I'm really happy to introduce our first speaker, Tobias Stähle, who will talk about Lessons Learned and Insights from DORA Implementation. Tobias, welcome on stage. Thank you so much. Thank you.
So, it's my first day at the conference, but I guess you have spent already the last two days here, so welcome also on the last day from my side. I hope it will be a nice session for you, some fruitful thoughts, maybe, and insights. DORA indeed is not the major thing, it's basically also about the transformation which we went through the last two and a half years, but I would like to share insights on how it went and obviously also then connecting the dots to DORA and NIS2 regarding the learnings, what we make and expect in the very close, let's say, future.
You see, ecosystem partner, let me just talk about this. Usually you talk about, or name it, third parties, end parties, supplier, vendors.
In German, we have the "Dienstleister", I don't like it at all, it's a "Leistung" and "dienen", "dienen", really a horrible word. We talk about ecosystem, we talk about partnership, and usually we have three partners. We have the service provider, so to say, the partners, we have the internal ones in the company, the ecosystem, and last but not least, our clients and their partners, actually, who help their customers, so to say, to connect to our systems. So my name is Tobias Stähle, I'm Deputy Chief Security Risk Officer at Deutsche Börse.
I'm also head of section, and one of my units is basically dealing exactly with this topic, helping the Deutsche Börse group to become more secure and to manage these topics. Again, I'm going to ramp it up in the next few minutes, challenges and lessons learned. I think this is maybe something which you really care about most, and then we're going to, so to say, fly to DORA and NIS2. DORA and NIS2 will also basically be moving in, in the challenges and lessons learned, but you will see that in a minute.
So for the last two and a half years, or two years, we have basically been fully focused on rebuilding our ecosystem partner security risk management process. We started from an Excel sheet, we started from no risk segmentation, a very inconsistent framework, be it now contracts, be it now classification, criticality of ecosystem partners, and I'm not even talking about our Excel-based risk assessment, and there were almost no risk treatment decisions. So we were motivated by external drivers, as you can imagine, right?
But also from internal pushes to completely rebuild it, and that means we really started from the green field. Okay? And we had three major objectives. We wanted to optimize our framework, really contracts, methodologies, how we are doing the things, and also in terms of resources. We wanted to fully revise our way, how we understand the exposure of our partners against our own requirements, and last but not least, we wanted to get rid of emails and Excel sheets, and hence we wanted to embark on a cloud or a software-as-a-service solution, and so hence we did it.
When we now talk a little bit about the challenges in the project, I would like to just, let's say, recap or bring in front of you how this process itself actually works when you deal with such situations, ecosystem partners, right? So you have a need, business wants to engage with somebody, wants to buy a service from outside, then actually you start conducting negotiations.
You do the selections, actually, and then you negotiate, and then afterwards you assess the criticality of your provider, and when you are really lucky, you initiate the assessment and finish it before you go live, which is in Germany a regulatory requirement, assessments before go live. It's one of the most unfeasible things to implement, usually, when it comes to time to market, and then actually you have the reporting.
So DORA requires reporting, have a comprehensive reporting, actually, on a quarterly basis, and then actually do a refresh on a yearly basis, reaching out again against your requirements, and at the end of the day, actually, you do an off-boarding, okay?
When I'm now sharing lessons learned, we're going to focus on the contracts, because this is something which is really most important, also from a DORA perspective, and I will also talk about the assessment itself, because also the assessment process is against current and target expectations, is something which is really most important, also from a DORA perspective, but also from this perspective, and for all of those which are regulated. This is the standard thing which regulators expect from us. And there is one more elephant, actually, and this is the reporting piece.
We can, let's say, if you would like, also talk a little bit about this, but this is maybe a session of its own for us, to talk about how our partners can report on a frequent basis about their security status. Before we come into this: Börse is, again, highly regulated, right? We have basically a couple of regulators really sitting on our neck, be it now Germany or be it Luxembourg, from a Deutsche Börse perspective, and they really take it seriously, okay?
They have a long history of issuing regulations, and they really take it seriously when they come to us, and they articulate loud and clearly what they expect from us, and they really stick to it word by word, just putting some interpretations on this. That's what you need to keep in mind. This may not always be, let's say, the blueprint or the silver bullet, gold bullet for your organization, but this is giving you a flavor and feeling when you now, let's say, in the future have Börse exchanges or banks in mind, and you see what they are dealing with.
One of the key challenges actually was, and I call this here contract control framework and assessment paradox, is that you need to connect the dots, okay? Now, these three dimensions of contract and control framework, your internal one, and the assessment, by nature, have completely different attributes, characteristics, right? So the contract one should be, or is intended to be, as long as possible to stay there, right?
