ICT risk management
ICT risk management is an important means of detecting and managing ICT risks in a structured way. DORA describes both the process side of risk management and its implementation in technical measures.
The requirements are set out in Chapter II (Articles 5 to 16) of the Regulation. These articles deal in detail with, among other things, the ICT risk management framework, Business Continuity Management (BCM) and employee learning and evolving in relation to ICT security and digital operational resilience.
Alongside the requirements set out in the Regulation, various topics are further elaborated in Regulatory Technical Standards (RTS). These RTS provide details of both the ICT risk management framework and the simplified risk management framework. The regular framework applies in this regard to all companies, as described in Article 2(1), while the simplified ICT risk management framework only applies for a number of specific types of companies.
ICT risk management framework (ICT RMF)
The ICT risk management framework must include, among other things, the strategies, policies, procedures and ICT tools that are necessary to protect all ICT assets and relevant physical components.
The ICT risk management framework must be reviewed at least once a year (or periodically in the case of microenterprises) and any adjustments to the framework must be documented. The framework must be continuously improved on the basis of lessons derived from implementation and monitoring. Finally, the framework must be subject to independent audits on a regular basis. The conclusions from the audits must be acted upon.
Business Continuity Management (BCM)
Business Continuity Management (BCM) in IT is important to ensure the stability of a company’s services. DORA states that BCM plans must be periodically tested and that the necessary crisis communication arrangements must be in place.
These requirements are set out in Articles 8 to 12 of the Regulation:
• Companies must clearly map their ICT landscape. For this, it is important that all ICT-supported business functions, roles and responsibilities are identified, classified and documented. The same also applies to the ICT assets and applications supporting these business functions.
• Institutions must continuously monitor and review the security and functioning of ICT systems. This aids the protection of ICT systems and reduces the risk of cyber incidents.
• Companies can further reduce their ICT risks on ICT systems by implementing ICT security tools, policies and procedures that aim to ensure the resilience, continuity and availability of ICT systems. Since not all incidents can be prevented, it is important that financial institutions have in place detection mechanisms to promptly detect anomalous activities and to identify single points of failure. Institutions must respond appropriately upon the detection of an anomaly.
• Companies need to develop and implement an ICT business continuity policy. This policy must include arrangements, plans, procedures and mechanisms aiming, among other things, to ensure that the continuity of critical functions is safeguarded, that ICT-related incidents are appropriately resolved in a way that limits damage and that all relevant internal and external stakeholders are informed of the incident that has occurred.
Certain topics related to BCM, such as testing of the BCP and the response and recovery plan, are elaborated further in the RTS.
Reactive measures
In addition to prevention, reactive measures also play an important role. For example, DORA requires companies to establish detection mechanisms, as well as processes and techniques to deal with detected deviations. An important part of this is the production of back-ups in case risks nevertheless materialise.
In the event of an ICT-related incident, it is important to analyse the cause or causes of the disruption and to identify any required improvements to prevent any recurrence of the disruption.
It is also important for companies to have in place crisis communication plans enabling an adequate response in case of major ICT-related incidents. This includes, among other things, the responsible disclosure of vulnerabilities to staff, clients and other direct stakeholders.
Training and awareness
Employees play an important role in the implementation of IT policy. DORA therefore also focuses on the development of IT awareness programmes, which must take account of the differences in employees’ work.
As regards learning and evolving, it is important that companies have in place adequate capabilities and staff to gather information on vulnerabilities, cyber threats and ICT-related incidents. Financial entities must take account of technological developments, the results of digital operational resilience testing and ICT incidents that have occurred.
Further elaboration of the RTS
We will further explain a number of topics from the RTS here. These topics are a further elaboration of Article 15 in the regulation.
Simplified framework
In art. 16 describes a simplified framework for ICT risk management that applies to a number of exempt institutions.