In our previous blog about the Digital Operational Resilience Act (DORA), we took a deep dive into three out of four technical standards that are part of the first batch that the European Supervisory Authorities (ESAs) have proposed to the European Commission. The Regulatory Technical Standard (‘RTS’) on criteria for the classification of ICT-related incidents and the RTS specifying the policy on ICT services performed by third parties, which we discussed in our previous blog, were published on 25 June 2024 in the Official Journal of the EU. In addition, the remaining RTS of that first batch: the ICT risk management framework was published on the same date. In this blog we will take a detailed look at the as yet unexplored RTS.
Two regimes
Almost all financial entities that are subject to DORA (e.g. credit institutions, payment institutions, investment fund managers and insurers) must adhere to the rules of the general ICT risk management framework (see paragraph 3). On the other hand, small and non-interconnected financial entities benefit from a simplified approach (see paragraph 4).
ICT risk management framework
A proper ICT risk management framework should consist of the following aspects:
- ICT security policies, procedures, protocols and tools;
- a human resource policy and access control system;
- an ICT-related incident detection and response system;
- an ICT business continuity management policy; and
- a review of the ICT risk management framework.
ICT security policies, procedures, protocols and tools
The first part of the RTS concerns the content of several ICT security policies. This includes the following.
ICT risk management policy
A financial entity must have an ICT risk management policy in place, including measures and management procedures to confront threats to the ICT system. ICT risks are potential threats that could impact the ICT infrastructure of a financial entity. Examples of ICT risks include software failure, human error or natural disasters. The policy starts with the establishment of procedures and methodologies to conduct an ICT risk assessment by means of which vulnerabilities and threats can be identified. The methodologies to assess ICT risks require quantitative and qualitative indicators to measure the impact and likelihood of occurrence of these vulnerabilities and threats, offering a more comprehensive view of the risk landscape. Once the ICT risks have been identified, measures must be implemented to ensure that the ICT risks do not materialise or, if they materialise, fall within the risk appetite. Furthermore, the effectiveness of those measures should be monitored. The management procedure should enable the financial entity to make timely adjustments or to implement additional measures, should existing measures prove insufficient.
ICT asset management
The ICT assets of a financial entity are identified and classified in the ICT asset management policy, containing information on its location or the identity of the owner of the ICT asset. A financial entity owns ICT assets that contain confidential data (e.g. email servers, customer data and sales information). A financial entity must correctly identify, classify and document their ICT assets to preserve availability, authenticity, integrity and confidentiality of the data. This information must be updated regularly.
Encryption and cryptography
Financial entities are obliged to use cryptographic keys and encrypt their data. Encryption of data is an important cyber security tool to ensure confidentiality and privacy of communication and information. When selecting cryptographic technologies, financial entities should consider leading practices and reliable techniques, and update cryptographic technology if necessary. To ensure the correct use and protection of cryptographic keys, a cryptographic key management policy should be established.
ICT operations security
To manage the security of ICT systems, an ICT operating policy should be established. Nowadays, financial entities are heavily dependent on ICT systems. The security of those systems must be guaranteed, but at the same time must remain easily accessible. This ICT operating policy needs to cover a description of the ICT assets on installation and maintenance, the capacity and performance of the ICT systems, as well as the control, monitoring and error handling of the ICT-systems.
Furthermore, the vulnerabilities of the ICT assets should be detected through automatic scans and patches should be deployed if necessary. Also, an obligation rests on the ICT third-party service providers to handle and report vulnerabilities. Part of the ICT operations security are the data and system security procedures protecting against intrusions and data misuse. Measures such as access restrictions, security measures and checks on security measures must be implemented. At last, financial entities must have logging procedures in place enabling them to investigate ICT security incidents.
Network security
Network security consists of two elements, 1. the management of network security and 2. security of data. The first element is developed in a policy, containing information on the segregation and segmentation of ICT systems based on their criticality, classification, and risk profile. Financial entities should have a separate network in place for ICT asset administration. The second element, the security of data, in storage and in transit, is regulated. During network transmission, data must stay available, authentic, integer, and confidential, and leakage of data must be prevented. Note that existing data protection laws (such as the GDPR) should always be taken into account when addressing data security.
