2024-12-20

DORA Pilot for Trading for Own Account: Exploratory Research Report

The Dutch Authority for the Financial Markets (AFM) conducted a pilot study with a limited number of Trading for Own Account (HER) entities to assess their readiness for the Digital Operational Resilience Act (DORA) by 17 January 2025, the date from which DORA applies. The report identifies significant gaps in ICT asset management, change management and access control, including incomplete documentation, policies and procedures that are not coherently aligned with the DORA requirements, and insufficient awareness among board members of their information security responsibilities. The AFM recommends conducting gap analyses, reviewing intra-group outsourcing agreements, and establishing a demonstrable classification process for ICT-supported business functions, information and ICT assets before the application date.


Netherlands

Autoriteit Financiele Markten

DORA Pilot for Trading for Own Account
Exploratory Research Report, 20 December 2024

Table of Contents
1 Introduction
2 Results
3 Conclusion and Recommendations

1 Introduction

On 14 December 2022, the European Parliament and the Council adopted new legislation on digital resilience: the Digital Operational Resilience Act (DORA). DORA provides a regulatory framework for the resilience and robustness of ICT security at financial institutions within the EU and applies from 17 January 2025.

The AFM conducted research in the form of a pilot with a limited number of Trading for Own Account (HER, after the Dutch term "handelaren voor eigen rekening") entities. The objective of the pilot was to determine, within a limited scope, to what extent these institutions comply with the requirements of DORA, or are on track to be compliant by 17 January 2025.

The scope of the research focused on three areas within the DORA Regulatory Technical Standards (RTS) establishing tools, methods, processes and policies for ICT risk management. Specifically:

1 ICT Asset Management
  – Article 4 – Policy for the management of ICT assets
  – Article 5 – Procedure for the management of ICT assets
2 ICT Project Management and ICT Change Management
  – Article 17 – ICT Change Management
3 Access Control
  – Article 20 – Identity Management
  – Article 21 – Access Control

These three areas and articles cover IT processes for which requirements already exist under the Financial Supervision Act (Wft) and the Markets in Financial Instruments Directive (MiFID). These processes were the focus area of the pilot. In addition, where applicable to the execution of the in-scope IT processes, the AFM discussed the intra-group agreements made within the institutions.

The AFM requested the underlying documentation for the relevant IT processes. In a meeting with each HER, the documentation and the underlying IT processes were discussed for clarification. This gave the AFM a first insight into the current design of these IT processes. From this, points of attention emerged that may also be relevant for other market participants.

2 Results

2.1 General Points of Attention

Based on the documentation received and the discussions held, the AFM has drawn up a number of general points of attention. These are overarching and apply to the IT processes in scope, or arise from related topics that were discussed, such as internal outsourcing. Some points of attention therefore fall outside the original scope of the research, but are of broader importance under DORA.

1 Documentation. The parties investigated were not able to provide documented IT policies and IT procedures on the basis of which it can be established that they comply with the requirements of DORA. For parties that have only recently established policy, the AFM signals the risk of an incoherent DORA compliance approach.

2 Completeness of IT Policy. The IT policies and IT procedures of the parties were not fully aligned with the requirements set out in the DORA RTS establishing tools, methods, processes and policies for ICT risk management. This RTS prescribes specifically which elements must form part of each policy or procedure. If an element is not directly applicable to a financial entity, the policy must say so explicitly. For example, a financial entity may choose not to expose its ICT assets to external networks (see Article 4(2) of the RTS on ICT risk management); that choice must then be recorded in the policy for the management of ICT assets.

3 Awareness among Directors. DORA stipulates that the board of directors must be demonstrably aware of information security. The board is responsible for the level of information security across all (outsourced) partners in the full end-to-end outsourcing chain, and there must be risk-based monitoring of all these information security aspects.

4 Internal Outsourcing. Under DORA, internal outsourcing is in principle equated with external outsourcing. This means that the Dutch registered entity must have outsourcing agreements with all group entities that deliver IT services to it. Furthermore, the Dutch entity is obliged to maintain a complete Information Register.

