2024-03-29
The Dutch Authority for the Financial Markets (AFM) issued this third update to guide financial entities on complying with the Digital Operational Resilience Act (DORA) ICT risk management requirements by the January 17, 2025 deadline. The document details the implementation of ICT risk management frameworks, Business Continuity Management, and specific regulatory technical standards covering asset management, encryption, and access control. It further distinguishes between full compliance obligations and the simplified framework available for smaller, non-complex institutions.
TOEZICHT DORA UPDATE 3
Getting started with DORA: ICT Risk Management

Table 1: Additional elaborations
  Topic                                                                                                  | Completed
  RTS for Article 15: Further harmonisation of ICT risk management tools, methods, processes and policies | Already sent to EC
  RTS for Article 16(3): Simplified ICT risk management framework                                         | Already sent to EC
2. Getting started with ICT risk management

Risk Management in DORA (Articles 6 to 14)

Companies can already get started with:
• Drawing up a framework for ICT risk management (including with regard to outsourcing);
• Checking whether the requirements regarding Business Continuity Management (BCM) are met.

Article 6 of the Regulation describes the requirements for the ICT risk management framework (hereafter: the ICT Risk Management framework). To address ICT risks quickly, efficiently, and as completely as possible, it is important that companies have a solid, well-documented ICT Risk Management framework. This framework records, among other things, the strategies, policies, procedures, and ICT instruments needed to protect all ICT assets [3] and the relevant physical elements. The ICT Risk Management framework must be evaluated at least once a year (or periodically for micro-enterprises), and adjustments to the framework must be documented. In this way, the framework is continuously improved on the basis of the lessons learned from implementation and monitoring. Finally, the ICT Risk Management framework must periodically be subjected to an independent audit, and the results of that audit must be followed up.

To ensure the stability of a company's service provision, DORA sets requirements regarding Business Continuity Management (BCM). These requirements are described in Articles 8 to 12 of the Regulation:
• Companies must map their ICT landscape clearly. For this purpose, it is important that all business functions, tasks, and responsibilities supported by ICT are identified, classified, and documented. The same applies to the ICT assets and applications that support these business functions.
• Institutions must continuously monitor the security and operation of ICT systems [4]. This improves the protection of ICT systems and reduces the likelihood of cyber incidents.
• Companies can further limit the ICT risks to their ICT systems by deploying ICT security instruments, policies, and procedures aimed at ensuring the resilience, continuity, and availability of those systems. Since not all incidents can be prevented, it is important that financial institutions have detection mechanisms to detect abnormal activities as quickly as possible and to identify weak (physical) points. Once a deviation is detected, institutions must respond appropriately.
• Companies must draw up and implement an ICT business continuity policy. This policy includes arrangements, plans, procedures, and mechanisms that ensure, among other things, the continuity of critical functions, the proper resolution of ICT incidents with minimal damage, and that all relevant internal and external stakeholders are informed of the incident that occurred.

The RTS further elaborates on a number of BCM topics, such as testing the BCP and the response and recovery plan. We will return to this in the next section.

[3] All software or hardware in the network and information systems used by the financial entity.
[4] All ICT assets that work together to perform a specific business function.
The last two articles in the Regulation regarding ICT risk management (Articles 13 and 14) concern training and development, and communication. Regarding training and development, it is important that companies have sufficient capacity and personnel to collect information on vulnerabilities, cyber threats, and ICT-related incidents. In doing so, financial entities must take into account technological developments, the results of digital operational resilience tests, and ICT incidents that have occurred. When an ICT-related incident occurs, it is important to investigate what caused the disruption and what improvements must be made to prevent recurrence. Furthermore, it is important that companies have crisis communication plans so that they can act adequately in the event of serious ICT incidents. This includes, among other things, responsibly informing personnel, clients, and other directly involved parties about vulnerabilities.

Further elaboration of ICT risk management in the RTS (Article 15)

Companies can already get started with:
• Developing and implementing policies and procedures regarding, among other things, the management of ICT assets, network security, and encryption and cryptography.

In this section, we explain a number of topics from the RTS. These topics are a further elaboration of Article 15 of the Regulation. For the sake of clarity, a selection of topics from the RTS has been made. The fact that not all topics from the RTS are discussed in this publication does not mean that the other topics are less important: companies must comply with all requirements elaborated in the RTS by January 17, 2025.

