Reporting ICT-Related Incidents in Compliance with DORA
The increased need for ensuring digital operational resilience within financial entities, and hence the entire financial sector requires a solid way of working with ICT-related incidents. One of the building blocks to strengthen the digital operational resilience within the financial sector is to further harmonise how financial entities within the sector detect, manage and report on ICT-related incidents, as well as to be able to classify cyber threats that may result in a major ICT-related incidents. Most financial entities with a high maturity in their risk management already have a well-functioning incident management process implemented. However, DORA (The Digital Operational Resilience Act) is introducing new requirements for the management, classification and reporting of ICT-related incidents, challenging financial entities to take another maturity step.
All financial entities should have a mature incident management process for ICT-related incidents and cyber threats. As the requirements state that financial entities must be able to record all ICT-related incidents and significant cyber threats, they must have established routines and procedures to monitor, identify, categorise, classify and report ICT-related incidents. To establish a well-functioning and streamlined incident management regime, there are three main pillars that must be paid attention to according to DORA;
- Management of ICT-related Incidents
- Classification of ICT-related incidents
- Reporting of ICT-related incidents
Management of ICT-related incidents
Financial entities must ensure that their management of ICT-related incidents has appropriate processes consisting of certain building blocks required by DORA. The process must have early warning indicators in place, to give information to the financial entities about a potential incident before it has been materialised. There should also be procedures to identify, track, log, categorise and classify ICT-related incidents, preferably in a streamlined way that does not have an impact on available resources. Furthermore, DORA requires financial entities to assign roles and responsibilities for various incident types and establish communication plans to be activated in case an incident occurs.
A well-functioning management of ICT-related incidents must include detailed processes especially for the classification of ICT-related incidents as well as reporting of major ICT-related incidents as the requirements for mentioned areas are extensive and detailed as explained below.
Classification of ICT-related incidents
Classification of incidents is crucial for a financial entity as it helps determine which incidents may have potential impact not only on the entity and its customer but also on connected entities and possibly the entire financial sector. DORA and its accompanying regulatory technical standards (which are still proposed drafts) suggests what criteria should be considered when classifying an ICT-related incident, as well as what thresholds that should be met for classifying an incident as a major ICT-related incident.
The criteria that must be considered when classifying an incident are following;
- Clients, financial counteracts and transactions affected
- Reputational impact
- Duration and service downtime
- Geographical spread
- Data losses
- Critical services affected
- Economic impact
All the classification areas will have materiality threshold values that can be relative or absolute terms such as a set percentage of clients affected. The suggested approach for determining whether an incident is major or not involves designating certain criteria as so called primary, while the remaining are considered secondary. These criteria will guide financial entities in assessing whether the incident is major or not. If a threshold value is met in a so-called primary criteria, or if a combination of met threshold values in the secondary criteria, the incident is considered major.
For a financial entity to be able to ensure that all incidents are evaluated according to the set criteria and their threshold values in a way that does not lead to an increased administrative burden and resources, the entity must ensure that it has reliable data and definitions set for their data. Lack of access to reliable data will make the classification time consuming and involve more resources than necessary for each incident, resources that might be of better use in resolving the incident instead.
The classification should also be done on cyber threats. Financial entities should assess whether a cyber threat should be classified as significant or not. A cyber threat is considered significant based on the criticality of the services as risk. According to the proposed regulatory technical standards, a cyber threat is deemed significant if it has the potential to result in a major ICT-related incident or major operational or security payment-related incident.
Reporting of major ICT-related incidents and cyber threats
The requirements on reporting major ICT-related incidents state that all financial entities should report on major ICT-related incidents. The reporting on cyber threats is voluntary, where financial entities can choose to report if they conclude that the cyber threat could have an effect on the financial system or is major according to the classification requirements.
All financial entities should report all major incidents with undue delay after being aware of the incident, as well as informing their clients about it and how it is being managed. The reporting should be done in three separate reports.
The first report is the initial notification, which will be followed up by a secondary intermediate report as soon as the status of the incident reported in the initial notification has changed, or new information on the incident is available. Once the root cause analysis of the incident has been performed, the third and final report should be sent. This report should also use actual impact values if estimates have been used in earlier reports.
The reporting procedures are more extensive than what many financial entities are accustomed to. This requires financial entities to have an established processes for reporting to authorities, as well as informing their clients and handling potential questions that may arise from clients affected by the incident.
Conclusion
As described in this article, the requirements for how financial entities should handle ICT-related incidents are more extensive than they have been before. The aim is to harmonise and streamline the ICT-related incident reporting regime for financial entities but for the entities to be able to manage incidents in a compliant way without experiencing a strain on resources, they must ensure that their processes for incident management are streamlined and up to date, and that data needed for both classification of incidents and reporting of incidents is available and correct. To ensure a smooth incident management process, it is worth ensuring that all necessary steps are already up to date. This prevents the realisation of missing elements in the processes once the incident has happened.
On October 27th we will host a webinar exploring incident management and classification. Learn more and register here.
For more information please contact:
