Harmonising ICT Risk Management – An Overview of ESA’s Draft RTS for DORA
In June, the European Supervisory Authorities (ESAs) released the first batch of the regulatory technical standards (RTS) as a part of Digital Operational Resilience Act (DORA)*. Our focus in this article is on the RTS which is related to Article 15 and 16 in DORA and focuses on the ICT Risk Management Framework (RMF) with the aim to further harmonise ICT risk management tools, methods, processes, and policies across the EU.
The current released drafts are
- RTS to further harmonize ICT risk management tools, methods, processes, and policies as mandated under Articles 15 and 16(3).
- RTS on specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats.
- Implementing Technical Standards (ITS) to establish the templates composing the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
- RTS to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
On the 22nd of September, FCG hosts a webinar exploring the highlights from the draft RTS on ICT Risk Management. Register here.
Final version due January 2024
Worth noting is that this RTS is currently in draft form, and the final version is not expected until January 2024. The period to provide feedback to the ESAs ends on the 11th of September. After this deadline, the feedback will be processed by the ESAs and first after that, the final version will be released. Another important point to note is that this RTS “needs to be understood as complementary to the requirements set out in DORA itself”. This means that the requirements in the RTS should be understood as extensions to the requirements laid out in DORA and complements DORA with further descriptions on how DORA should be implemented. The last point to note is that DORA and the RTS will influence existing regulations, such as EBA/EIOPA Guideline of ICT and security risk management, EBA Guideline of Outsourcing, EIOPAs Guideline of Cloud Outsourcing, etc. We expect these guidelines to be revised in the future to harmonize with DORA.
This RTS is detailed and summarising its articles into their core components presents a challenge. Nonetheless, its level of detail serves a purpose, namely, to break down and refine the requirements for ICT Risk Management, from DORA.
A summary of the areas addressed in the RTS
General elements on ICT security
This section entails the requirement on the ICT polices (IT-policy, information security policy, Risk management policy and Outsourcing policy). This section also immerses itself into the governance arrangements of ICT and security risk management, mostly encompassing the requirements on the second line of defense.
Actions required: Develop steering documents for ICT, such as IT-policy, information security policy and outsourcing policy. Develop the digital operational resilience strategy. Ensure that the governance arrangements (both 1st and 2nd line) regarding ICT are documented and operational.
ICT risk management
Further refines the requirements on the ICT risk management framework regarding documentation of a policy in the area, including a process to manage ICT risks and defines the needs to keep track of residual risks as well as accepted risks.
Actions required: Refine the institute’s risk management framework to include ICT risk management and develop the needed processes and routines to ensure that ICT risk assessment are performed as required by the RTS.
ICT asset management
This area contains detailed requirements on the content of ICT asset management and the alignment between ICT asset management records and ICT processes and business processes incl. business continuity arrangements.
Actions required: Ensure that all business and support processes in the institution are documented sufficiently and include arrangements for business continuity management. Ensure that the ICT asset register is established and constantly up to date (including assets at ICT-third party providers).
Encryption and Cryptography
Includes requirements on cryptographic controls and cryptographic key management including rules related to encryption of data at rest, in transit and in use.
Actions required: Ensure encryption encompasses sensitive information and that there are arrangements for cryptographic key management.
ICT operations security
A large part of this RTS, regulating how information security is integrated into ICT operations and drives the needs of documenting internal ICT processes and specific ICT internal controls. Vulnerability and patch management are important areas, as are secure configurations of ICT assets as well as how to manage logging.
Actions required: Document internal ICT processes (and how security controls are applied in the processes) and ensure that relevant internal controls are operational. Specific emphasis should be on vulnerability management and logging management.
Another extensive area in this RTS where documentation, mapping and control are important areas to address. Network security and segregation are fundamental capabilities and different security reviews of network security must be performed with different frequency.
