The digital resilience framework for the financial sector
DORA is the new Digital Operational Resilience Act for the financial sector. It follows on from the Basel Accords, which were designed to strengthen regulation, supervision and risk management in the sector in the wake of the 2007 financial crisis. Having focused on risk management, the European Union is now providing the financial system with unified and strengthened regulation to move towards digital resilience.
The question now facing financial sector players is: “How can we achieve this famous digital resilience?”
We’ve tried to summarise the main principles of DORA to give you some guidance and some priorities. Follow our lead!
DORA's 5 Pillars of Operational Digital Resilience
A cyber crisis can have a major impact on a company’s operations. Recent cases of ransomware demonstrate this: from one day to the next, a company can find itself completely paralysed, with data inaccessible, workstations inoperable, services suspended, etc.
It is therefore essential to prepare in advance: determine the criticality of your activities, prioritise those that are essential and vital, be able to continue them in a degraded mode during a crisis, and ensure their gradual resumption afterwards. This is why the DORA regulation addresses operational risks through the essential issue of business continuity. Financial institutions will have to guarantee the supply and quality of essential services. This involves both assessing and developing the operational technological integrity of financial institutions and their third-party service providers. The regulation is based on five pillars to achieve digital resilience:
- Information and Communication Technology (ICT) risks;
- Incident reporting;
- Resilience testing (crisis exercises, simulations, etc.);
- Third-party risks;
- Information sharing.
To achieve this objective, the Regulation requires, among other things, a contingency plan. This plan must be tested and updated on an ongoing basis to ensure operational resilience. In particular, the crisis management plan makes it possible to anticipate possible crisis scenarios and ways of dealing with them.
The development phase of the crisis management plan is an opportunity for collective reflection on everyone’s roles and responsibilities in advance of the crisis. The Alcyconie team’s priority when drawing up the crisis management plan is to ensure that the plan is adopted by the teams: it must become a reflex, known and mastered by all.
The concept of financial entity: who is concerned by DORA?
Article 2 of the Regulation gives a long list of entities that fall within its scope, with the latest version taking care to exclude certain entities. All the entities concerned are grouped together under the generic term “financial entities”. Third-party IT service providers to financial institutions will also be subject to DORA.
Risk management obligations
DORA contains various obligations and recommendations relating to the digital resilience of the financial sector. We will focus in particular on the provisions relating to crisis management, which is Alcyconie’s core business.
Governance – Training in digital operational resilience
With DORA, executive management will be obliged to take responsibility for IT risk management. Indeed, cyber and digital crisis management is no longer the sole preserve of the CISO: it is gradually becoming part of high-level crisis management by “non-experts”. Senior management must therefore take responsibility for adopting a risk management framework and, more broadly, a governance and internal control framework. To ensure the effectiveness of this framework, DORA requires training.
Framework for managing IT risks
The risk management framework must be documented and reviewed annually. To complete the framework, financial institutions are required to identify the tangible and intangible elements that will subsequently form part of it. In particular, this identification includes the mapping of operational functions, information assets and information systems (IS). This will enable entities to identify the elements that need to be protected, and also to identify and assess risk scenarios as part of the contingency plan.
In addition, organisations need to establish a genuine security policy which, in order to remain effective and preventive, must be updated and reviewed whenever changes are made to the IS.
Once the risk management framework is in place, the risk remains. The Regulation therefore requires the implementation of an IT Business Continuity Policy, which in turn is part of the Business Continuity Policy. Priority is given to IT recovery, while damage and losses are estimated using mechanisms already in place.
In the event of a crisis that disrupts the structure’s activities, it will be necessary to plan for a gradual, organised and concerted resumption of operations. This recovery strategy must be thought through in advance and not improvised. To support this resumption of activity, DORA also requires the prior definition of crisis management communication measures to facilitate the dissemination of information in a worsening crisis situation.
To ensure that these measures are put in place, companies must establish a crisis management function and test their procedures once a year. To find out more about Alcyconie’s crisis management exercises and training, please contact us.
Training in digital operational resilience
Digital resilience must also include learning and capitalising on the entity’s experience. Organisations are therefore expected to conduct post-incident reviews to identify the causes of incidents and the improvements that need to be made. In addition, staff and management need to be trained and made aware of operational resilience and IT security.
Communication as part of risk management
In a rather short and not very precise article, the Regulation refers to communication in the context of risk management. It provides for responsible communication of incidents and vulnerabilities, both to customers and to the general public.
This raises a number of issues for communicators. When IT teams are mobilised to solve the problem, how do they get the information they need to explain a highly technical subject to the general public, while at the same time being able to communicate with specialist media and experts? How can you communicate transparently and reassure your stakeholders without giving valuable information to hackers? Helping your communications teams understand these technical issues will give them an operational and pragmatic view of their role and help them find their place and the most effective stance.
(You can read our contribution to one of the analyses by Marc-Antoine Ledieu, who did us the honour of asking us to comment on this topic, here).
Incident management obligations
To manage IT incidents, the regulations require the implementation of an IT incident management process that includes a risk management process. The idea is to know where to go and what to do in the event of a crisis. The regulation specifies the content of this process:
- Procedures for qualifying incidents according to criteria defined in the regulations;
- Roles and responsibilities to be activated depending on the scenario;
- Internal and external communication plan;
- Incident escalation procedures;
- Management notification procedure;
- IT response procedures.
Financial institutions are now required to notify the authorities of major IT incidents using a specific template.
In the event of a crisis likely to affect their interests and services, financial institutions will be required to communicate the situation to users and customers.
What do we need to remember about DORA?
In short, DORA makes it mandatory to apply crisis management and business continuity standards in anticipation of cyber risks. The aim of DORA is to prevent a crisis of cyber origin from affecting one or more financial actors to the point of destabilising the markets and the economy of the European Union.
To learn more about cyber crisis management, read our article “Preparing for and communicating a cyber crisis”.