FinTech Belgium Breakfast: DORA Incident Management
01_Approach Cyber- DORA Incident Management.pptx
Table of content
• DORA – setting the baseline
• ICT-related incident management process
• Classification of ICT-related incidents
• Reporting major ICT-related incidents
• Q&A
DORA – setting the baseline
The Digital Operational Resilience Act is a European Union regulation enacted in December 2022 that will apply to the financial sector starting on 17 January 2025.
It is an innovative regulatory framework that addresses risks posed by the digital transformation of financial services as well as the increase in volume and severity of cyber-attacks within the sector.
DORA is a regulation, meaning it’s binding in its entirety and directly applicable across the EU. It targets a wide range of financial entities, including credit institutions, payment institutions, insurance and reinsurance companies, electronic money institutions, investment firms, etc., but also ICT third-party service providers.
DORA’s goal is to ensure that the financial sector in Europe can handle and recover quickly from any type of technology-related disruptions or attacks, aiming to keep the financial system stable and trustworthy.
DORA – setting the baseline
FIVE PILLARS
1. Key principles and requirements on ICT governance and risk management. These requirements concern specific functions in ICT risk management (identification, protection and prevention, detection, response and recovery, training and development, and communication) and underline the importance of an adequate policy and organisational framework.
2. Requirements related to the management and classification of ICT-related incidents as well as provisions to harmonise and streamline the reporting of major incidents to the competent authorities.
3. Requirements for testing digital operational resilience and periodically assessing resilience to cyber-attacks and identifying weaknesses, shortcomings, or gaps, as well as the rapid implementation of corrective measures.
4. Provisions to ensure proper management of third-party ICT risks by imposing rules on how financial entities should monitor these risks and by harmonising key elements of the provision of services and the relationship with external ICT service providers.
5. Increase awareness of ICT risks and related aspects. This pillar focuses on allowing financial entities to establish mutual arrangements for information exchange on cyber threats.
DORA – setting the baseline
DORA’s articles and requirements are further explained through two sets of standards that serve distinct purposes:
• Regulatory Technical Standards (RTS): designed to detail, standardize, and evolve the legal framework, enhancing clarity and consistency. They specify the requirements set out in DORA and define how these are to be implemented in practice.
• Implementing Technical Standards (ITS): provide standard forms, templates, and procedures for financial entities to use when reporting to the Competent Authorities. In other words, the ITS supplement the RTS by specifying detailed implementation instructions and necessary processes to fulfil the requirements of the RTS.
DORA Chapter III
ICT-related incident management process
Article 17:
• Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.
• Financial entities shall record all ICT-related incidents and significant cyber threats. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.
DORA Chapter III
Classification of ICT-related incidents and cyber threats
Article 18:
• Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:
a. the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
b. the duration of the ICT-related incident, including the service downtime;
c. the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
d. the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
e. the criticality of the services affected, including the financial entity’s transactions and operations;
f. the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.
DORA Chapter III
Classification of ICT-related incidents and cyber threats
Important RTS requirements:
• An incident shall be considered a major incident where it has affected (e) critical services and where either of the following conditions is fulfilled:
a. the materiality threshold regarding data losses is met;
b. two or more of the other materiality thresholds are met.
• Financial entities shall assess the existence of recurring incidents on a monthly basis. Recurring incidents that individually are not considered a major incident shall be considered as one major incident where they meet all of the following conditions:
a. they have occurred at least twice within 6 months;
b. they have the same apparent root cause;
c. they collectively fulfil the criteria for being considered a major incident.
DORA Chapter III
Classification of ICT-related incidents and cyber threats
Materiality thresholds for determining major incidents:
• The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ is met where any of the following conditions are fulfilled:
a. the number of affected clients is higher than 10 % of all clients using the affected service;
b. the number of affected clients using the affected service is higher than 100000;
c. the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service;
d. the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service;
e. the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service.
• The materiality threshold for the criterion ‘reputational impact’ is met where any of the following conditions are fulfilled:
a. the incident has been reflected in the media;
b. the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships;
c. the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident;
d. the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident.
DORA Chapter III
Classification of ICT-related incidents and cyber threats
Materiality thresholds for determining major incidents:
• The materiality threshold for the criterion ‘duration and service downtime’ is met where any of the following conditions are fulfilled:
a. the duration of the incident is longer than 24 hours;
b. the service downtime is longer than 2 hours for ICT services that support critical or important functions.
• The materiality threshold for the criterion ‘geographical spread’ is met where the incident has an impact in two or more EU Member States.
• The materiality threshold for the criterion ‘data losses’ is met where any of the following conditions are fulfilled:
a. any impact on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements;
b. any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses.
• The materiality threshold for the criterion ‘economic impact’ is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100.000 euro.
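The major-incident rule on the "Important RTS requirements" slide and the materiality thresholds on the two slides above together form a decision procedure that an incident team can encode and run against the facts it has gathered. The following Python is an added worked example (not code from the deck or from Approach Cyber) that evaluates each threshold, applies the "critical services AND (data-loss threshold OR two or more other thresholds)" rule, and performs the monthly recurrence check. The incident fields, sample incidents and root-cause labels are constructed; the six-month window is approximated as 183 days, and the way "collectively fulfil the criteria" is aggregated (OR-ing the per-incident threshold flags) is an assumption the slides do not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    """Facts about one ICT-related incident as gathered by the incident team (constructed fields)."""
    ref: str
    detected_at: datetime
    apparent_root_cause: str
    critical_services_affected: bool          # criterion (e): criticality of the services affected
    affected_clients: int = 0                 # criterion 'clients, financial counterparts and transactions'
    total_clients_of_service: int = 0
    affected_counterparts: int = 0
    total_counterparts_of_service: int = 0
    affected_tx_count: int = 0
    daily_avg_tx_count: int = 0
    affected_tx_value: float = 0.0
    daily_avg_tx_value: float = 0.0
    in_media: bool = False                    # criterion 'reputational impact'
    repetitive_complaints: bool = False
    regulatory_breach_likely: bool = False
    client_loss_likely: bool = False
    duration: timedelta = timedelta(0)        # criterion 'duration and service downtime'
    downtime_critical_functions: timedelta = timedelta(0)
    member_states_impacted: int = 0           # criterion 'geographical spread'
    data_impact_adverse: bool = False         # criterion 'data losses', point (a)
    malicious_access_possible_loss: bool = False  # criterion 'data losses', point (b)
    costs_and_losses_eur: float = 0.0         # criterion 'economic impact'


def _share(part, whole):
    """Fraction of 'whole' that 'part' represents; 0 when the denominator is unknown."""
    return part / whole if whole else 0.0


def evaluate_thresholds(inc):
    """Per criterion, whether its materiality threshold is met."""
    return {
        "clients_counterparts_transactions": (
            _share(inc.affected_clients, inc.total_clients_of_service) > 0.10
            or inc.affected_clients > 100_000
            or _share(inc.affected_counterparts, inc.total_counterparts_of_service) > 0.30
            or _share(inc.affected_tx_count, inc.daily_avg_tx_count) > 0.10
            or _share(inc.affected_tx_value, inc.daily_avg_tx_value) > 0.10),
        "reputational_impact": (inc.in_media or inc.repetitive_complaints
                                or inc.regulatory_breach_likely or inc.client_loss_likely),
        "duration_downtime": (inc.duration > timedelta(hours=24)
                              or inc.downtime_critical_functions > timedelta(hours=2)),
        "geographical_spread": inc.member_states_impacted >= 2,
        "data_losses": inc.data_impact_adverse or inc.malicious_access_possible_loss,
        "economic_impact": inc.costs_and_losses_eur > 100_000,
    }


def is_major(critical_services_affected, thresholds):
    """Major = critical services affected AND (data-loss threshold OR two or more other thresholds)."""
    if not critical_services_affected:
        return False
    if thresholds["data_losses"]:
        return True
    return sum(v for k, v in thresholds.items() if k != "data_losses") >= 2


def classify(inc):
    return is_major(inc.critical_services_affected, evaluate_thresholds(inc))


def recurring_major_root_causes(incidents, window=timedelta(days=183)):
    """Root causes whose individually non-major incidents must be treated as one major incident.
    Assumptions (not stated on the slides): 6 months ~ 183 days; 'collectively fulfil' is modelled
    by OR-ing per-incident threshold flags; critical services count as affected if any incident
    in the cluster affected them."""
    by_cause = {}
    for inc in incidents:
        if not classify(inc):                 # individually major incidents are reported on their own
            by_cause.setdefault(inc.apparent_root_cause, []).append(inc)
    result = []
    for cause, group in by_cause.items():
        group.sort(key=lambda i: i.detected_at)
        for first in group:
            cluster = [i for i in group if timedelta(0) <= i.detected_at - first.detected_at <= window]
            if len(cluster) < 2:
                continue
            merged = {k: any(evaluate_thresholds(i)[k] for i in cluster) for k in evaluate_thresholds(first)}
            if is_major(any(i.critical_services_affected for i in cluster), merged):
                result.append(cause)
                break
    return result


# Constructed sample incidents (not taken from the deck).
SAMPLE = {
    "INC-001": Incident("INC-001", datetime(2025, 1, 20), "ransomware on file share", True,
                        data_impact_adverse=True),
    "INC-002": Incident("INC-002", datetime(2025, 3, 2), "core banking upgrade", True,
                        duration=timedelta(hours=30), member_states_impacted=3),
    "INC-003": Incident("INC-003", datetime(2025, 3, 9), "third-party DNS outage", False,
                        duration=timedelta(hours=48), in_media=True, costs_and_losses_eur=250_000),
    "INC-004": Incident("INC-004", datetime(2025, 2, 3), "expired TLS certificate", True, in_media=True),
    "INC-007": Incident("INC-007", datetime(2025, 5, 20), "expired TLS certificate", True,
                        duration=timedelta(hours=25)),
}

if __name__ == "__main__":
    for ref, inc in SAMPLE.items():
        print(ref, "major" if classify(inc) else "not major", evaluate_thresholds(inc))
    print("recurring -> one major incident:", recurring_major_root_causes(list(SAMPLE.values())))
```

INC-003 illustrates the gate on criterion (e): three thresholds are exceeded, but because no critical service was affected the incident is not major. INC-004 and INC-007 each trip only one threshold, yet with the same apparent root cause within six months they collectively meet two, so the monthly recurrence check flags them as one major incident.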
DORA Chapter III
Reporting major ICT-related incidents and voluntary notification of significant cyber threats
Article 19:
• Financial entities shall report major ICT-related incidents to the relevant competent authority.
• Financial entities may, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients.
• Where a major ICT-related incident occurs and has an impact on the financial interests of clients, financial entities shall, without undue delay as soon as they become aware of it, inform their clients about the major ICT-related incident and about the measures that have been taken to mitigate the adverse effects of such incident. In the case of a significant cyber threat, financial entities shall, where applicable, inform their clients that are potentially affected of any appropriate protection measures which the latter may consider taking.
• Financial entities shall, within the time limits, submit the following to the relevant competent authority:
a. an initial notification;
b. an intermediate report after the initial notification, as soon as the status of the original incident has changed significantly or the handling of the major ICT-related incident has changed based on new information available, followed, as appropriate, by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority;
c. a final report, when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates.
DORA Chapter III
Reporting major ICT-related incidents and voluntary notification of significant cyber threats
General information to be provided in the major incident initial notification, intermediate and final reports:
• When submitting the initial notification, the intermediate report and the final report, financial entities shall provide the following general information:
a. the type of report;
b. name, LEI code of the financial entity and of all financial entities covered in the report;
c. contact details of the contact persons responsible for communicating with the competent authority;
d. reporting currency.
DORA Chapter III
Reporting major ICT-related incidents and voluntary notification of significant cyber threats
Content of initial notifications:
• Financial entities shall provide at least the following information about the incident in the initial notification:
a. incident reference code;
b. date and time of detection and classification of the incident;
c. description of the incident;
d. classification criteria that triggered the incident report;
e. Member States impacted by the incident, where applicable;
f. information on how the incident has been discovered;
g. information about the origin of the incident, where available;
h. indication whether a business continuity plan has been activated;
i. information about the reclassification of the incident from major to non-major, where applicable; and
j. other information, where available.
DORA Chapter III
Reporting major ICT-related incidents and voluntary notification of significant cyber threats
Content of intermediate reports:
• Financial entities shall provide at least the following information about the incident in the intermediate report:
a. incident reference code provided by the competent authority, where applicable;
b. date and time of occurrence of the incident;
c. date and time when regular activities have been restored, where applicable;
d. information about the classification criteria that triggered the incident report;
e. type of the incident;
f. threats and techniques used by the threat actor, where applicable;
g. affected functional areas and business processes;
h. affected infrastructure components supporting business processes;
i. impact on the financial interest of clients;
j. information about reporting to other authorities;
k. temporary actions/measures taken or planned to be taken to recover from the incident; and
l. information on indicators of compromise, where applicable.
DORA Chapter III
Reporting major ICT-related incidents and voluntary notification of significant cyber threats
Content of final reports:
• Financial entities shall provide the following information about the incident in the final report:
a. information about the root causes of the incident;
b. dates and times when the incident was resolved and the root cause addressed;
c. information on the incident resolution;
d. information relevant for resolution authorities, where applicable;
e. information about direct and indirect costs and losses stemming from the incident and information about financial recoveries; and
f. information about recurring incidents, where applicable.
DORA Chapter III
Time limits for reporting
Where financial entities are unable to submit the initial notification, intermediate report or final report within the timelines, they shall inform the competent authority without undue delay, but no later than the respective time limit for submission of the notification/report, and shall explain the reasons for the delay.
[Figure: reporting timeline with numbered steps; recoverable labels: 72H, 1M]
TLP:AMBER - Limited disclosure, restricted to participants’ organizations.
Got hacked? Contact us 24/7
Questions ?
Approach Belgium
Antwerp - Brussels - Louvain-la-Neuve
Approach Switzerland
Lausanne
www.approach-cyber.com
info@approach-cyber.com

More Related Content

PDF
Webinar Exploring DORA for Fintechs - Simont Braun
PDF
Joint_ESAs_DORA_event_-_European_Commission_slides.pdf
PDF
ICT Risk Management and ICT third party risk Objectives
PDF
Accenture Digital Operational Resilience ACT.pdf
PDF
S4_3_1_Approach Cyber (OK to publish).pdf
PPTX
03_Emmanuel Ndiaye_Degroof Petercam.pptx
PPT
CTO-CybersecurityForum-2010-Jayantha Fernando
PPTX
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
Webinar Exploring DORA for Fintechs - Simont Braun
Joint_ESAs_DORA_event_-_European_Commission_slides.pdf
ICT Risk Management and ICT third party risk Objectives
Accenture Digital Operational Resilience ACT.pdf
S4_3_1_Approach Cyber (OK to publish).pdf
03_Emmanuel Ndiaye_Degroof Petercam.pptx
CTO-CybersecurityForum-2010-Jayantha Fernando
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2

Similar to 01_Approach Cyber- DORA Incident Management.pptx (20)

PDF
Sept 2012 data security & cyber liability
PPTX
3-UnitV_security.pptx
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
PDF
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
PDF
Critical Infrastructure and Cyber Security: trends and challenges
PDF
Final cyber risk report 24 feb
PDF
Why Traditional Security has Failed
ODP
Network security Topic 2 overview continued
PDF
Data Protection & Resilience in Focus.pdf
PPTX
Introduction to Law relating to e commerce and computer crimes in Sri Lanka
ODP
Network Security Topic 1 intro
PPTX
Understanding the security_organization
DOCX
12Cyber Research ProposalCyb
DOCX
12Cyber Research ProposalCyb
PPT
CCNA Security 02- fundamentals of network security
PDF
ZSAH Security - Web
PDF
CULCT Cybersecurity Workshop 2.10.15
PDF
Cybersecurity Workshop
Sept 2012 data security & cyber liability
3-UnitV_security.pptx
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
Critical Infrastructure and Cyber Security: trends and challenges
Final cyber risk report 24 feb
Why Traditional Security has Failed
Network security Topic 2 overview continued
Data Protection & Resilience in Focus.pdf
Introduction to Law relating to e commerce and computer crimes in Sri Lanka
Network Security Topic 1 intro
Understanding the security_organization
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
CCNA Security 02- fundamentals of network security
ZSAH Security - Web
CULCT Cybersecurity Workshop 2.10.15
Cybersecurity Workshop
Ad

More from FinTech Belgium (20)

PPTX
04_Tamás Marton_Intuitech .pptx_AI_Barometer_2025
PPTX
05_Jelle Baats_Tekst.pptx_AI_Barometer_Release_Event
PPTX
03_Ariane BERCKMOES_Ethias.pptx_AIBarometer_release_event
PPTX
01_Nico Vincent_Sailpeak.pptx_AI_Barometer_2025
PPTX
00_Main ppt_AI Barometer.pptx_ReleaseEvent
PPTX
Paycifi - Programmable Trust_Breakfast_PPTXT
PPTX
00_Main the CFO. of Tomorrow with AREApptx
PPTX
05_Edouard Beauvois_AiVidensThe CFO of Tomorrow.pptx
PPTX
03_Lieve Ringoot_ProximusThe CFO of Tomorrow.pptx
PPTX
04_Bright Obeng_Host De CFO Podcast.pptx
PPSX
02_Xavier Corman_FinrackThe CFO of Tomorrow.ppsx
PPTX
00_Main ppt_DLA Piper AML Landscape(1).pptx
PPTX
AML Package DLA Piper Event 15052025.pptx
PPTX
00_FTBE Ivory Coast Delegation Breakfast.pptx
PPTX
03_MAGMA-ENABEL Ivory Coast Delegation Breakfastpptx
PPTX
01_EnabelIvory Coast Delegation Breakfast.pptx
PPTX
04_FinFlag Ivory Coast Delegation Breakfast.pptx
PPTX
05_iBanFirst Ivory Coast Delegation.pptx
PPTX
06_Scudi Ivory Coast Delegation Breakfast.pptx
PPTX
02_Bond'innov Ivory Coast Delegation Breakfast.pptx
04_Tamás Marton_Intuitech .pptx_AI_Barometer_2025
05_Jelle Baats_Tekst.pptx_AI_Barometer_Release_Event
03_Ariane BERCKMOES_Ethias.pptx_AIBarometer_release_event
01_Nico Vincent_Sailpeak.pptx_AI_Barometer_2025
00_Main ppt_AI Barometer.pptx_ReleaseEvent
Paycifi - Programmable Trust_Breakfast_PPTXT
00_Main the CFO. of Tomorrow with AREApptx
05_Edouard Beauvois_AiVidensThe CFO of Tomorrow.pptx
03_Lieve Ringoot_ProximusThe CFO of Tomorrow.pptx
04_Bright Obeng_Host De CFO Podcast.pptx
02_Xavier Corman_FinrackThe CFO of Tomorrow.ppsx
00_Main ppt_DLA Piper AML Landscape(1).pptx
AML Package DLA Piper Event 15052025.pptx
00_FTBE Ivory Coast Delegation Breakfast.pptx
03_MAGMA-ENABEL Ivory Coast Delegation Breakfastpptx
01_EnabelIvory Coast Delegation Breakfast.pptx
04_FinFlag Ivory Coast Delegation Breakfast.pptx
05_iBanFirst Ivory Coast Delegation.pptx
06_Scudi Ivory Coast Delegation Breakfast.pptx
02_Bond'innov Ivory Coast Delegation Breakfast.pptx
Ad

Recently uploaded (20)

PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PPTX
Spectroscopy.pptx food analysis technology
PPTX
Programs and apps: productivity, graphics, security and other tools
PPTX
TLE Review Electricity (Electricity).pptx
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PPTX
Machine Learning_overview_presentation.pptx
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
PPTX
A Presentation on Artificial Intelligence
PDF
Heart disease approach using modified random forest and particle swarm optimi...
Assigned Numbers - 2025 - Bluetooth® Document
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
Univ-Connecticut-ChatGPT-Presentaion.pdf
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
A comparative study of natural language inference in Swahili using monolingua...
Reach Out and Touch Someone: Haptics and Empathic Computing
Building Integrated photovoltaic BIPV_UPV.pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Diabetes mellitus diagnosis method based random forest with bat algorithm
Spectroscopy.pptx food analysis technology
Programs and apps: productivity, graphics, security and other tools
TLE Review Electricity (Electricity).pptx
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Unlocking AI with Model Context Protocol (MCP)
SOPHOS-XG Firewall Administrator PPT.pptx
Machine Learning_overview_presentation.pptx
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Accuracy of neural networks in brain wave diagnosis of schizophrenia
A Presentation on Artificial Intelligence
Heart disease approach using modified random forest and particle swarm optimi...

01_Approach Cyber- DORA Incident Management.pptx

  • 3. Table of content • DORA – setting the baseline • ICT-related incident management process • Classification of ICT-related incidents • Reporting major ICT-related incidents • Q&A 3
  • 4. DORA – setting the baseline The Digital Operational Resilience Act is a European Union regulation enacted in December 2022 that will apply to the financial sector starting on 17 January 2025. It is an innovative regulatory framework that addresses risks posed by the digital transformation of financial services as well as the increase in volume and severity of cyber-attacks within the sector. DORA is a regulation, meaning it’s binding in its entirety and directly applicable across the EU. It targets a wide range of financial entities, including credit institutions, payment institutions, insurance and reinsurance companies, electronic money institutions, investment firms, etc, but also ICT third-party service providers. DORA’s goal is to ensure that the financial sector in Europe can handle and recover quickly from any type of technology-related disruptions or attacks, aiming to keep the financial system stable and trustworthy. 4
  • 5. DORA – setting the baseline FIVE PILLAR S Key principles and requirements on ICT governance and risk management. These requirements concern specific functions in ICT risk management (identification, protection and prevention, detection, response and recovery, training and development, and communication) and underline the importance of an adequate policy and organisational framework. Requirements related to the management and classification of ICT-related incidents as well as provisions to harmonise and streamline the reporting of major incidents to the competent authorities Requirements for testing digital operational resilience and periodically assessing resilience to cyber-attacks and identifying weaknesses, shortcomings, or gaps, as well as the rapid implementation of corrective measures. Provisions to ensure proper management of third-party ICT risks by imposing rules on how financial entities should monitor these risks and by harmonising key elements of the provision of services and the relationship with external ICT service providers. Increase awareness of ICT risks and related aspects. This pillar focuses on allowing financial entities to establish mutual arrangements for information exchange on cyber threats. 5
  • 6. 6 DORA – setting the baseline DORA’s articles and requirements are further explained through two sets of standards, that serve distinct purposes: •Regulatory Technical Standards (RTS) Designed to detail, standardize, and evolve the legal framework, enhancing clarity and consistency. They specify the requirements set out in DORA and define how these are to be implemented in practice. •Implementing Technical Standards (ITS) Provide standard forms, templates, and procedures for financial entities to use when reporting to the Competent Authorities. In other words, the ITS supplement the RTS by specifying detailed implementation instructions and necessary processes to fulfil the requirements of the RTS.
  • 7. 7 DORA Chapter III ICT-related incident management process Article 17: • Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. • Financial entities shall record all ICT-related incidents and significant cyber threats. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.
  • 8. 8 DORA Chapter III Classification of ICT-related incidents and cyber threats Article 18: • Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria: a. the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact; b. the duration of the ICT-related incident, including the service downtime; c. the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States; d. the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data; e. the criticality of the services affected, including the financial entity’s transactions and operations; f. the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.
  • 9. 9 DORA Chapter III Classification of ICT-related incidents and cyber threats Important RTS requirements: • An incident shall be considered a major incident where it has affected (e) critical services and where either of the following conditions is fulfilled: a. the materiality threshold regarding data losses is met; b. two or more of the other materiality thresholds are met. • Financial entities shall assess the existence of recurring incidents on a monthly basis. Recurring incidents that individually are not considered a major incident shall be considered as one major incident where they meet all of the following conditions: a. they have occurred at least twice within 6 months; b. they have the same apparent root cause; c. they collectively fulfil the criteria for being considered a major incident.
  • 10. 10 DORA Chapter III Classification of ICT-related incidents and cyber threats Materiality thresholds for determining major incidents: • The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ is met where any of the following conditions are fulfilled: a. the number of affected clients is higher than 10 % of all clients using the affected service; b. the number of affected clients using the affected service is higher than 100000; c. the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; d. the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; e. the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service. • The materiality threshold for the criterion ‘reputational impact’ is met where any of the conditions are fulfilled: a. the incident has been reflected in the media; b. the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; c. the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; d. the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident.
  • 11. 11 DORA Chapter III Classification of ICT-related incidents and cyber threats Materiality thresholds for determining major incidents: • The materiality threshold for the criterion ‘duration and service downtime’ is met where any of the following conditions are fulfilled: a. the duration of the incident is longer than 24 hours; b. the service downtime is longer than 2 hours for ICT services that support critical or important functions. • The materiality threshold for the criterion ‘geographical spread’ is met where the incident has an impact in two or more EU Member States. • The materiality threshold for the criterion ‘data losses’ is met where any of the following conditions are fulfilled: a. any impact on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; b. any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. • The materiality threshold for the criterion ‘economic impact’ is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100.000 euro.
  • 12. 12 DORA Chapter III Reporting major ICT-related incidents and voluntary notification of significant cyber threats Article 19: • Financial entities shall report major ICT-related incidents to the relevant competent authority. • Financial entities may, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients. • Where a major ICT-related incident occurs and has an impact on the financial interests of clients, financial entities shall, without undue delay as soon as they become aware of it, inform their clients about the major ICT- related incident and about the measures that have been taken to mitigate the adverse effects of such incident. In the case of a significant cyber threat, financial entities shall, where applicable, inform their clients that are potentially affected of any appropriate protection measures which the latter may consider taking. • Financial entities shall, within the time limits submit the following to the relevant competent authority: a. an initial notification; b. an intermediate report after the initial notification, as soon as the status of the original incident has changed significantly or the handling of the major ICT-related incident has changed based on new information available, followed, as appropriate, by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority; c. a final report, when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates.
  • 13. 13 DORA Chapter III Reporting major ICT-related incidents and voluntary notification of significant cyber threats General information to be provided in the major incident initial notification, intermediate and final reports: • When submitting the initial notification, the intermediate report and the final report, financial entities shall provide the following general information: a. the type of report; b. name, LEI code of the financial entity and of all financial entities covered in the report; c. contact details of the contact persons responsible for communicating with the competent authority; d. reporting currency.
  • 14. DORA Chapter III, Reporting major ICT-related incidents and voluntary notification of significant cyber threats. Content of initial notifications:
    • Financial entities shall provide at least the following information about the incident in the initial notification:
      a. incident reference code;
      b. date and time of detection and classification of the incident;
      c. description of the incident;
      d. classification criteria that triggered the incident report;
      e. Member States impacted by the incident, where applicable;
      f. information on how the incident has been discovered;
      g. information about the origin of the incident, where available;
      h. indication whether a business continuity plan has been activated;
      i. information about the reclassification of the incident from major to non-major, where applicable; and
      j. other information, where available.
  • 15. DORA Chapter III, Reporting major ICT-related incidents and voluntary notification of significant cyber threats. Content of intermediate reports:
    • Financial entities shall provide at least the following information about the incident in the intermediate report:
      a. incident reference code provided by the competent authority, where applicable;
      b. date and time of occurrence of the incident;
      c. date and time when regular activities have been restored, where applicable;
      d. information about the classification criteria that triggered the incident report;
      e. type of the incident;
      f. threats and techniques used by the threat actor, where applicable;
      g. affected functional areas and business processes;
      h. affected infrastructure components supporting business processes;
      i. impact on the financial interest of clients;
      j. information about reporting to other authorities;
      k. temporary actions/measures taken or planned to be taken to recover from the incident; and
      l. information on indicators of compromise, where applicable.
  • 16. DORA Chapter III, Reporting major ICT-related incidents and voluntary notification of significant cyber threats. Content of final reports:
    • Financial entities shall provide the following information about the incident in the final report:
      a. information about the root causes of the incident;
      b. dates and times when the incident was resolved and the root cause addressed;
      c. information on the incident resolution;
      d. information relevant for resolution authorities, where applicable;
      e. information about direct and indirect costs and losses stemming from the incident and information about financial recoveries; and
      f. information about recurring incidents, where applicable.
  • 17. DORA Chapter III, Time limits for reporting. Where financial entities are unable to submit the initial notification, intermediate report or final report within the time limits, they shall inform the competent authority without undue delay, but no later than the respective time limit for submission of the notification/report, and shall explain the reasons for the delay.
    (Slide graphic: reporting timeline with 72H and 1M markers.)
  • 18. TLP:AMBER - Limited disclosure, restricted to participants' organizations.
    Got hacked? Contact us 24/7. Questions?
    Approach Belgium: Antwerp - Brussels - Louvain-la-Neuve
    Approach Switzerland: Lausanne
    www.approach-cyber.com [email protected]

Editor's Notes

  • #7: The ICT-related incident management process shall:
    • put in place early warning indicators;
    • establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted;
    • assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;
    • set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;
    • ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents;
    • establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.
  • #10 and #11: Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods.
  • #12: Financial entities may outsource the reporting obligations under this Article to a third-party service provider. In case of such outsourcing, the financial entity remains fully responsible for the fulfilment of the incident reporting requirements.
  • #17: The time limits for the submission of the initial notification and the intermediate and final reports shall be as follows:
    • the initial notification shall be submitted as early as possible within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the moment the financial entity has become aware of the incident;
    • an intermediate report shall be submitted at the latest within 72 hours from the submission of the initial notification, even where the status or the handling of the incident have not changed. Financial entities shall submit without undue delay an updated intermediate report, in any case, when regular activities have been recovered;
    • the final report shall be submitted no later than one month from the submission of the latest updated intermediate report.
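The time limits above chain together (initial notification, then intermediate, then final) and the first one has a two-sided cap, so an incident-response team usually wants them computed rather than remembered. The following added example, which is not code from the deck or from Approach Cyber, derives the three deadlines from constructed timestamps; the interpretation of "one month" as the same day of the next month (clamped to month end) is an assumption, as DORA does not define it.

```python
"""Added example (not the deck's or Approach Cyber's own code): computes the
DORA major-incident reporting deadlines stated in the note for slide #17."""
from datetime import datetime, timedelta, timezone
import calendar


def add_one_month(ts: datetime) -> datetime:
    # Assumption: "one month" means the same day of the next month, clamped
    # to that month's last day (e.g. 31 Jan -> 28 Feb); DORA does not define it.
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))


def initial_deadline(aware_at: datetime, classified_major_at: datetime) -> datetime:
    """Initial notification: within 4 hours of classifying the incident as major,
    but never later than 24 hours after the entity became aware of it."""
    if classified_major_at < aware_at:
        raise ValueError("classification as major cannot precede awareness")
    return min(classified_major_at + timedelta(hours=4),
               aware_at + timedelta(hours=24))


def intermediate_deadline(initial_submitted_at: datetime) -> datetime:
    """Intermediate report: at the latest 72 hours after the initial notification,
    even if status or handling has not changed."""
    return initial_submitted_at + timedelta(hours=72)


def final_deadline(latest_intermediate_at: datetime) -> datetime:
    """Final report: no later than one month after the latest updated intermediate report."""
    return add_one_month(latest_intermediate_at)


def delay_notice_due_by(report_deadline: datetime) -> datetime:
    """If a report cannot be submitted in time, the competent authority must be told
    without undue delay and no later than that report's own time limit (slide 17)."""
    return report_deadline


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed timestamps for illustration only.
    aware = datetime(2025, 3, 3, 8, 0, tzinfo=utc)
    classified = datetime(2025, 3, 4, 5, 0, tzinfo=utc)  # 21h after awareness
    initial_due = initial_deadline(aware, classified)     # capped at aware + 24h
    intermediate_due = intermediate_deadline(initial_due)
    print("initial notification due:", initial_due.isoformat())
    print("intermediate report due:", intermediate_due.isoformat())
    print("final report due:", final_deadline(intermediate_due).isoformat())
```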