Preparing for DORA Step 2 - ICT Related Incident Reporting
As discussed in a previous post there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with.
I. ICT risk Management Frameworks.
II. ICT-related incident reporting.
III. Digital operational resilience testing.
IV. ICT third-party risk.
V. Information sharing.
This post is the second of 5 that will set out five key steps that need to be taken to prepare for DORA compliance.
What are the DORA requirements for Incident Reporting?
DORA aims to both strengthen operational incident reporting across the EU whilst also aiming to simplify and streamline the reporting processes by consolidating and standardising the mechanisms for reporting within the multiple EU jurisdictions. There is a clear aim to reduce overheads across the multiple regulators involved to reduce efforts and overheads for firms.
The EU aims to consolidate all IT and cyber related operational and resilience related events in order for regulators and firms to better anticipate threats and act to address potential emerging risks.
How can firms prepare for the DORA requirements for Incident Reporting?
In order to achieve this and be ready to report into the proposed DORA incident reporting framework, firms will need to institutionalise their own threat and incident reporting processes within the organisation with a robust classification of threats and incidents. This will require clear documentation of procedures with corresponding training of staff in the required processes in order to be ready for the obligation for industry-wide sharing through the regulators. This will be a new requirement for some EU firms and will be an obligation on the key suppliers of outsourced services to the financial sector.
What information will DORA require sharing with the regulators?
The final formats and processes for sharing are still being finalised, but it is already clear that firms must be prepared to share and report externally all operational resilience related incidents as well as any observed threats that may have resulted in ‘near misses’. Root cause analysis must be undertaken and shared within one month of any incident, ideally quicker.
The need to report this information timely and externally will require firms to invest in robust internal reporting processes with corresponding early warning indicators and management information on IT disruption and operational events.
By encouraging the sharing of information within the marketplace DORA aims to benefit firms by raising awareness of emerging threats within the financial community. The stated aim is to ensure that firms can benefit from the knowledge of emerging cyber threats, improved data protection solutions, and operational resilience tactics.
Firms should already have the foundations of the requirements as part of their existing resilience programmes. While DORA is new, the underlying concepts are not and there has already been plenty of regulatory interventions including those from the EBA and several National Competent Authorities in the EU. BAIT from Germany in 2017, which has become the cornerstone of IT supervision for all credit and financial services institutions in Germany. The EBA Guidelines on ICT and security risk management in 2019, and also from the EBA the Revised Guidelines on major incident reporting under PSD2 in 2021. The compliance table for the latter can be found at this link.
Look out for our next publication about Digital operational resilience testing - mapping service dependencies – another of the five key areas of DORA.
At Shapes First we work with firms so that they have the tools they need to manage their operational resilience in a commercially sensible way while all the time complying with their regulatory obligations. We have already supported firms with the implementation of the regulations that came before and if you would like to hear more about what we can do to help you to implement DORA, please get in touch at info@shapesfirst.com
