DORA: new security incident management rules for financial services

Incident management related to information and communication technology (ICT) is a critical aspect of ensuring the security and continuity of all important business services that financial institutions and other regulated service providers deliver to their clients. The ability to detect, manage, and notify incidents related to ICT can mean the difference between a minor disruption and a major catastrophe. To this end, to meet DORA’s requirements the ICT-related incident management processes that financial entities develop should cover all aspects of incident detection, management, and notification.

Internal steps

The first step in creating an effective incident management process is to carefully define it. In many cases, DORA will require the adaptation of existing processes rather than the creation of completely new ones. The scope should be established, all relevant stakeholders identified, and roles and responsibilities of each stakeholder documented. The process should be integrated and consistent across the organisation.

A key new part of the process will require financial entities to record all ICT-related incidents and significant cyber threats. This includes documenting the incident or threat, its severity, the impact on operations, and any follow-up actions taken. DORA does not explicitly set out a minimum threshold for the recording of incidents. However, if the incident will not have an impact on the service the financial entity provides to its clients it may not need to be recorded as it will fall outside the definition of an incident for the purposes of DORA. Recording incidents and cyber threats in compliance with DORA will allow for the identification of patterns and trends. This information can then be used to improve the incident management process over time.

To ensure that incidents are handled in a consistent and integrated manner, financial entities must adapt their specific incident response procedures to meet DORA’s requirements. This includes setting up early warning indicators, a system for identifying and tracking incidents, logging and categorisation mechanisms, and assigning roles and responsibilities for different incident types and scenarios all in accordance with DORA.

Communication is also a key aspect of incident management. Financial entities must have plans in place for communicating with staff, external stakeholders, and the media, as well as for notifying clients. Internal escalation procedures and the provision of information to financial entities that act as counterparties must also be established. Again, consideration should be given to which stakeholders need to be involved to ensure that all relevant communications are made.

Major incidents must be reported to relevant senior management and “the management body”, with an explanation of the impact, response, and additional controls to be established as a result of the incident. The objective is for this to allow for timely and effective responses to major incidents, both within the organisation and across the sector.

Incident response procedures should be designed to mitigate the impact of incidents and ensure that services become operational and secure in a timely manner. They need to focus on restoring services, as well as provide for additional controls to prevent similar incidents from occurring in the future.

Financial entities must also classify ICT-related incidents and cyber threats. Incidents should be classified based on the number and/or relevance of clients or financial counterparts affected, the duration of the incident, the geographical spread, the data losses, the criticality of the services affected, and the economic impact. Cyber threats are classified based on the criticality of the services at risk, the number and/or relevance of clients or financial counterparts targeted, and the geographical spread of the areas at risk.

The European Supervisory Authorities (ESAs) will have a significant role to play incident management. They are responsible for developing common draft regulatory technical standards for the criteria which will determine what should be considered a major incident, materiality thresholds for reporting incidents, and criteria for assessing the relevance of major incidents to member state regulators and the public.

Regulatory reporting and client notifications

Financial entities are to report major ICT-related incidents to their regulators, using templates the ESAs will make available. They will need to submit an initial notification, intermediate report, and final report within the time limits to be set out in the ESAs regulatory technical standards. Credit institutions classified as significant must also report the incidents to the relevant national competent authority, who will then transmit the report to the European Central Bank.

On a voluntary basis, financial entities may also notify significant cyber threats to regulators. They may choose to do this when they believe the threat is relevant to the financial system, service users, or clients. Clients are to be informed of major ICT-related incidents and the measures taken to mitigate the adverse effects. Financial entities must also inform clients of significant cyber threats and provide any appropriate protection measures.

Member states may also require financial entities to provide initial notification and reports to computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555.

ICT third party supplier contracts

For some financial services providers the incident management requirements of DORA will be consistent with their current practices and existing regulatory requirements. For others, DORA will require significant changes to be made.

All financial institutions will need to review their contracts with their technology suppliers to ensure that they meet DORA’s mandatory contractual requirements relating to managing incidents. They should also review these contracts to ensure that they are receiving all necessary cooperation, assistance and information from their suppliers and their subcontractors in order to meet their own incident management compliance obligations.