ICT project and change management
ICT project and management is the organisation, preparations, planning and execution of a new ICT project replacing another. A well-functioning framework aims to maximise the benefits associated with projects, acquisitions and changes and minimise the negative impacts that can result from such change. Part of the framework is the establishment of an ICT project management policy that describes all the elements of the project, such as objectives, planning, risk assessment, milestones and change management requirements. ICT change management is an ICT practice designed to minimise disruptions to ICT services while making changes to critical systems and services. Changes to software, hardware or firmware components must be recorded, tested, assessed, approved, implemented and verified in a controlled manner.
Physical and environmental security policy
Physical components and infrastructure must be protected to ensure that all ICT assets are adequately protected from risks such as natural disasters and unauthorised access to physical places.
Human resource policy and access control
The second part of the risk management framework is the policy on human resource and access control. The first covers the main requirements related to the employment cycle of the staff of the financial entity and its ICT third-party service provider. This includes requirements on contracts, the employment phase, and on requirements to be considered after the termination of the contractual relationship. Additionally, the financial entity is required to control the access of persons and systems to information and ICT systems of the financial entity, including a unique identification of all persons having access.
ICT incident detection and response
Financial entities must have in place mechanisms to promptly detect anomalous activities. The third chapter of the RTS sets out further rules on ICT-related incident detection and response, which complements the rules in DORA. First, an ICT-related incident management policy, containing information on detection of anomalous activities and behaviour must be in place. Second, there must be a list of all contacts with internal functions and external stakeholders that are involved in the ICT operations security. Third, a financial entity must have mechanisms in place to detect and response to ICT incidents. The rules are similar to the ICT incident measures that credit institutions, investment firms and payment service providers have to adhere to in case of ICT incidents.
ICT business continuity management
The business continuity can be severally impacted by a disruption of the ICT services. Therefore, financial entities must ensure an adequate response and recovery of ICT systems by implementing a business continuity policy and response and recovery plans. The policy must contain criteria to activate and deactivate the ICT business continuity plan and provisions on the development, acting, testing and reviewing of ICT response and recovery plans. The rules are similar to the business continuity process that credit institutions, investment firms and payment service providers have to adhere to. However, this RTS sets out step-by-step what the policy should contain.
Report on the ICT risk management framework review
The ICT risk management framework must be reviewed every year. A report of the outcome must be generated and sent to the competent authority upon request.
Simplified ICT risk management framework
The requirements in paragraph 3 do not apply to small and non-interconnected investment firms, payment institutions that are exempted from PSD II, certain institutions that are exempted from CRD, electronic money institutions that are exempted from EMD II and small institutions for occupational retirement provision. For them the objective is to strike a balance between the security of the ICT systems, while avoiding excessive regulatory burdens. The elements of a robust ICT risk management for such entities are:
- a simplified ICT risk management framework;
- other elements of systems, protocols and tools to minimise the impact of ICT risks;
- ICT business continuity management; and
- reporting on the review of the ICT risk management framework.
Simplified ICT risk management
A key element - different from the general framework – of the simplified framework is that the governance and organisation aspect is a crucial part of the risk management framework. The financial entity must have clear roles and responsibilities. Also, policy should be established on the security on data and ICT assets. Similar to the general framework, the ICT assets must be identified, classified and documented. They must have an ICT risk management process, ICT incident management and ensure the physical safety of data against theft, natural disasters and environmental hazards.
Further elements of systems, protocols and tools to minimise the impact of ICT risks
Financial entities subject to the simplified approach still have to comply with numerous rules. Other elements of the ICT risk management framework consist of access control mechanisms to ICT assets and physical locations, the monitoring and management of ICT assets supporting critical functions, the assessment of capacity requirements, performance of vulnerability scanning, management of outdated assets, log events, monitoring and analysis of information on anomalous activities and behaviour. Furthermore, financial entities must remain informed about cyber threats and implement measures to detect security threats and vulnerabilities. Besides, the financial entities require ICT project and change management processes.
ICT business continuity management
Financial entities subject to the lighter regime must have documented ICT business continuity plans in place that are approved by the board to safeguard critical operations in case of severe ICT disruptions. Such plans must be tested at least once a year. Compared to the business continuity requirements in the general framework, the requirements here are less granular.
Report on the review of the ICT risk management framework
Similar to the general framework approach, entities under the simplified approach must submit a report on the review of their risk management. However, the requirements are less extensive compared to the general framework approach.
What is next?
The first batch of technical standards have all entered into force now. The second batch, comprising five technical standards and two sets of guidelines, were submitted to the European Commission on 17 July 2024. We will discuss the content thereof and any further developments in our upcoming blogs. Stay tuned!
