ICT related incidents

Article 17 of the Regulation sets out the requirements for the ICT-related incident management process. The management process helps firms to adequately detect, report and handle ICT-related incidents. Firms should establish and implement appropriate policies and procedures to minimise the impact of these incidents. Chapter III (Articles 22 and 23) of the RTS on ICT Risk Management provides further information on what firms should include in their ICT-related incident management policy and what mechanisms they should implement to detect and respond to incidents.

The ICT-related incident policy should enable firms to implement technical, organisational and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours. In addition, firms should establish a list of persons with internal functions and external stakeholders that are directly involved in ICT operations’ security in the ICT-related incident policy. This should include the persons responsible for detecting and monitoring cyber threats, detecting anomalous activities and vulnerability management. Firms should establish and implement processes and methods to analyse significant or recurring ICT-related incidents.

The ICT-related incident management policy ensures the recording and consistent monitoring, handling and follow-up of all ICT-related incidents, to ensure that root causes are identified, documented and addressed. By establishing and implementing an effective policy in this area, firms can minimise the likelihood of incidents recurring. Another aim of the management policy is to put in place plans for communication towards internal staff, external stakeholders and the media, in accordance with the communication policy (see also Article 14 of the Regulation), and to ensure that major ICT-related incidents are reported to the relevant management staff.

To ensure an effective detection of and response to ICT-related incidents and anomalies, it is important that the roles and responsibilities in this area are clearly defined and communicated within the organisation. In addition, firms should implement detection mechanisms that enable them to:

• collect, monitor and analyse internal and external factors, including system log information;
• collect, monitor and analyse potential internal and external cyber threats, including frequent scenarios;
• collect, monitor and analyse information about third-party ICT-related incidents;
• identify anomalous activities and behaviours and put in place tools for generating alerts for anomalies;
• record, analyse and review relevant information on all anomalous activities.

As the incident reports contain important (and often confidential) information, it is crucial that this and other relevant information about the incident are stored securely and protected from unauthorised access and alteration. In addition, key information about the incident, such as the date and time the anomaly occurred and the type of incident, must be recorded in a log file. Finally, the ICT-related incident procedure must be initiated where there are indications of unauthorised activity on an ICT system or network or where there are indications that an ICT system or network is no longer secure. Other instances in which the ICT-related incident procedure should be followed are in case of loss of data and system or network outage. In this regard, due account must be taken of the criticality of the services affected.

A proper system of classification of ICT-related incidents and cyber threats is essential to ensure an effective management process. This helps firms to determine the resources needed to address and resolve the incident. It also helps in communicating the status and expectations to stakeholders within the organisation. Firms may determine their own incident classification criteria, provided that they enable a distinction to be made between major incidents, cyber threats and all other incidents (low impact, medium impact, etc.).

For the purpose of classifying ICT-related incidents, firms should use various criteria that help determine the impact of the incident on the organisation and external stakeholders. These criteria are:

• The number and relevance of clients affected by the incident. The clients concerned are those who use the firm’s services or the financial counterparts with whom the firm has a contractual arrangement. In addition, firms should determine the extent to which the impact of the incident affecting clients also affects the firm’s own business objective. Finally, the relevance of a client is determined by considering the client’s impact on the firm’s ability to achieve its objectives;
• The data losses that the ICT-related incident entails. For this purpose, firms need to determine whether data are still accessible (availability), whether the data are inaccurate or incomplete (integrity) and whether the data have been accessed or disclosed by unauthorised users (confidentiality);
• The criticality of the services affected for the firm’s operations. This is the case if the incident affected ICT services that support important or critical business functions;
• The reputational impact caused by the incident. Firms determine the reputational impact by considering how much market attention the incident received. This may include, among other things, investigating whether the incident received media coverage, whether complaints were received from clients or whether the firm is unable to comply with legal requirements as a result of the incident;
• The duration of the incident. The firm determines this by measuring the time that elapsed between the occurrence and the resolution of the incident. If the precise moment of occurrence cannot be determined, the firm can instead take the moment when the incident was established or the time it was recorded in log files or other data sources. If the precise time of resolution is unknown, firms may make an estimate to determine when the incident will be resolved;
• The geographical spread with regard to the areas affected by the incident. In order to determine the geographical spread, among other things firms assess the impact of the incident on the clients, other offices or institutions within the group in at least two EU Member States;
• The economic impact of the incident in absolute and relative terms, in particular direct and indirect costs and losses stemming from the incident.
If one or more of the criteria cannot be determined with certainty, an estimate should be made using the available data.

