In the previous article, written by my colleague Yulia Zhuleeva from the PwC Cyber&Privacy team, the key requirements for the management process to monitor and log ICT-related incidents were described.
The term resilience has been in use for a decade in many variants but is nevertheless still sometimes misconceived. DORA defines it as “ … the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of the services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems that a financial entity makes use of, and which support the continued provision of financial services and subsequent quality”. What is hidden between the lines is that assuring and reviewing operational integrity requires moving from ad-hoc to more mature processes when it comes to resilience testing. DORA also explains that vulnerabilities going undetected in financial entities and being “hence unaddressed” could threaten the stability of the financial sector, and it does not accept this state of affairs. The remedy should come in the form of an integral testing programme whose aim is to identify and explore the possible ways in which an organisation could be compromised.
DORA recognises a broad range of techniques under a risk-based approach, “including vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source-code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing or penetration testing.” There are also mandatory specifics on the nature and extent of testing, listed in articles 21-24:
- Implementation of a full-range programme supporting the testing of all critical ICT systems and applications at least yearly.
- Threat-led penetration testing (with proportionality applied). Frameworks for threat-intelligence-supported testing are to be further technically standardised by the EBA, ESMA and EIOPA.
- Central securities depositories and central counterparties are obliged to perform vulnerability assessments before any deployment and in the case of redeployment of critical components.
- Obligatory addressing of findings (which means nothing less than full remediation of the discovered issues).
On top of that, the proposal includes requirements for testers, covering their indemnity insurance, reputability and industry certification; external testers must provide mandatory assurance or an audit report regarding the sound management of the risks associated with the execution of threat-led penetration testing.
The proposal indeed describes the fragmentation of the current rules and standards, the regulatory overlaps and the blind spots. Resilience testing would be standardised, and integral testing programmes would be built.
What can be inferred from DORA is that digital operational resilience is the ability of an organisation not only to prepare for but also to adapt to and withstand disruptions affecting its environment, including but not limited to cyber attacks. Resilience testing programmes should therefore not be perceived as a single goal. It would be a mistake to treat resilience as a binary concept (either you have it or you do not). Rather, it is about admitting that a breach might happen and could go undetected, and preparing to withstand exactly that possibility.
Michal Wojnar
PwC Cyber&Privacy