Actions required: Document internal networking and external connections (mapping). Separate different networks (segmentation) and ensure that network reviews (including security reviews) are defined in the ICT-testing framework (digital operational resilience testing framework)
ICT projects and change management
Contains requirements related to project management for ICT related projects including acquisition, risk assessments, test, and verification. In this section you will also find change management requirements.
Actions required: Ensure that there is an established project management framework and change management routines encompassing both significant changes like organisational shifts, changes to products and services, etc., and smaller routine ICT changes performed within IT operations). All these changes require security controls to ensure that the security level of the company will not be negatively impacted.
Physical and environmental security
Requirements to have a physical and environmental security policy that is designed according to the threat landscape. The requirements aim to protect premises, data warehouses etc. in accordance with the types of threats they face and in alignment with the sensitivity of the systems and data they contain.
Actions required: Incorporate physical security requirements into the overall information security management system.
ICT and information security awareness and training
Requirements on annual trainings with an accompanied evaluation process to ensure efficient training.
Actions required: Develop structured training and awareness programs, that address both general information requirements and specific training needs.
Human Resources policy and access control
Sets out requirements for the HR policy related to adherence to the security policy and sets requirements for access management in general.
Actions required: Document and analyse all access management routines to ensure that relevant requirements are in place for all ICT systems and across processes. Conduct regular tests to ensure that all employees have the correct access.
ICT-related incident detection and response
Describes how mechanisms to detect anomalous activities and ICT incidents should be developed and implemented.
Actions required: Develop strong internal incident management routines to ensure that all incidents are reported and analysed according to the requirements in DORA (including categorisation and reporting).
ICT Business Continuity Management
Sets out the requirements for the ICT business continuity policy and describes which parts should be included, including additional requirements for central counter parties. These requirements encompass response and recovery plans as well as the testing of plans.
Actions required: Ensure strong business continuity routines are established, regularly updated and well-documented. Additionally, develop resilience routines based on the above requirements.
Report on the ICT risk management framework review
Requirements related to a report that should be produced based on the annual review of the ICT risk management framework. This report should be made available to competent authorities upon request.
Actions required: Develop the reporting format based on the requirements in DORA and ensure that all information needed to construct the report is available and up to date to produce the report.
A general article that states that you always should consider complexity and risk when defining and implementing risk management activities.
FCG’s experience of working with small, medium, large companies as well as ICT complex and less complex financial firms is that the requirement from DORA extends the requirements from previous regulations. The details in the RTS show that areas such as ICT risk framework, asset management, process development and testing framework, to name a few, are areas that need time to develop and time to implement as part of the ongoing business. Therefore, there is a sense of urgency to ensure fundamental adherence to DORA as these areas need time to mature. For firms that previously has not been regulated from an ICT perspective such as securities companies, insurance brokers and ICT third-party service providers, to name but a few, the urgency is even more dire as both development and integration into the business will take even more time.
Where did the ESAs find their inspiration when developing this guide? They have looked at almost every standard or regulation in this field. Amongst others, EBA and EIOPA’s ICT guidelines, NIS2 Directive, NIST Cybersecurity Framework, ISO/IEC 27000 family, etc.
Looking into the material, we can see a clear connection between EBA and EIOPA’s ICT guidelines and ISO/IEC 27000. For financial firms that within the scope of EBA and EIOPA’s ICT guidelines the journey to adhere to DORA will be smooth, since the principles somewhat overlap., Nevertheless there will still be a significant effort required to ensure and understand the link between the different regulations and connections. Work will be needed both from a governing perspective to ensure that steering documents are aligned with DORA’s requirements and from an implementation perspective, where you need to ensure that processes, procedures etc. are implemented and working. Getting the timing right for these types of major changes is always a challenge. At the moment, we have the final version of DORA, but only drafts of a part of the technical standards that will outline the more detailed level. FCG’s experience from working with implementation of EBA’s ICT guidelines suggests that it is better to adopt a proactive approach rather than having to rush through tasks at the very end when the time is constrained.
*This text is based on the available draft versions of the RTS (2023-06-19)