To determine whether the ICT-related incident should be classified as a major incident, the firm should consider the criteria on which the incident had a material impact. The first step is to determine whether the incident affected the firm’s critical services. If this is not the case, there is no major incident. If critical services are affected, the incident should be classified as a major incident in case of successful, malicious, and unauthorize access to network and information systems, which may result to data losses. In addition, an incident will be classified as a major incident if it has had a material impact on two or more of the criteria mentioned above. Detailed explanations regarding material impact are provided for each criterion in the RTS. Recurring ICT-related incidents, even if not individually classified as major, can still be classified as major if they occur more frequently within a three-month period. For this to be the case, the incident must occur more than twice, have the same cause and have a similar impact. Cyber threats are classified as significant when the threat has an impact on the critical or important business functions of the firm, other financial institutions, third parties or clients. In addition, the likelihood of the cyber threat materialising should be considerable. Finally, the cyberthreat must have material impact on the criteria in the list above, in the event that the threat materialises. If the cyber threat meets all the conditions, it must be classified as significant.

An ICT-related incident that is classified as major must be reported to the supervisory authority. Based on the report, the supervisory authority can implement the appropriate follow-up actions and measures and prevent the incident from having an adverse impact on the remainder of the sector. Where the incident also has an impact on the financial interests of their clients, firms must inform them about the major ICT-related incident and about the measures that have been taken to mitigate the adverse effects of the incident. In addition to mandatory ICT-related incident reporting, firms may also, on a voluntary basis, notify significant cyber threats to the supervisory authority when they deem the threat to be of relevance to the remainder of the financial sector, financial service users or their clients. The requirements for reporting ICT-related incidents and notifying cyber threats are set out in Article 19 of the Regulation and Articles 20(a) and 20(b) of the RTS/ITS for incident reporting. They also specify what firms should include in the incident report.

Initial notification

Once a firm determines (based on the criteria in the previous section) that a major ICT-related incident has occurred, it must submit an initial notification to the supervisory authority. The time limit for doing so is 4 hours from the moment the incident is classified as major, and a maximum of 24 hours after the incident is first detected. When submitting the initial notification, firms shall provide the general information about the incident, such as the description of the incident, the date and time of detection of the incident and the classification of the incident (including the assessment of the aforementioned criteria). Furthermore, it is important that the firm provides information on how the incident was discovered, whether the incident is recurring as well as information about the source (cause) of the incident. If possible, firms should also provide an indication whether a business continuity plan has been activated as a result of the incident and whether the incident has had an impact on other financial institutions and third parties.

Intermediate report

Following the initial notification, firms should also submit an intermediate report to the supervisory authority in the event of major ICT-related incidents. The intermediate report must be submitted within 72 hours of the classification of the incident or as soon as regular activities have been recovered to levels as they were prior to the incident. As with the initial notification, firms should include in the intermediate report information about the date and time of detection of the incident and the criteria that were used to determine that it concerned a major incident. The firm should also describe the type of incident and provide information about affected functional areas, such as business processes and infrastructure components supporting business processes. The intermediate report should additionally include an indication whether a communication about the incident to clients has taken place as well as information about temporary measures and actions taken by the firm to recover from the incident. Finally, it is important that firms provide information about the consequences of the incident. For this, firms must examine whether vulnerabilities have been exploited and whether there are any indications that IT systems or the IT infrastructure can no longer be used securely.

Final report

No later than one month after the classification of the incident, the firm should submit a final report to the supervisory authority. If the incident has not been resolved by that time, the final report should be submitted no later than one day after the incident is finally resolved. The final report should include the date and time when the incident was resolved, information about the root cause of the incident and information about the firm’s inability to comply with legal requirements and contractual arrangements/SLAs (where applicable). The final report should also include information on the measures and actions taken by the firm for the resolution of the incident and, together with additional controls, to prevent similar incidents in the future. It is also important for the firm to provide information about direct and indirect costs stemming from the incident.

In addition to (mandatory) major ICT-related incident reporting, firms may also, on a voluntary basis, notify significant cyber threats to the supervisory authority. If they choose to make a notification, it is important that key information about the cyber threat is shared with the supervisory authority. This information consists of the date and time of detection of the significant cyber threat, a description of the cyber threat and the status of the cyber threat. In addition, it is important that the firm provides information about the potential impact of the cyber threat on the entity and a description of the actions taken to prevent the materialisation of the threat. Where clients have potentially been affected by the cyber threat, firms have an obligation to inform them of appropriate protection measures and actions they can take.