Unchanged, you're going to sign it, it's there, and that's it. But the contract should deal, connect the dots with the control framework, right? And this control framework you have, you have hundreds and you have thousands of individual requirements, and you cannot bring that in the contract, because nobody will sign it. A very low level, a very individual level, right? And this framework is going to change, right? In Germany, it's expected that you review it every year, which IT doesn't like, and security as well, because you have permanently moving targets from your investment allocations.
But then you have your assessment. If you're now sending out questionnaires and asking for evidence, you're going to face the challenge that you again cannot ask your partner 1,000 questions, but you are asked to understand how compliant your partner is against your own individual requirements. And there we are.
So 2,000, Deutsche Börse has round about 1,800 requirements. In an Excel sheet, which is the number of the lines, you cannot ask for it, you cannot bring it in the contract. So you have a kind of a challenge. And we were asked by our beloved regulators to make it consistent and connect the dots at any time. So we built a tripod, and those who are in astronomy, cosmology, we sent it to the Lagrange point, okay? In the orbit. And it stays there until the meteorite, actually DORA, is currently coming and really speeding up and maybe putting our system in an unbalanced situation.
So what we did, actually, to sort this out, was that we said we're going to write a contract which deals with a general section, like audit rights, which is a no-brainer, it's backed up by regulations. The second one, what we did, is we only wanted to have one contract, which is applicable for all. That means in that contract, we have different services, like cloud, like software development, like consulting, and we link it to the ISO.
That means we take the ISO 27001, we take the control objectives, we phrase it as a control, as a high-level control, and then actually inject it in that table process. So that's stable. Why is it stable? Because our control framework is linked to ISO, and whenever you change on a lower level, the ISO remains at least for the next few years stable, okay? And then actually, the third dimension of this framework agreement was that we wanted to disconnect the contract from the service contract and wanted to have a master one. Why?
Because the service contracts are coming in and going in a very high frequency. And this is really hard to negotiate all the time. When you have, at the year end, hundreds of contracts coming in, and you need to attach to each contract, like in the DORA world, by the way, your DORA or your information security contract, okay? That means we put it up to the master agreement. It stays there. It covers the legacy. It covers the as-is, and will cover also the future. And it can stay there, so to say. Yes. Sorry to interrupt. You need to click here also.
Oh, really? I did?
Oh, sorry. You need to click here. Sorry. Sorry. That's the one. Sorry. You need to say something, right? So this was the process here, right? Okay. But you will see maybe the slides here. Sorry for that. This is the framework here, okay? Sorry. Thanks for this. Next time you say something quicker, yeah? More earlier. Yeah? Yeah. Yeah. I hope this is right.
But, you know, it was just a test, right? So that's the thing, right? So what I was talking about, the three components. Framework agreement, three sections, and the questionnaire and the control framework. So that's basically the thing, the tripod. I need to close this. It's fully irritating, yeah? Should I follow the recommendations of a colleague, yeah? Yeah?
Yeah, absolutely, yeah? So the assessment questionnaire is basically, and I'll come to that later on, is then an extract of our control framework, which is the basic number, the Roman three. And what we did is, and I have a slide if we would have time, is that we are sending out a questionnaire via our system, but we are not sending it out as the majority of the companies are doing, is having a question and an empty cell, where then usually companies have their standard answers, they copy and paste it, and then you get sort of everybody gets the same answers.
Because we believe it's too cumbersome for us to review, and we cannot actually, so to say, automatically understand the compliance against our requirements. So what we did is we basically took the ISO control objectives, rephrased it as a question, and then gave four complementary answers, multiple choice, which reflects our control requirements. So basically we have 100 questions and we have 400 answers. Each question, four answers. But what we realized in the meantime is that our partners don't like it so much. And you can imagine why. Because the copy and paste doesn't work anymore.
Because they have now standard answers, which they usually paste in, now they need to read 400 answers. They need then to assess whether they comply or not, and they need to always actively say yes or no. And this is another thing: our BaFin, our regulators expect us to get evidence. It means whenever somebody says yes, BaFin expects us that we have a Word document, a PDF, evidence that the answer is, so to say, really right. Which means actually, so we have around about 250 companies in scope of our full population to execute risk assessments.
And that means our top number one provider sent us 256 documents. So currently we are, I think, at 6,000 or so in our database, only for 85 companies, which we finished. It's a huge exercise. And DORA actually, and also NIS2, what I'm hearing, is quite close in the expectations. When we talk contract, because this is, now contract a little bit understood maybe, but the thing was when we deployed it, we found about 700 partners which were contract relevant in scope of our deployment of the framework agreement for information security and the regulators.
