Building a Resilient Digital Economy: The Power of Standardized Organizational Identity

Cyberattacks present an immediate and growing threat to global financial stability.

A 2024 report from the International Monetary Fund (IMF) found that over the past 20 years, the financial sector has been subjected to more than 20,000 cyberattacks, resulting in direct losses of $12 billion – not to mention the indirect costs caused by reputational damage.

Worse is to come. The IMF report reveals that attacks have doubled since the COVID-19 pandemic, with the rapidly increasing frequency and sophistication posing “an acute threat to macro-financial stability through a loss of confidence, the disruption of critical services, and because of technological and financial interconnectedness.”

The issue of “technological interconnectedness” is of particular concern. While financial firms are widely recognized as cybersecurity leaders, digitalization of financial services means institutions increasingly depend on third-party ICT service providers to support critical functions and deliver core services directly.

An analysis by the three European Supervisory Authorities found that around 15,000 of these providers serve financial institutions across the EU alone. This poses risks to operational resilience on two fronts. Financial institutions' reliance on multiple providers introduces various points of weakness and fragments operations. It also creates complicated, opaque supply chains that are difficult to unpick – particularly in the event of a cybersecurity incident. Conversely, the widespread use of certain providers (in, for example, cloud computing services) raises the risk of individual attacks or issues spilling over to become systemic problems.

Given the stakes involved, ensuring ICT service providers are subject to the same stringent requirements and regulatory oversight as financial institutions is a key policy aim across multiple jurisdictions. The European Union has taken a leadership role in this regard by introducing the Digital Operational Resilience Act (DORA), which aims to strengthen the operational resilience of financial entities by improving their ability to manage ICT-related risks.

Bolstering Operational Resilience Through Standardized Organizational Identity

Identifying the ICT service providers used by financial entities is key to managing such risks, highlighting the importance of standardized, verifiable organizational identifiers such as the Legal Entity Identifier (LEI).

As a global public good, the LEI is a standardized tool that can be applied to all ICT third-party providers worldwide. By enabling the consistent and unambiguous identification of entities across borders, the LEI addresses fragmentation and:

  • Enhances corporate structure detection: The LEI allows the identification of corporate links between ICT third-party providers, both within and outside the EU. This helps institutions and supervisors detect interconnectedness and potential operational risks that are otherwise obfuscated by complex corporate structures.
  • Joins the dots: The LEI acts as a data connector, enabling automated integration with other essential data sources such as local registration authorities, financial services providers, and securities markets. This facilitates a more comprehensive view of ICT dependencies.
  • Enables digital integration and automation: The LEI’s fully digital ecosystem allows for seamless data reconciliation through API access and full-file downloads. This digital framework eliminates manual intervention and allows for rapid data collection and analysis, giving institutions and supervisors the tools they need to monitor ICT dependencies and make more informed decisions.
  • Streamlines due diligence, compliance, and incident reporting: Accurate LEI-based identification minimizes reporting errors, enhances data quality, and supports more reliable compliance submissions. In the event of ICT-related incidents, LEIs provide a clear, standardized reference for all parties involved. This simplifies incident reporting, ensures consistency, and aids in quick resolution efforts.

Creating a Resilient Digital Economy

It is apparent that the increasing velocity and sophistication of cyberattacks have implications that extend far beyond financial services. The complexity of today’s digitalized world means that all critical infrastructure heavily relies on ICT service providers. Therefore, global supply chains, healthcare provision, energy and utilities, telecommunications, and transportation are exposed to the same significant vulnerabilities.

DORA offers a framework to start addressing this challenge. Acknowledging the importance of standardized, verifiable organizational identification as a critical enabler of cyber resiliency and trust in digital ecosystems marks an important regulatory precedent that should be replicated across all corners of the global economy.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.