ICT risk management frameworks

Under DORA financial entities are required to have a comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. Some financial entities are subject to lighter requirements due to their size and complexity of the services offered and these entities must implement a simplified ICT risk management framework.

The new draft regulatory technical standards set out details for these ICT risk management frameworks:

• ICT security policies must address governance, risk management, asset management, encryption, operations security, network security, project and change management, physical security and awareness and training
• ICT-related incident management policies must address detection and response, post-event analysis and testing
• Business continuity management policies must address triggers, recovery objectives, escalation mechanisms and testing

Helpfully, the technical standards refer to the principle of proportionality which recognises that financial entities can tailor their ICT risk management framework depending on their size, risk profile and complexity of their services. Certain financial entities will only be required to implement a simplified ICT risk management framework which is also described in these technical standards.

Incident handling

Under DORA financial entities are required to report major ICT-related incidents to their competent supervisory authority.

The new draft regulatory technical standards set out the criteria for classifying incidents, and particularly for classifying incidents as “major”. “Major” incidents are those which involve at least two primary criteria or three or more primary and secondary criteria (with at least one primary criteria).

The primary criteria are:

• affecting client, financial counterparties and transactions
• involving data loss
• critical services affected

The secondary criteria are:

• reputational impact
• duration and service downtime
• geographical spread
• economic impact

Further technical standards in relation to the content and timeline for incident reporting will be published for consultation later this year and finalised next summer.

Third party risk management

Under DORA financial entities are required to manage risks relating to the provision of ICT services including by adopting a policy on the sub-contracting of critical or important ICT services and establishing a register of all ICT-related contracts.

The new draft regulatory technical standards set out the requirements for a policy on the use of ICT services supporting critical or important functions which must:

• Define a methodology for determining which ICT services support critical or important functions (further technical standards are to be published on this point)
• Specify the requirements for the lifecycle of ICT services, i.e. planning, due diligence, selection process, implementation, monitoring and governance, documentation and record-keeping, exit strategies and termination management
• Assign internal responsibilities around contract management and manage conflicts of interest

A template has also been provided for the register of information on all ICT-related contracts at an individual entity level and at the sub-consolidated and consolidated level for groups.