DORA-compliant digital resilience strategy. What documents should it include?

24.07.2025

Digital operational resilience has been a widely discussed topic recently. In December 2022, the European Union adopted the Digital Operational Resilience Act for the financial sector (DORA). This regulation significantly raises the bar for the financial sector’s cyber threat preparedness in the European Economic Area. In this article, we present a framework of documents to help you ensure compliance with the regulation.

What is digital operational resilience?

In Article 3, DORA defines digital operational resilience as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems that a financial entity uses and which support the continued provision of financial services and their quality, including throughout disruptions.”

The regulation establishes uniform requirements for financial entities to secure network and information systems that support business processes. These requirements are divided into four categories:

  • requirements applicable to financial entities, including management of the risks posed by the ICT they use, reporting of serious ICT incidents to the competent authorities, testing of digital operational resilience, and sharing of information on cyber threats and vulnerabilities;
  • requirements related to contractual arrangements between financial entities and external ICT service providers;
  • a defined framework for the supervision of key ICT suppliers whose customers include financial entities; and
  • a framework for cooperation between competent authorities, together with rules for supervision and enforcement with respect to financial entities.

What is a risk management framework?

It is a set of strategies, policies, procedures, protocols, and ICT tools that are critical to properly defending an organization’s information assets and ICT resources. These assets include systems, hardware, servers, and physical elements, such as server rooms and other restricted-access areas. Financial institutions must continuously identify ICT-related risks and establish protection and prevention measures. They are also responsible for detecting incidents and other problems affecting their ICT environment.

Risk management framework and DORA

Every financial entity covered by DORA is required to identify, classify, and adequately document all ICT-supported business functions, tasks, and responsibilities, as well as the information and ICT resources supporting these functions. They must also understand the dependencies among these functions and resources that bear on ICT-related risk.

These obligations can be met by implementing a robust, comprehensive, and well-documented risk management framework. The framework must be robust because it is an organizational tool that enables your company to address a range of ICT risks. It must also be comprehensive given the wide range of risks you face daily. Finally, it must be well-documented so that it can be easily used. An effectively implemented ICT risk management framework enables you to ensure a high level of digital operational resilience appropriate to your business needs, the size of your organization, and its complexity.

As previously mentioned, risk management frameworks should be well documented and reviewed at least once a year, as well as after a serious ICT incident. Remember to update the documentation with any conclusions and new information that arise during ICT environment tests, incidents, or normal system operation.

The proposed downloadable material lists all the documents that comprise the risk management framework.

Digital resilience strategy

A digital resilience strategy is part of the ICT risk management framework that defines how your organization will implement this framework. It includes methods for preventing ICT risks from materializing and explains how the risk management framework supports the business strategy. The strategy should define the risk tolerance limit and analyze the impact of ICT disruptions.

Another task of the strategy is setting clear information security objectives, including performance and key risk indicators. The document should explain the reference ICT architecture and describe all necessary changes to achieve the company’s objectives. Additionally, it should present the mechanisms introduced in the organization to detect, prevent, and protect against ICT-related incidents. Finally, it must present a plan for testing digital operational resilience and a communication policy for incidents.

The strategy should also describe the current state of digital operational resilience, taking into account the number of reported incidents and the effectiveness of the ICT environment’s defenses. DORA permits a single digital resilience strategy to cover multiple ICT providers but requires that dependencies on individual partners be disclosed.

Depending on their individual situation, each financial entity should create a set of documents related to its digital resilience strategy. As DORA mentions, these documents may include “ICT strategies, policies, procedures, protocols, and tools.” In this article, we propose those that should be prepared alongside the digital resilience strategy.

Risk management policy for external ICT service providers

The first of these is a risk management policy for external ICT service providers.

Chapter V of DORA, “Managing of ICT third-party risk,” is a complementary and fundamental part of the regulation. It sets out principles for minimizing risk when working with external ICT providers. This is because there have been many cases of attacks on critical infrastructure through providers’ environments. Financial entities should determine if cooperation concerns critical or important functions, if there are conflicts of interest, and if the conditions in Article 28 are met. Suppliers should meet relevant information security standards, and those involved in critical or important functions should apply the most up-to-date and highest information security standards.

The Regulation requires the creation and maintenance of an organization-wide registry of all contracts with ICT suppliers and the services they provide. Consider which parts of the contract relate to critical, important, or non-critical functions. Remember that your company must provide the competent authorities with information on the categories of suppliers and new arrangements with them at least once a year, upon their request. This is no small task, as ICT suppliers include not only IT tools (SaaS, etc.) but also services and IT consultants. Supervisory authorities sometimes indicate in their materials that if you are wondering, “Is this an ICT supplier?” then the answer is yes.

Business continuity policy and business recovery plan

Even the best plan cannot prevent all events and incidents. For this reason, DORA places a strong emphasis on business continuity. An ICT service continuity policy can be part of an organization’s overall business continuity strategy. Its purpose is to ensure the operational availability of a financial entity’s critical functions. This is achieved through a quick, appropriate, and effective response to incidents and their resolution in a way that limits damage.

Therefore, it is important to include the following in a business continuity policy:

  • plans that use various measures to limit the effects of ICT-related incidents;
  • procedures that allow systems to be restored in response to threats.

In addition, the document should include:

  • a process for assessing the impact of an incident;
  • a crisis communication process for employees and external parties;
  • a plan for periodic audits.

Plan for digital operational resilience tests

Your organization cannot fully understand its level of digital operational resilience without periodically testing its ICT environment. For this reason, DORA devotes an entire chapter (IV) to this issue. The test plan should include specific descriptions of the tests, methodologies, and tools used to conduct them. The entity that will carry out the tests should also be indicated. This may be an external company with the appropriate qualifications or financial entity employees, provided they have sufficient resources and no conflicts of interest.

The frequency of testing should be specified, with critical and important functions tested at least once a year. Entities that are neither micro-enterprises nor entities permitted to apply a simplified ICT risk management framework must carry out penetration tests at least once every three years.

Risk management is the key to digital resilience

Ensuring digital operational resilience is a primary objective of the regulation. This can be achieved by establishing a risk management framework and a digital resilience strategy, among other things. In our article, we have described the documents resulting from DORA concerning this objective.

According to Article 6(10), the financial entity you work for may outsource the verification of compliance with ICT risk management requirements to external entities. Nevertheless, the ultimate responsibility for this task remains with your company. Therefore, you must be aware of the tasks arising from the regulation.