In our previous blog about the Digital Operational Resilience Act (DORA), we took a deep dive into three out of four technical standards that are part of the first batch that the European Supervisory Authorities (ESAs) have proposed to the European Commission. The Regulatory Technical Standard (‘RTS’) on criteria for the classification of ICT-related incidents and the RTS specifying the policy on ICT services performed by third parties, which we discussed in our previous blog, were published on 25 June 2024 in the Official Journal of the EU. In addition, the remaining RTS of that first batch: the ICT risk management framework was published on the same date. In this blog we will take a detailed look at the as yet unexplored RTS.
Two regimes
Almost all financial entities that are subject to DORA (e.g. credit institutions, payment institutions, investment fund managers and insurers) must adhere to the rules of the general ICT risk management framework (see paragraph 3). On the other hand, small and non-interconnected financial entities benefit from a simplified approach (see paragraph 4).
ICT risk management framework
A proper ICT risk management framework should consist of the following aspects:
- ICT security policies, procedures, protocols and tools;
- a human resource policy and access control system;
- an ICT-related incident detection and response system;
- an ICT business continuity management policy; and
- a review of the ICT risk management framework.
ICT security policies, procedures, protocols and tools
The first part of the RTS concerns the content of several ICT security policies. This includes the following.
ICT risk management policy
A financial entity must have an ICT risk management policy in place, including measures and management procedures to confront threats to the ICT system. ICT risks are potential threats that could impact the ICT infrastructure of a financial entity. Examples of ICT risks include software failure, human error or natural disasters. The policy starts with the establishment of procedures and methodologies to conduct an ICT risk assessment by means of which vulnerabilities and threats can be identified. The methodologies to assess ICT risks require quantitative and qualitative indicators to measure the impact and likelihood of occurrence of these vulnerabilities and threats, offering a more comprehensive view of the risk landscape. Once the ICT risks have been identified, measures must be implemented to ensure that the ICT risks do not materialise or, if they materialise, fall within the risk appetite. Furthermore, the effectiveness of those measures should be monitored. The management procedure should enable the financial entity to make timely adjustments or to implement additional measures, should existing measures prove insufficient.
ICT asset management
The ICT assets of a financial entity are identified and classified in the ICT asset management policy, containing information on its location or the identity of the owner of the ICT asset. A financial entity owns ICT assets that contain confidential data (e.g. email servers, customer data and sales information). A financial entity must correctly identify, classify and document their ICT assets to preserve availability, authenticity, integrity and confidentiality of the data. This information must be updated regularly.
Encryption and cryptography
Financial entities are obliged to use cryptographic keys and encrypt their data. Encryption of data is an important cyber security tool to ensure confidentiality and privacy of communication and information. When selecting cryptographic technologies, financial entities should consider leading practices and reliable techniques, and update cryptographic technology if necessary. To ensure the correct use and protection of cryptographic keys, a cryptographic key management policy should be established.
ICT operations security
To manage the security of ICT systems, an ICT operating policy should be established. Nowadays, financial entities are heavily dependent on ICT systems. The security of those systems must be guaranteed, but at the same time must remain easily accessible. This ICT operating policy needs to cover a description of the ICT assets on installation and maintenance, the capacity and performance of the ICT systems, as well as the control, monitoring and error handling of the ICT-systems.
Furthermore, the vulnerabilities of the ICT assets should be detected through automatic scans and patches should be deployed if necessary. Also, an obligation rests on the ICT third-party service providers to handle and report vulnerabilities. Part of the ICT operations security are the data and system security procedures protecting against intrusions and data misuse. Measures such as access restrictions, security measures and checks on security measures must be implemented. At last, financial entities must have logging procedures in place enabling them to investigate ICT security incidents.
Network security
Network security consists of two elements, 1. the management of network security and 2. security of data. The first element is developed in a policy, containing information on the segregation and segmentation of ICT systems based on their criticality, classification, and risk profile. Financial entities should have a separate network in place for ICT asset administration. The second element, the security of data, in storage and in transit, is regulated. During network transmission, data must stay available, authentic, integer, and confidential, and leakage of data must be prevented. Note that existing data protection laws (such as the GDPR) should always be taken into account when addressing data security.
