#3 Incident response
As security professionals, we spend the majority of our time bolstering defences and trying to detect breaches. This approach will give us the best return on investment, by reducing our risk of a potential financial loss and reputational damage.
However, the odds of being able to stop all attacks and data leaks are not in our favour, and they shrink all the time. Financial entities, and the IT companies supporting them, are juicy targets for cybercriminals. Losses from even brief outages can be significant. The ION cyber incident in 2023 resulted in an effective halt on the trading of derivatives for several days until the ransom was paid.
The ION platform was one of many systems in the trading workflow, demonstrating clearly that the failure of one link in the chain breaks the end-to-end process. The DORA regulation extends to IT providers to financial institutions precisely for this reason.
This third blog in the DORA series will look at how financial entities will need to report on ICT-related disruptions, not just cyber incidents.
Major ICT-related incidents
Firstly, what constitutes a “major” incident? Given that DORA covers both financial entities and their critical 3rd party ICT providers, the answer isn’t straightforward. The March 2024 supplementary regulation to DORA lists 18 considerations which were taken into account before reaching these criteria.
In brief, an incident can be considered “major” if it affects more than 10% of your clients (or more than 100,000 clients), more than 30% of financial counterparts, more than 10% of the daily average number or amount of transactions, or specific clients or financial counterparts.
Other criteria include reputational damage, a downtime of more than 2 hours for critical or important functions, or a total incident time of over 24 hours. What counts as a critical or important function is something I’ll cover in a further blog post.
Furthermore, a “major” incident is one that has any impact on the confidentiality, integrity, availability or authenticity of data which affects business objectives or regulatory commitments. The same applies to any successful, malicious and unauthorised access which may result in data loss.
Lastly, an incident is major if it affects two or more EU member states, or has cost the business more than 100,000 euros.
Reporting
Financial entities and supporting ICT providers will need to report major ICT incidents from January 2025 to the respective regulator in the country where the incident has a significant impact, or the location of the root cause.
The timing and contents of the reports have recently been updated after consultation with industry. In essence, the initial report contains minimal information and needs to be provided within 24 hours of the detection of the incident and within 4 hours of the classification as major.
The intermediate report is due within 72 hours of the initial report and contains more detail, so that regulatory bodies can notify other entities at risk of a similar incident or trigger a risk-mitigation action to prevent a wider impact on the financial sector.
The final report is due within a month of the intermediate report and contains the root cause analysis, recovery actions, costs and losses.
What’s next
As a financial services regulation, DORA is innovative in its extension to 3rd party ICT providers supporting “critical and important functions”. In the next blog, I will delve into what these critical and important functions are, and therefore which ICT supplies are in scope.
#DORA #finance #regulation #EU #cyber #cybersecurity