The Dutch Authority on Financial Markets (the ‘AFM’) performed an exploratory study with trading venues and traders for own risk and account (together the ‘capital market firms’). This to investigate whether the capital market firms have a resilient ICT incident management process and if they are compliant with the upcoming Digital Operational Resilience Act (‘DORA’). The results showed some gaps between the ICT management process in place and the requirements set by DORA.
The AFM performed this study after it observed an increase in ICT-related incidents occurring in the capital markets. As part of this study, the maturity of ICT incident management was assessed. The AFM found that the investigated entities had procedures and processes in place to identify, document, and manage ICT‑related events and incidents. Furthermore they saw a strong correlation between the size of the firm and the maturity of ICT incident management.
The AFM has provided an overview of controls identified in the study (by the investigated entities) that capital market firms can implement to improve their ICT incident management, including:
- use of ICT event categorisation and prioritisation.
- incorporation of a dedicated ICT security department that implements tools to identify cyber security events and a security event response plan to counter cyber threats.
- periodical review of the ICT-related risk management framework to ensure compliance with regulatory requirements and keep up to speed with technology developments.
- root cause analyses on ICT-related incidents and define action plans to prevent the recurrence of incidents by identifying and eliminating the underlying cause.
- identification and use of key performance indicators (‘KPIs’) concerning ICT events and incidents to showcase to the management whether certain goals are achieved.
- service level agreements to manage outsourced ICT functions (if any) on the basis of which these third parties report on KPIs and provide incident reports.
In 2025, DORA will come into force. By then capital market firms will have to comply with strict(er) rules regarding ICT risk management, including ICT incident management. To ensure compliance, the AFM calls on capital market firms to start with the implementation of DORA in a timely manner.
This call for action is also relevant for other financial institutions and ICT third-party service providers, as they also must comply with DORA. To support you with the implementation of DORA, we will continue to publish blog posts, in which we will address the requirements in more detail.
We are also available to assist with a deep-dive analysis of the needs of your organisation in respect of compliance with DORA and support your implementation programme.
It’s time to start exploring and get ready for action!