DORA: Building Resilience through ICT incident management

DORA: Building Resilience through ICT incident management

Reporting an ICT incident is all about being able to contain an attack, to mitigate the damage, to warn others to be on their guard, and to recover from the damage.

Financial services companies already have multiple supervisory entities to report to, so it is understandable that news of another reporting system would not necessarily be welcome. However, the advantages of a harmonised ICT incident management system are immediately obvious. With cyberattacks becoming more sophisticated, and with the impact of those attacks affecting entities in multiple jurisdictions, companies welcome all the help they can get.


Reporting requirements under DORA

The EU is doing what it can to make reporting under the Digital Operational Resilience Act (DORA) as streamlined as possible, creating a harmonised matrix that categorises contagion risk and criticality across all Member States. The notification procedures ensure that information about breaches – or even the mere suspicion of one – is shared, therefore controlling the risk that their impact will spread. The procedures laid down by DORA will not be as cumbersome for licensed entities in Malta, which have an advantage in that they already need to report ICT incidents, in accordance with a matrix created by the financial services regulator, the Malta Financial Services Authority (MFSA). This streamlined the categories of criticality, leaving no doubt as into what level of severity an incident should be classified.


ICT Incident Management

The classification triggers various reactions, from reporting requirements all the way to escalation in case of a major incident or crisis. It also sets the clock ticking, with tight deadlines for reporting. This makes even more sense when seen in the context of business continuity and disaster recovery plans imposed by DORA, which ensures that each scenario has been thought through, allowing a much faster reaction to be triggered, and therefore for a much faster recovery, limiting the damage – creating a pre-planned series of recovery procedures in a time of great confusion and pressure. The existence of the MFSA mandatory reporting framework is, however, no excuse for complacency. Companies need to ensure that they have all the appropriate incident management procedures in place, that they are regularly updated, and that they are rigorously tested.


Regulatory & Implementing Technical Standards

The European Supervisory  Authorities are currently on multiple Regulatory and Implementing Technical Standards, which will be rolled out over the coming months. These will determine the details of the reporting templates and methods through the Member States' supervisory authorities. Globalisation has created an interlinked ecosystem, as we found out all too well in the financial crisis of 2008. ICT attacks could be aimed at more than one entity; indeed they could be aimed at an entire country. Having prompt intelligence about attacks would enable the EU and supervisory authorities to trigger plans to protect the impact from spreading. Indeed, DORA is only one part of a series of different legislation affecting critical infrastructure – not only systemically important banks but also utility and telecommunication companies, for example.


Importance of training

Prevention is always the best option: companies need to ensure that their staff are properly trained about cybercriminals who target the weakest link: human error is responsible for many ICT attacks. Some of the most potent attacks have been inadvertently launched by a well-meaning employee clicking on a link in an email. Ongoing training will help employees to recognise likely scams and to know how to handle them, from reporting phishing emails or calls to disconnecting their workstations from the organisation networks  to isolate any malware if malicious links are clicked. In the end, reporting an ICT incident is all about being able to contain an attack, to mitigate the damage, to warn others to be on their guard, and to recover from the damage. It is also about doing so without delay, in spite of the uncertainty and panic that such an attack could cause. DORA is there to ensure that companies are prepared, creating certainty at the most critical times.


How can BDO help

Here at BDO Malta we have technical experts who can help to ensure that your company is ready in good time with the new requirements set by DORA. We can help you with DORA compliance by providing expert guidance on the regulation, conducting risk assessments and gap analysis, developing and implementing incident management and business continuity plans, and providing ongoing support and monitoring.

Get in touch