In the previous article written by my colleague Veronika Šípošová from the law firm PwC Legal, the Regulation on digital operational resilience for the financial sector (“DORA”) proposal published by the European Commission has been introduced. This article outlines the main requirements of ICT Risk Management, which should be stated based on this proposal.
DORA, as with the General Data Protection Regulation or ISO/IEC:27001 standard, has its core in a strong risk-based approach. It has the minimising of cybersecurity risks for financial institutions as its goal. This approach is maybe best reflected in Chapter II of DORA, - the ICT risk management. DORA lays down strict obligations to management bodies of financial institutions since they play an integral part in ICT risk management and they are responsible for designing the ICT risk management framework.
The first part of Chapter II addresses the risk management governance and organisation requirements including in particular those for setting roles and responsibilities, planning and periodic auditing.
The second part of Chapter II introduces the ICT risk management framework itself as a critical component of the regulation. The roots of the framework are inspired by the international, national and industry-set standards, guidelines and recommendations that will significantly reduce costs of DORA implementation for institutions that did their information security compliance homework. he ICT risk management framework defined in DORA introduces the following phases:
- Identification: The financial institution is obliged to identify and classify the ICT-related business functions, information assets and supporting ICT resources (not limited to production applications, but including hardware, software and network infrastructure or legacy systems) based on which risks posed by current cyber threats and ICT vulnerabilities are identified and assessed.
- Protection, prevention and detection: Financial entities shall (based on the risk assessment) design, procure and implement ICT security strategies, policies, procedures and technologies that aim at, in particular, ensuring the resilience, continuity and availability of ICT systems, maintaining high standards of security, confidentiality, integrity and availability of data and to ensure ongoing monitoring and detection of the anomalies, threats and compromises of the ICT environment.
- Response and recovery: The financial entities are obliged by DORA to establish the policies and procedures to adequately react to identified security incidents including additional “ICT-Related Incident” requirements, (an area that will be described in the next article) and establish Business Continuity Policy and Disaster Recovery Plans and testing.
- Learning and evolving: As the cyber threat landscape is not static, organisations are obliged to include continuous learning and evolving in the internal processes in order to be able to decrease cyber security risks.
- Communication: DORA requests that financial institutions define the communication strategy, plans and procedures for communication of the identified ICT-related risks and incidents.
As described above, the structure does not significantly deviate from standard Information security risk management as defined in industry standards – e.g. in ISO/IEC:27005.
What can be found questionable, is Article 5 (4) of the proposal. Based on this provision, financial entities other than microenterprises are obliged to, as part of the ICT risk management framework, further implement an information security management system based on recognised international standards (e.g. ISO/IEC 27001: Information Security Management System) and in accordance with supervisory guidance and regularly review it. This requirement will, for some institutions, lead to additional complexity around DORA implementation and, at the same time, will increase the costs of the implementation of additional processes and procedures in the information security management system.
The next article will focus on Chapter III of DORA – ICT-Related Incidents.