Frequently Asked Questions (FAQs) on CyberArk’s DORA Compliance

The Digital Operational Resilience Act (DORA) is a regulation established by the European Union to enhance the resilience of the financial sector against information and communication technology (ICT) risks. It sets out requirements for managing ICT risks, reporting incidents, and ensuring operational continuity. As an ICT provider, CyberArk acknowledges that it has a responsibility to assist its financial sector customers’ own compliance with DORA, as detailed in these FAQs.

CyberArk has a Regulatory Addendum designed to supplement our terms, comply with DORA requirements imposed on ICT providers and support our financial sector customers in meeting their own DORA compliance obligations. Our Regulatory Addendum is incorporated by reference into our relevant customer-facing contracts, and a copy is available upon request to your usual CyberArk account relationship contact point. Our Regulatory Addendum is aligned to our services and internal processes, and we consequently find it much more straightforward for both parties to use our template rather than a customer’s version.

Our DORA addendum outlines the specific obligations and responsibilities of CyberArk in its role as a subcontractor to our financial-sector customers under DORA, in particular to comply with Article 30 of DORA. It includes provisions for ICT risk management, incident reporting, third-party risk management, and cyber threat information sharing.

CyberArk’s Business Continuity Management (BCM) program is designed to minimize the impact of disruptions on our essential business activities. It includes response, recovery, and resumption efforts for all aspects of our business, not just technology components. The program is regularly updated and tested to ensure its effectiveness.

In line with market practice, we publish a list of our subcontractors on our Privacy Center. Customers can subscribe to alerts to be notified of any change to this list. We use a variety of subcontractors to help host and deliver our services, and the geographic locations of our critical subcontractors are also set out on the Privacy Center.

CyberArk implements a range of security measures to protect customer data, including physical security controls, employee training, secure software development life cycle, network security, cloud environment controls, and data protection policies. We also conduct regular security assessments and audits to ensure compliance with industry standards and regulations. Customers can stay informed by visiting our Privacy Center and Trust Center, where we provide updates on our compliance efforts, security practices, and any changes to our subcontractors. Additionally, customers can reach out to our support team for any specific inquiries or concerns.

We maintain an up-to-date internal incident response policy. We monitor emerging security risks through the expertise of our own people and the advice of leading external legal and professional consultants. We would report to the customer any breach affecting the customer's data without undue delay, in line with our legal obligations.

In addition to the internal measures set out in question 7, CyberArk assesses, monitors, and oversees the security of our third-party ICT service providers. We have designed processes to flow down DORA requirements to relevant third parties, including appropriate security measures to protect against ICT risks.

CyberArk services are developed and provided according to industry security practices, such as those prescribed by OWASP and NIST, which include, among other measures, frequent security reviews and testing. CyberArk also conducts benchmark assessments against the Continuous Audit Metrics Catalog issued by the Cloud Security Alliance. CyberArk conducts recurring security and resilience tests to identify and address vulnerabilities in line with our Product Vulnerability Management Policy; this includes penetration testing, vulnerability assessments, and other security evaluations of the robustness of our ICT systems. In addition, our Regulatory Addendum reflects the mandatory requirements set out in Articles 26 and 27 of DORA, which allow financial sector customers to conduct threat-led penetration testing (TLPT) covering CyberArk's services. The administration of CyberArk services is also protected by various security, compliance and governance measures, including data isolation and real-time monitoring of access.

Yes, CyberArk has an Exit Plan for its customers as detailed under our DORA Addendum. This Exit Plan is designed to support our customers’ business continuity upon termination including customers’ data export and support.

Last updated December 2024