5 Team Procedures. The use of multiple detailed procedures for processes such as change management and user access by different teams within an institution is a point of attention. To be in line with DORA, these procedures must not deviate from the institution's internal policy. Having multiple procedures is not a risk in itself, but it does require more time and attention to keep all of them compliant.

6 Operation of Policy and Processes. In addition to aligning policy and processes with DORA, institutions must also be able to demonstrate that they actually work in that way. Only by demonstrating the operation, in addition to the design, is the institution compliant with DORA.

2.2 Points of Attention for ICT Asset Management, ICT Change Management, Identity Management and Access Control

In addition to the general points of attention, the AFM has a number of more specific points of attention for the areas on which the pilot focused: ICT asset management, ICT change management, identity management and access control. These points of attention mainly arise from the specific requirements of the RTS establishing tools, methods, processes and policies for ICT risk management.

1 Classification of information and systems. Article 5 of the DORA RTS on ICT risk management requires that the classification of information (data) and systems be based on the criteria availability, authenticity, integrity and confidentiality. The classification of information and systems must then be aligned with the classification of ICT-supported business functions as described in Article 8(1) of the DORA Regulation.

2 Audit trail for change management. A complete audit trail must be present, from which the segregation of duties can be demonstrated. It is important to document IT changes and the approvals of those changes. This applies in particular where approval of changes is given in meetings, or where multiple systems are used for change management, such as a deployment pipeline alongside a service management system.

3 Connections and interdependencies of ICT assets. Article 4(2) of the RTS on ICT risk management states that the financial entity records in its policy for the management of ICT assets how it deals with the connections and interdependencies between ICT assets and the business functions that use them. This requires extra attention from entities that keep multiple records and overviews of their ICT assets, in order to properly document and monitor these connections and interdependencies.

4 Definition of ICT assets. The policies for the management of ICT assets, and the records kept in asset overviews, are mainly focused on hardware, whereas the definition of an ICT asset in Article 3(7) of the DORA Regulation covers both hardware and software. Extra attention is needed to capture software components sufficiently in the policy and procedure for the management of ICT assets.

5 ICT user access. At a number of the institutions investigated, the AFM could not establish that a documented procedure for user access exists. Password security is usually well organised, but a system of user profiles and the associated user IDs was missing.

3 Conclusion and Recommendations

Based on the documentation and the discussions with a limited number of HER, the conclusion is that the extent to which institutions are ready for DORA by 17 January 2025 varies greatly. A number of parties have only recently started implementing the DORA requirements within their organisation, and it seems unlikely that they will be DORA compliant by 17 January 2025. For other parties, the question remains whether they are fully compliant with all specific requirements of DORA.

Based on the points of attention above, the AFM makes the following recommendations:

• Conduct a gap analysis to determine whether all required elements of DORA are embedded in the policy documents and procedures. Assistance can be sought from an external advisor or from a second-line function (compliance, risk management). Once the policy and procedures are implemented in line with DORA, an internal or external audit can be carried out to obtain assurance on design, existence and operation.

• Parties that depend on a group entity for the execution of their IT processes must ensure that their intra-group outsourcing agreement fully covers the services received. Under DORA, internal outsourcing is in principle treated as external outsourcing, and in principle the same requirements apply. A review of the intra-group outsourcing agreement is recommended to determine whether it meets the requirements of DORA.

• For an integrated approach to ICT risk management, it is important to take all information security criteria (availability, integrity, confidentiality and authenticity) into account when classifying all ICT-supported business functions and the related information and ICT assets. This classification must be re-evaluated whenever necessary and at least once a year. It is therefore recommended to plan this in advance, since classifying all ICT-supported business functions and the related information and ICT assets takes considerable time. Here too, there must be a demonstrable and recorded process.

Apart from the research carried out, the AFM also draws attention to the information register. After DORA starts to apply on 17 January 2025, the information register will be the first item requested from market participants. The AFM must submit these registers to the EBA on 30 April 2025. The AFM intends to send an information request in February 2025 to all companies with an AFM licence that fall under DORA.