And we also wanted that everybody is on the same level of the versioning. So we reached out in a big bang, 500 was the first phase and the rest was then later, and reached out to all of these partners globally and asked them to sign, with a team of about 10 over 14 months. And I'm proud to say that we had signatures two a day, okay, over 220 days, two a day brought us round about to 500 within 14 months. And these are the eight answers, my top eight answers, when partners didn't want to sign. And it's a hierarchy.
Because they are not bad, okay, they don't have bad intent, but they are usually told not to sign. They don't want to sign, obviously, because it's a legally binding document. But I am in the situation that I have to get a document, which is a contract. The first four are basically the answers, which is usually the big ones, the US, and the other five to eight are, so to say, the answers which usually come from small and medium companies, okay, because we all have small and medium companies.
And so I love number four, by the way, if you want to read one, then number four is maybe the best from a security perspective, it's maybe the one which you would really not like. But this is what you hear, because you usually hear: we don't sign. Can you please sign ours?
And I say, obviously, no. Then they say, but we have a SOC 2 report or ISO certificate.
And I say, this is not a contract, as you know. And then they say, look, but the software is under your governance, we don't sign, okay. And then usually it follows basically to the one which is "can you pay us", number five, okay. A lot of small, medium-sized companies don't have lawyers. And they ask for two, five, 6,000 euro to pay. And obviously, we are NIS2 and we are DORA. The same thing, right? At the moment, there is a wave going out from DORA in-scope companies, and they are hitting the mailboxes of all of the companies across the globe, and they have all different contracts.
And they have all to be signed, the most important ones in the middle of Chen. We had also number eight, which is, I think, quite interesting, is they said we cannot sign.
Okay, no chance. Either you take it or we leave it. We just talk exit. Not that many, fortunately, but we had this as well. And we indeed exited in some cases, very few, but we did, we could not, or then afterwards. So when you meet DORA, and I'm not sure who's in the negotiations, but I jumped in, 20% of our cases went to my plate on escalations, we don't want to sign. This was the top eight. And all of them were basically, as you can read, not really motivated by why they cannot sign the contract itself. It just shows that they really cannot, they don't want to.
The contract was defendable to almost 100%. There was no reason why you would have redlining. But it was basically, we cannot sign, we don't want to sign, which is, I guess, for the DORA one also the same thing, right? When we talk risk assessment, we will have data discussion, I think, on blockchain and how the modern fancy stuff. This one is about what we did on risk assessment. So we did really categorize our ecosystem partners, we gave them a scoring, all, and we do the diligence only for a really tailored one.
And they get, if they are really important also, that we send auditors to them, and partners, and we select them, and then they get, and so to say, a current target assessment on site. And we really then check whether they really implemented what we would expect. We'll see here, the thing. How much time do we have? Two minutes, two and a half minutes, right? One minute. One minute.
Okay, fine. I want to share this because this goes back, we did a survey two years ago with Bertolt and this is basically the distribution of more than 100, or in this case here, 93 companies, global, highly regulated, and how many questions they sent out, okay? So Deutsche Börse currently has up to 100 at the moment, so we are up to 75 percentile. But you see that there are also companies who send questionnaires out with up to 250 questions and more.
And this is really tough, really tough for the organization because it's not standardized and you can imagine what that means because it's just the first thing, then remediation, and then risk treatment comes next. This is the multiple-choice thing example. Before we come to DORA, last thing on this one and a half minutes, this is DORA. If you want to describe DORA, you can just take three numbers, okay? DORA can be categorized as 40 documents. It's more than 1,000 pages and it's more than 1,400 requirements.
And the good thing is it basically replaces the former BAIT or the VAIT, which is the banking or the insurance regulations for security, and each document has just 15 pages. This is cool, okay? So at least we are now getting 1,000 pages, which is basically even deployed globally and replacing the 15 pages with the current as-is, okay? So not all of you may be relevant for DORA, but obviously if you're working for financial institutions, I guess sooner or later you will be hit by a request to sign a contract or, B, to contribute to a risk assessment, yeah? You can answer that and be confessed.
It's not only about answering it, when we answer our questions and you are failing to comply with all these four multiple choices. One is a breach already, and you must always say yes to all. Then we go back and we say, please remediate. And then we are managing the remediation. Not managing, but we will go back and say remediate, because BaFin says to us, you must give it a try before we go to risk treatment. Thanks for the attention. Perfect. Thank you very much, Tobias.