OneTrust, the market-defining leader for trust intelligence, today announced the expansion of OneTrust solutions to help organizations drive operational resilience and risk management across their extended enterprise, as well as comply with regulations like the European Union’s (EU) Digital Operational Resilience Act (DORA). 

Through DORA, the EU seeks to strengthen the IT security of financial entities. The legislation affects not only banks, insurance companies, and investment firms in the EU, but also critical information and communications technology (ICT) vendors that contract with these financial entities. DORA joins several other regulations, including NIS2, FCA, and LkSG, which aim to strengthen operational resilience. The Act’s inclusion of ICT third-party risk as part of the overall risk management framework is a transformative requirement for many financial entities and the organizations they conduct business with, making them newly accountable for all downstream risk across third, fourth, and ultimately nth parties. 

“Lack of visibility across third and fourth parties is an all-too-common challenge that makes it difficult to manage risk effectively and drive operational resilience,” said Matthew Moog, General Manager, Third-Party Risk at OneTrust. “OneTrust offers our customers a data-driven risk-based approach, visibility into their extended enterprise, and robust capabilities to manage ICT risk and third parties proactively, and at scale. With these solutions, they can strengthen operational resilience and support compliance obligations for DORA and beyond.”

How OneTrust helps organizations with DORA today

OneTrust provides a comprehensive platform that can help organizations achieve resilience in the financial sector and operationalize DORA compliance – most notably for requirements under ICT third-party risk management and ICT risk management.

• Proactively manage third-party risk: With OneTrust Third-Party Management, centralize the end-to-end risk management lifecycle to identify, mitigate, monitor, and analyze third-party and supply chain risks while driving risk-informed contracting workflows. Continuous monitoring can also alert ICT management to weakness, data breaches and more.
• Scale technology risk management: With OneTrust IT and Security Risk Management inventory and connect entire IT ecosystems to identify, measure and monitor risk, and inform decisions to improve security posture and streamline compliance.
• Drive compliance efficiencies: With Compliance Automation, streamline ICT control implementations and oversight, and access out-of-the-box DORA framework with pre-mapped policies, controls, and evidence tasks unique to the new regulatory requirements.  
• Prepare for compliance audits: OneTrust Audit Management supports audit readiness by providing an integrated, yet independent workspace to centralize controls and workpapers. OneTrust connectivity makes it easy to streamline evidence collection while testing controls across systems.
• Gain real-time insights across hundreds of regulations and frameworks: With OneTrust DataGuidance, leverage the world’s most extensive regulatory library that delivers real-time insights across hundreds of regulations and frameworks, and built by a network of in-house researchers, hundreds of legal experts, and translators. 

Expanding OneTrust Third-Party Management to further help meet regulations like DORA 

To further help organizations strengthen their digital supply chain and enhance ICT resilience, OneTrust is delivering several new OneTrust Third-Party Management capabilities to more efficiently manage third-party risk, including:  

• AI Driven Assessment Auto Complete: Complete assessments faster on third-party ICT vendors by using AI to parse through SOC 2 reports, evidence, and other documentation. 
• Engagements and Contracts Reporting: Strengthen your ability to identify and assess relevant risk in relation to contractual arrangements by gaining visibility into key risk and performance metrics with customizable reporting and visualizations for engagements and contract attributes.
• Hack Notice Breach Alerts: Get early warning signs of critical ICT incidents and stay on top of third-party breaches with custom alerts when new breach information is flagged about any of your connected third parties, including SEC Disclosure documentation.

Today, OneTrust Third-Party Management helps organizations understand their fourth-party security risk posture, apply automated due diligence screening of fourth parties, and assess subprocessors through assessments. Along with these capabilities, OneTrust continues to expand its offerings that strengthen operational resilience, particularly around fourth and nth parties. OneTrust will soon introduce several advanced fourth-party management capabilities, including the ability to automatically identify, link, and assess fourth and nth parties to efficiently monitor concentration risk and demonstrate proportionality. 

Next steps

• Read our blog: Navigating the Digital Operational Resilience Act with OneTrust
• Attend the live demo: Building your third-party risk management program with OneTrust
• Learn about OneTrust’s latest innovations to enforce responsible use of data and AI

About OneTrust

OneTrust unlocks the full potential of data and AI, securely and responsibly. Our platform enforces the secure handling of company data, empowering organizations to drive innovation responsibly while mitigating risks. With a comprehensive suite of solutions spanning data and AI security, privacy, governance, risk, ethics, and compliance, OneTrust enables seamless collaboration between data teams and risk teams to enable rapid and trusted innovation. Recognized as the market leader in trust, OneTrust boasts over 300 patents and serves more than 14,000 customers globally, ranging from industry giants to small businesses. For more information, visit www.onetrust.com.

© 2024 OneTrust LLC. All rights reserved. OneTrust and the OneTrust logo are trademarks or registered trademarks of OneTrust LLC in the United States and other jurisdictions. All other brand and product names are trademarks or registered trademarks of their respective holders.