risk and its impact on operations (specialist board member, specialist training, etc.).
  • Adhering to the new requirements for contractual provisions with ICT service providers and obligations for fund managers in case of breaches by the service providers.

Our research revealed critical transparency gaps pertinent to DORA compliance. For instance, 78% of fund managers do not disclose their data sources, and 62% fail to provide environmental information. These shortcomings underscore the urgent need for enhanced information management. Aggregating and updating product data, and displaying it online on time, remains a manual process for many fund managers in Sweden. This approach to the information management system may make compliance with DORA more costly and inefficient than necessary.

DORA introduces comprehensive requirements for ICT risk management, demanding that financial entities, including fund managers, develop robust capabilities to manage and mitigate ICT-related risks. While common and convenient, spreadsheet-based solutions often present data integrity and security hazards, as well as risks related to the propensity for errors. The more data is stored and managed in spreadsheets, the more difficult it is to run these processes and to summarise, analyse, and compare the data to empower efficient investor decision-making. Therefore, fund managers should consider more robust solutions to create one source of truth for DORA compliance purposes, internal management, and external reporting, and to configure the required reporting automatically. Although the Excel-based format is appropriate for researching and testing compliance-driven or operational data analysis, once the architecture of these processes is well-researched, it is possible to convert them into a more robust format that would significantly reduce operational risks associated with running them.

Modern analytical solutions like KidbrookeONE can aggregate data from multiple sources and update it regularly, ensuring transparency and accessibility of the information within the firm. In this format, generating the required audit or regulatory compliance documentation could be largely automated, leaving fund managers’ teams additional time to focus on more productive tasks. Adopting contemporary API-driven solutions supports other important pillars of the Act, which mandates regular testing and monitoring of ICT systems, strategic management of third-party risks, thorough documentation, reporting, and auditability and compliance with regulatory standards.

The mounting regulatory burden on portfolio managers and investors underscores the need for greater data visibility and processing efficiency. The upcoming Digital Operational Resilience Act (DORA) demands a change in ICT risk management and information processes for Swedish fund managers. Without robust data capabilities, compliance demands will continue to drain critical resources. Firms that hesitate to embrace digital transformation risk falling behind as regulations evolve. Our research reveals weaknesses in current practices, emphasising the need for automated, robust solutions to ensure compliance and operational efficiency in the Swedish fund management industry. Transitioning from manual, spreadsheet-based systems to API-based analytical platforms will streamline data management, enhance decision-making, and automate compliance reporting.