Understanding the Fourth Chapter of DORA
The fourth chapter of the Digital Operational Resilience Act (DORA) is designed to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. Chapter 4 of DORA, titled “Information and Communication Technology (ICT) Risk Management,” is particularly critical as it lays out detailed requirements for the ICT risk management framework that financial entities must implement.
Overview
Chapter 4 of DORA mandates that financial entities establish and maintain robust ICT risk management frameworks. These frameworks should be integrated into the overall risk management system of the entity and should address all ICT-related risks comprehensively. The chapter outlines several key components that these frameworks must encompass:
- Governance and Organisational Structure
- ICT Risk Management Process
- Information Security Requirements
- ICT Incident Management, Classification, and Reporting
- Digital Operational Resilience Testing
- Management of ICT Third-Party Risk
Each of these components is designed to ensure a comprehensive approach to managing ICT risks, emphasising both preventative and reactive measures.
Governance and Organisational Structure
Implication: Financial entities must have a clear governance and organisational framework in which ICT risk management is integrated at all levels of the organisation. This includes assigning specific roles and responsibilities for ICT risk management.
CRMG Recommendation: Effective governance and organisational structure are interdependent. A well-defined organisational structure supports good governance by providing assurance that roles and responsibilities have been clarified, ensuring accountability, and creating the most suitable environment for effective decision-making.
ICT Risk Management Process
Implication: Entities need to identify, assess, monitor, and manage ICT risks continuously. This requires a systematic process that is well-documented and regularly reviewed.
CRMG Recommendation: Implementing a consistent approach to ICT risk management throughout the organisation, especially one that directly links threats to controls, will enable the organisation to understand, prioritise and address the relevant ICT risks.
Information Security Requirements
Implication: Ensuring the confidentiality, integrity, and availability of information and ICT systems is crucial. This includes implementing robust cyber security measures and maintaining a secure ICT environment.
CRMG Recommendation: By focusing on these three attributes of information when implementing cyber security measures, organisations are in a better position to protect their data from unauthorised access and fraud, and to ensure it is available when required.
ICT Incident Management, Classification, and Reporting
Implication: Financial entities must have procedures to detect, manage, and report ICT incidents promptly. This includes classifying incidents based on their severity and impact.
CRMG Recommendation: Detecting potential incidents early and prioritising responses so that the most critical incidents receive immediate attention are techniques that will help organisations use their resources to deal with ICT incidents as efficiently as possible.
Digital Operational Resilience Testing
Implication: Entities are required to perform regular resilience testing to ensure their ICT systems can survive various types of disruptions. This includes vulnerability assessments, penetration testing, and other forms of resilience testing.
CRMG Recommendation: Regular resilience testing includes a wide range of techniques such as Disaster Recovery Testing, Load Testing, Failover Testing and Incident Response Testing. Threat-Led Penetration Testing (TLPT) is a particular area of focus under DORA as certain financial entities are required to conduct TLPT at least every three years to ensure their ICT systems can withstand sophisticated cyber threats.
Management of ICT Third-Party Risk
Implication: Managing risks associated with third-party ICT service providers is critical. Financial entities must ensure that their third-party providers adhere to the same high standards of ICT risk management as their own.
CRMG Recommendation: Third parties and the contracting financial entity must work very closely together to ensure the requirements of DORA are met and that all information for the Lead Overseer is available when it conducts off-site investigations, on-site inspections, and continuous monitoring.
By mandating standardised procedures and regular assessments, DORA aims to enhance the overall resilience of the financial sector against digital threats. Chapter 4 of DORA provides a comprehensive framework for managing ICT risks in the financial sector.
The practical implications and recommendations discussed in this article aim to guide financial entities in implementing effective ICT risk management frameworks, ensuring not only compliance with DORA but also the security and stability of their operations in an increasingly digital world.