Building a Resilient Digital Economy: The Power of Standardized Organizational Identity
In an increasingly digitalized world, cyberattacks are becoming more frequent and sophisticated. With all critical infrastructure relying heavily on third-party ICT service providers, enabling the consistent and unambiguous identification of these providers through standardized, verifiable organizational identifiers is key to ensuring trust and cyber resilience. The European Union's Digital Operational Resilience Act (DORA) marks an important regulatory precedent that addresses this challenge for the financial sector and should be adopted globally to secure all digital ecosystems worldwide.
Author: Alexandre Kech
Date: 2024-12-18
Cyberattacks present an immediate and growing threat to global financial stability.
A 2024 report from the International Monetary Fund (IMF) found that over the past 20 years, the financial sector has been subjected to more than 20,000 cyberattacks, resulting in direct losses of $12 billion – not to mention the indirect costs caused by reputational damage.
Worse is to come. The IMF report reveals that attacks have doubled since the COVID-19 pandemic, with the rapidly increasing frequency and sophistication posing "an acute threat to macro-financial stability through a loss of confidence, the disruption of critical services, and because of technological and financial interconnectedness."
The issue of "technological interconnectedness" is of particular concern. While financial firms are widely recognized as cybersecurity leaders, digitalizing financial services means institutions increasingly depend on third-party ICT service providers to support critical functions and deliver core services directly.
An analysis by the three European Supervisory Authorities found that around 15,000 of these providers serve financial institutions across the EU alone. This poses challenges to operational resilience on two fronts. Financial institutions' reliance on multiple providers may introduce various points of weakness and fragment operations. It also has the potential to create complicated, opaque supply chains that are difficult to unpick – particularly in the event of a cybersecurity incident. Conversely, the widespread use of certain providers (in, for example, cloud computing services) raises the risk of individual attacks or issues spilling over to become systemic problems.
Given the stakes involved, ensuring ICT service providers are subject to a certain level of regulatory oversight is a key policy aim across multiple jurisdictions. The European Union has taken a leadership role in this regard by introducing the Digital Operational Resilience Act (DORA), which aims to strengthen the operational resilience of financial entities by improving their ability to manage ICT-related risks.
Bolstering Operational Resilience Through Standardized Organizational Identity
Identifying the ICT service providers used by financial entities is key to managing such risks, highlighting the importance of standardized, verifiable organizational identifiers such as the Legal Entity Identifier (LEI).
As a global public good, the LEI is a standardized identifier that can be applied to all ICT third-party providers worldwide. By enabling the consistent and unambiguous identification of entities across borders, the LEI addresses fragmentation and:
Enhances corporate structure detection: The LEI allows the identification of corporate links between ICT third-party providers, both within and outside the EU. This helps institutions and supervisors detect interconnectedness and potential operational risks that are otherwise obfuscated by complex corporate structures.
Joins the dots: The LEI acts as a data connector, enabling automated integration with other essential data sources such as local registration authorities (e.g., the local business register or chamber of commerce), financial services providers, and securities markets. This facilitates a more comprehensive view of ICT dependencies.
Enables digital integration and automation: The LEI's fully digital ecosystem allows for seamless data reconciliation through freely available API access and full-file downloads. This digital framework eliminates manual intervention and allows for rapid data collection and analysis, giving institutions and supervisors the tools they need to monitor ICT dependencies and make more informed decisions.
Streamlines due diligence, compliance, and incident reporting: Accurate LEI-based identification minimizes reporting errors, enhances data quality, and supports more reliable compliance submissions. In the event of ICT-related incidents, LEIs provide a clear, standardized reference for all parties involved. This simplifies incident reporting, ensures consistency, and aids quick resolution efforts.
Creating a Resilient Digital Economy
It is apparent that the increasing velocity and sophistication of cyberattacks have implications that extend far beyond financial services. The complexity of today's digitalized world means that all critical infrastructure heavily relies on ICT service providers. Therefore, global supply chains, healthcare provision, energy and utilities, telecommunications, and transportation are exposed to the same significant vulnerabilities.
DORA offers a framework to start addressing this challenge. Acknowledging the importance of standardized, verifiable organizational identification as a critical enabler of cyber resiliency and trust in digital ecosystems marks an important regulatory precedent that should be replicated across all corners of the global economy.
Alexandre Kech is the CEO of the Global Legal Entity Identifier Foundation (GLEIF).
Prior to joining GLEIF, Alexandre Kech was Head of Digital Securities at the SIX Digital Exchange. As a member of the Executive Board, Alex had full executive responsibility for the Digital Securities business vertical, including sales and relationship management, product development, business design, and ecosystem expansion.
Over the past 25 years, Alex has constructed a unique career combining finance at BNY Mellon, payments/securities infrastructure and standards at SWIFT, and blockchain and digital assets at Onchain Custodian (ONC) and, most recently, Citi Ventures. As co-founder and CEO of ONC, Alex led the Singapore and Shanghai-based team that built custody and prime brokerage services for crypto and other digital assets from scratch. As Blockchain & Digital Asset director at Citi Ventures, he built a team to engage the European ecosystem on emerging use cases for blockchain technologies and digital assets.
Alex is also involved in industry and standardization initiatives. As the convenor of the ISO TC 68 / SC8 / WG3, which produced the ISO 24165 Digital Token Identifier (DTI), he is a member of the DTI Foundation Product Advisory Committee. He also recently served as co-chair of the Global Digital Finance (gdf.io) custody working group.
Alex earned a bachelor’s degree in translation and an Executive MBA from the Quantic School of Business and Technology while building Onchain Custodian, putting theory into practice in real time.