ICT project and change management
ICT project and management is the organisation, preparations, planning and execution of a new ICT project replacing another. A well-functioning framework aims to maximise the benefits associated with projects, acquisitions and changes and minimise the negative impacts that can result from such change. Part of the framework is the establishment of an ICT project management policy that describes all the elements of the project, such as objectives, planning, risk assessment, milestones and change management requirements. ICT change management is an ICT practice designed to minimise disruptions to ICT services while making changes to critical systems and services. Changes to software, hardware or firmware components must be recorded, tested, assessed, approved, implemented and verified in a controlled manner.
Physical and environmental security policy
Physical components and infrastructure must be protected to ensure that all ICT assets are adequately protected from risks such as natural disasters and unauthorised access to physical places.
Human resource policy and access control
The second part of the risk management framework is the policy on human resource and access control. The first covers the main requirements related to the employment cycle of the staff of the financial entity and its ICT third-party service provider. This includes requirements on contracts, the employment phase, and on requirements to be considered after the termination of the contractual relationship. Additionally, the financial entity is required to control the access of persons and systems to information and ICT systems of the financial entity, including a unique identification of all persons having access.
ICT incident detection and response
Financial entities must have in place mechanisms to promptly detect anomalous activities. The third chapter of the RTS sets out further rules on ICT-related incident detection and response, which complements the rules in DORA. First, an ICT-related incident management policy, containing information on detection of anomalous activities and behaviour must be in place. Second, there must be a list of all contacts with internal functions and external stakeholders that are involved in the ICT operations security. Third, a financial entity must have mechanisms in place to detect and response to ICT incidents. The rules are similar to the ICT incident measures that credit institutions, investment firms and payment service providers have to adhere to in case of ICT incidents.
ICT business continuity management
The business continuity can be severally impacted by a disruption of the ICT services. Therefore, financial entities must ensure an adequate response and recovery of ICT systems by implementing a business continuity policy and response and recovery plans. The policy must contain criteria to activate and deactivate the ICT business continuity plan and provisions on the development, acting, testing and reviewing of ICT response and recovery plans. The rules are similar to the business continuity process that credit institutions, investment firms and payment service providers have to adhere to. However, this RTS sets out step-by-step what the policy should contain.
Report on the ICT risk management framework review
The ICT risk management framework must be reviewed every year. A report of the outcome must be generated and sent to the competent authority upon request.
Simplified ICT risk management framework
The requirements in paragraph 3 do not apply to small and non-interconnected investment firms, payment institutions that are exempted from PSD II, certain institutions that are exempted from CRD, electronic money institutions that are exempted from EMD II and small institutions for occupational retirement provision. For them the objective is to strike a balance between the security of the ICT systems, while avoiding excessive regulatory burdens. The elements of a robust ICT risk management for such entities are:
- a simplified ICT risk management framework;
- other elements of systems, protocols and tools to minimise the impact of ICT risks;
- ICT business continuity management; and
- reporting on the review of the ICT risk management framework.
Simplified ICT risk management
A key element - different from the general framework – of the simplified framework is that the governance and organisation aspect is a crucial part of the risk management framework. The financial entity must have clear roles and responsibilities. Also, policy should be established on the security on data and ICT assets. Similar to the general framework, the ICT assets must be identified, classified and documented. They must have an ICT risk management process, ICT incident management and ensure the physical safety of data against theft, natural disasters and environmental hazards.
Further elements of systems, protocols and tools to minimise the impact of ICT risks
Financial entities subject to the simplified approach still have to comply with numerous rules. Other elements of the ICT risk management framework consist of access control mechanisms to ICT assets and physical locations, the monitoring and management of ICT assets supporting critical functions, the assessment of capacity requirements, performance of vulnerability scanning, management of outdated assets, log events, monitoring and analysis of information on anomalous activities and behaviour. Furthermore, financial entities must remain informed about cyber threats and implement measures to detect security threats and vulnerabilities. Besides, the financial entities require ICT project and change management processes.
ICT business continuity management
Financial entities subject to the lighter regime must have documented ICT business continuity plans in place that are approved by the board to safeguard critical operations in case of severe ICT disruptions. Such plans must be tested at least once a year. Compared to the business continuity requirements in the general framework, the requirements here are less granular.
Report on the review of the ICT risk management framework
Similar to the general framework approach, entities under the simplified approach must submit a report on the review of their risk management. However, the requirements are less extensive compared to the general framework approach.
What is next?
The first batch of technical standards have all entered into force now. The second batch, comprising five technical standards and two sets of guidelines, were submitted to the European Commission on 17 July 2024. We will discuss the content thereof and any further developments in our upcoming blogs. Stay tuned!