Regulation on digital operational resilience for the financial sector (DORA) - Part III: ICT-Related Incidents

In the previous article, written by my colleague Petr Šimsa from the PwC Cyber&Privacy team, the key principles and requirements of the ICT risk management framework in the DORA proposal were described.

According to DORA's requirements, financial entities will have to establish a management process to monitor and log ICT-related incidents and classify them according to criteria set out in DORA and further developed by the relevant European Supervisory Authorities. Only major incidents must be reported to the competent authority. Let us take a closer look at the most important steps the evaluation and reporting process should consist of.

  • Classification of ICT-related incidents

Proper evaluation and reporting of ICT-related incidents help financial entities understand the causes of those incidents and mitigate their subsequent adverse impacts. All ICT-related incidents should be properly classified, and their impact must be evaluated based on the number of users and the criticality of the services affected, along with the duration, severity and geographical spread of the incident. The next important step is to evaluate the impact of the incident on the confidentiality, integrity and availability of the data. It is also necessary to take into account, in particular, the economic and reputational impact which may be caused by these types of incidents.

  • Reporting of major ICT-related incidents

Reporting is one of the key parts of DORA's incident management process requirements. After collecting and analysing all relevant information about the incident, the financial entity needs to create an incident report and submit it to the competent authority. This process is divided into three stages: an initial notification, an intermediate report, and a final report after the root cause analysis has been completed. If an incident has or may have an impact on the financial interests of service users and clients, financial entities must notify them without undue delay. Finally, the major incident details are provided to the European Supervisory Authorities or to other relevant public authorities. Based on that information, the competent authorities can take all the necessary steps to protect the stability of the financial system. DORA further sets the following objectives for the reporting process:

  • Harmonisation of reporting content and templates - The European Supervisory Authorities, through the Joint Committee and after consultation with ENISA and the European Central Bank, are expected to develop common draft regulatory technical standards and common draft implementing technical standards for the reporting of major incidents. The Joint Committee is a forum of the three European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) which, among other things, ensures cross-sectoral coordination.
  • Centralisation of reporting of major ICT-related incidents - Centralisation should be achieved by creating a single EU Hub for major ICT-related incident reporting. The Joint Committee, in consultation with the European Central Bank and ENISA, shall prepare a report assessing the feasibility of establishing the single EU Hub and shall devise ways to facilitate the flow of incident reporting and reduce the associated costs.

At the end of the process, the competent authority has to provide its feedback and guidance to the financial entity in order to discuss remedies and ways to minimise adverse impacts across sectors. The European Supervisory Authorities should also report on ICT-related incidents annually, indicating the number of major incidents, their nature, the affected operations and the measures taken to remediate the situation. The European Supervisory Authorities must also issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments.

Harmonising and streamlining the reporting of incidents is achieved through a general standard requiring financial entities to implement and maintain an ICT-related incident management process. Only incidents deemed to be major will be reported to the competent authorities, and they should be processed using a common template and a consistent procedure developed by the European Supervisory Authorities. However, with the growing reliance of the financial sector on information and communication technologies and the increasing number of cyberattacks and other ICT-related incidents, no ICT-related incident should be underestimated. By adhering to this process and to the other rules, financial entities, together with the competent authorities, can reduce the security risks to the financial system as well as the cost of remedial measures.

The next article will focus on Chapter IV of DORA - Digital Operational Resilience Testing.

Yulia Zhuleeva 

PwC Cyber&Privacy