Article 12 Digital Operational Resilience Act (DORA), Learning and Evolving
Article 12 of the Digital Operational Resilience Act (DORA) emphasizes the importance of continual learning and adaptation for financial entities in response to vulnerabilities, cyber threats, and ICT-related incidents. This article outlines the responsibilities of financial entities to gather information, conduct reviews, and integrate lessons learned into their ICT risk management processes to enhance their digital operational resilience. Here’s a detailed overview of the key provisions under Article 12.
Capabilities and Information Gathering
Financial entities must have in place capabilities and staff commensurate with their size, business and risk profile to gather information on vulnerabilities, cyber threats and ICT-related incidents, in particular cyber-attacks, and to analyze the impact these are likely to have on their digital operational resilience. The point of the analysis is to understand the effect on resilience and to adapt controls and strategy accordingly.
Post-Incident Reviews
- Conducting Reviews: After a major ICT-related incident disrupts core activities, financial entities must conduct a post-incident review. The review analyzes the causes of the disruption, determines whether the established procedures were followed and whether the actions taken were effective, and identifies the improvements needed to ICT operations or to the ICT Business Continuity Policy described in Article 10.
- Reporting Changes: Financial entities other than microenterprises must communicate the changes implemented as a result of these reviews to the competent authorities.
- Review Scope: The review must assess, at a minimum:
- Response Time: The promptness in responding to security alerts and in determining the impact and severity of the incident.
- Forensic Analysis: The quality and speed of the forensic analysis performed, where relevant.
- Incident Escalation: The effectiveness of incident escalation within the entity.
- Communication: The effectiveness of internal and external communication during and after the incident.
Incorporating Lessons Learned
Lessons derived from digital operational resilience testing (Articles 23 and 24) and from real-life ICT-related incidents, in particular cyber-attacks, must be fed back into the ICT risk assessment process. The same applies to difficulties encountered when activating business continuity or recovery plans, to relevant information exchanged with counterparties, and to findings from supervisory reviews. These inputs must lead to appropriate updates of the ICT risk management framework described in Article 5(1).
Monitoring and Reporting
- Effectiveness Monitoring: Financial entities must monitor the effectiveness of the implementation of their digital operational resilience strategy. This involves mapping the evolution of ICT risk over time and analyzing the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, so that the entity understands its level of ICT risk exposure and can improve its cyber maturity and preparedness.
- Senior Staff Reporting: Senior ICT staff are required to report at least annually to the management body on the findings from their reviews and assessments. These reports should include recommendations for further improvements.
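The review points above (promptness of alert handling, escalation effectiveness) and the monitoring duty (incident frequency, types and patterns, with a focus on cyber-attacks) are only meaningful if the entity records incident timestamps and computes the same metrics consistently from one period to the next. The following is an added example, not text from DORA or code from any regulator or vendor: it derives those metrics from a small constructed incident register. The field layout, the per-severity escalation SLA thresholds and the sample incidents are assumptions made for illustration.

```python
"""Post-incident and trend metrics over a constructed incident register.

Added example for the Article 12 review and monitoring duties; the register
format, SLA thresholds and sample data below are assumptions, not real data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Hypothetical escalation SLA per severity, in minutes (1 = critical, 3 = medium).
ESCALATION_SLA_MINUTES = {1: 30, 2: 120, 3: 480}


@dataclass(frozen=True)
class Incident:
    ident: str
    kind: str
    severity: int
    cyberattack: bool
    detected: datetime   # alert raised
    triaged: datetime    # impact and severity determined
    escalated: datetime  # handed to the incident lead / crisis team
    resolved: datetime

    def minutes(self, start: str, end: str) -> float:
        """Elapsed minutes between two timestamp fields, e.g. ('detected', 'triaged')."""
        return (getattr(self, end) - getattr(self, start)).total_seconds() / 60


# Constructed sample register (synthetic; ISO 8601 timestamps, one timezone).
SAMPLE_ROWS = [
    # ident, kind, severity, cyberattack, detected, triaged, escalated, resolved
    ("INC-001", "phishing",         3, True,  "2024-01-10T08:00", "2024-01-10T08:20", "2024-01-10T09:00", "2024-01-10T14:00"),
    ("INC-002", "hardware_failure", 2, False, "2024-02-03T02:00", "2024-02-03T02:10", "2024-02-03T02:30", "2024-02-03T06:00"),
    ("INC-003", "ransomware",       1, True,  "2024-03-15T22:00", "2024-03-15T22:15", "2024-03-15T23:00", "2024-03-17T10:00"),
    ("INC-004", "phishing",         3, True,  "2024-04-02T09:00", "2024-04-02T10:30", "2024-04-02T18:00", "2024-04-03T12:00"),
    ("INC-005", "ddos",             2, True,  "2024-05-20T11:00", "2024-05-20T11:05", "2024-05-20T11:40", "2024-05-20T13:00"),
    ("INC-006", "phishing",         3, True,  "2024-06-11T14:00", "2024-06-11T14:30", "2024-06-11T15:00", "2024-06-11T16:00"),
]


def parse_register(rows):
    """Build Incident objects, rejecting rows whose timeline is not monotonic."""
    incidents = []
    for ident, kind, sev, attack, det, tri, esc, res in rows:
        ts = [datetime.fromisoformat(x) for x in (det, tri, esc, res)]
        if ts != sorted(ts):
            raise ValueError(f"{ident}: timestamps out of order")
        incidents.append(Incident(ident, kind, sev, attack, *ts))
    return incidents


def quarter(dt: datetime) -> str:
    return f"{dt.year}-Q{(dt.month - 1) // 3 + 1}"


def incident_frequency(incidents):
    """Incident counts per quarter and type (frequency, types, patterns)."""
    freq = defaultdict(Counter)
    for inc in incidents:
        freq[quarter(inc.detected)][inc.kind] += 1
    return {q: dict(c) for q, c in sorted(freq.items())}


def response_metrics(incidents):
    """Promptness of alert handling and escalation, the review's points (a) and (c)."""
    triage = [i.minutes("detected", "triaged") for i in incidents]
    escalation = [i.minutes("detected", "escalated") for i in incidents]
    breaches = [i.ident for i in incidents
                if i.minutes("detected", "escalated") > ESCALATION_SLA_MINUTES[i.severity]]
    return {
        "median_triage_minutes": median(triage),
        "median_escalation_minutes": median(escalation),
        "escalation_sla_breaches": breaches,
    }


def cyberattack_trend(incidents):
    """Cyber-attack counts per quarter and whether the latest quarter rose."""
    per_quarter = Counter(quarter(i.detected) for i in incidents if i.cyberattack)
    series = sorted(per_quarter.items())
    rising = len(series) >= 2 and series[-1][1] > series[-2][1]
    return series, rising


if __name__ == "__main__":
    register = parse_register(SAMPLE_ROWS)
    print(incident_frequency(register))
    print(response_metrics(register))
    print(cyberattack_trend(register))
```

Two design points matter for the annual report to the management body: the metrics are computed from detection-to-action intervals rather than from self-reported durations, so they can be re-derived and challenged, and the SLA breach list names specific incidents, which is what a post-incident review needs in order to trace a slow escalation back to a procedure that was not followed.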
Training and Awareness
- Security Awareness Programs: Financial entities must develop and implement ICT security awareness programs and digital operational resilience training as compulsory modules in their staff training schemes. These apply to all employees and to senior management, with a level of complexity commensurate with the remit of their functions.
- Monitoring Technological Developments: Entities must monitor relevant technological developments on a continuous basis, including the possible impact that deploying new technologies would have on ICT security requirements and digital operational resilience. Keeping up to date with ICT risk management practices is necessary to counter current and new forms of cyber-attack.
Conclusion
Article 12 of DORA highlights the necessity for financial entities to remain proactive in learning and evolving their digital operational resilience practices. By establishing robust capabilities for gathering and analyzing information, conducting thorough post-incident reviews, integrating lessons learned, and maintaining effective monitoring and training programs, financial entities can strengthen their resilience against ICT-related incidents. This approach ensures that financial institutions are well-prepared to manage risks, adapt to technological changes, and enhance their overall digital security posture.