Business Continuity Management

In Chapter IV (Articles 24 to 26) of the RTS, a number of BCM topics are further elaborated. This includes, among other things, testing the Business Continuity Plan (BCP) to ensure the continuity of critical and important business functions. When testing the BCP, companies must use realistic test scenarios that attempt to simulate potential disruptions. Where possible, ICT services of third parties are also included in the testing activities. The test results are documented; deviations are analyzed, followed up, and reported to management. In addition to testing the BCP, companies must draw up a response and recovery plan to minimize the impact of disruptions. In doing so, organizations must take into account the Business Impact Analysis (see also Article 11(5) of the Regulation). The ICT response and recovery plan includes, among other things, the situations in which the plan applies (and when it does not), the actions taken to ensure the availability, integrity, and confidentiality of critical and important systems, and the cases in which execution of the response and recovery plan can be deemed successful.

ICT Asset Management

As part of the management of ICT assets, companies must draw up (and implement) policies and procedures to ensure the availability, integrity, and confidentiality of data. The policy states how the organization monitors and manages the lifecycle of its ICT assets. Furthermore, institutions must create an overview of all ICT assets, including the location, classification, system owner, and the business function supported by each ICT asset. Finally, there must be a procedure describing how the company determines whether an ICT asset or application is critical or important.

Encryption and Cryptography

As with the management of ICT assets, companies must draw up and implement a policy describing the encryption of data and the management of cryptographic keys. This policy describes, among other things, the criteria for selecting cryptographic techniques and usage practices.
It must also be described in which situations a company switches to a new cryptographic technique to increase resilience against cyber attacks. For the management of cryptographic keys, it is important that companies set requirements for each phase in the lifecycle of cryptographic keys. This includes generating, renewing, storing, backing up, archiving, retrieving, sending, decommissioning, revoking, and destroying keys.
Network Security

For the security of networks within the organization, it is important that companies draw up and implement a policy and procedure describing measures that prevent unauthorized access to the network and misuse of data. By creating an overview of the different network connections and data flows within the organization, institutions get a good picture of the network. Furthermore, it is important that network connections involving corporate networks, public networks, domestic networks, third-party networks, and wireless networks are secured and encrypted to prevent unauthorized access to data. Finally, institutions can ensure the security of their network by regularly reviewing the configured firewall rules and periodically assessing the network architecture and network security.

Vulnerability and Patch Management

To further secure their networks, institutions must describe procedures for both vulnerability management and patch management. The vulnerability management procedure describes, among other things, how the institution ensures that an (automated) vulnerability scan is performed regularly and how the identified vulnerabilities are followed up and monitored. The patch management procedure ensures that software and hardware patches are automatically identified and tested in an environment separate from the production environment (where possible) and that a deadline is set for the installation of patches and updates.

Logging

In addition to vulnerability and patch management and network security, institutions must protect themselves against intruders and data misuse by logging user actions. Companies must determine for themselves which actions are recorded, how long the log files are retained, and which measures are taken to securely store and process the data. To ensure the accuracy of the log files, it is also important that measures are taken to protect the log files against unauthorized access, manipulation or deletion, and disruptions in the logging system.

Change Management

To ensure the availability, integrity, and confidentiality of data, it is important that institutions have drawn up and implemented an ICT change management procedure. This procedure describes how the organization verifies that ICT security requirements are met, how it ensures that changes are requested, tested, approved, and implemented by the appropriate employees, and how emergency changes must be carried out. Furthermore, it is important that companies consider the evaluation and monitoring of changes after implementation and what steps must be taken when a change is aborted prematurely or cannot be implemented.

Logical Access Control

For logical access control, it is equally important that a policy and procedures are drawn up (and implemented). These must describe how persons and systems with access to the institution's data are identified and authorized. For this purpose, it is important that all (external) employees are assigned a unique identity linked to the employee's user account. These identities and user accounts must be maintained and periodically checked; maintaining and checking the identity involves creating, modifying, (temporarily) deactivating, and deleting accounts. In addition to user identification, it is important that the organization correctly manages employee access to data.
Institutions must try to limit employee access to data as much as possible (least privilege principle), prevent segregation-of-duties conflicts, and ensure that actions in ICT systems can be traced back to individual employees (especially when shared accounts are used). Finally, it is important that changes to access rights are carried out correctly and in a timely manner.

Table 2: Additional elaborations
  Description                                                                                            | Completed
  RTS for Article 15: Further harmonisation of ICT risk management tools, methods, processes and policies | Already sent to EC

Simplified framework for ICT risk management (Article 16)

Article 16 of the Regulation describes the requirements for the simplified framework for ICT risk management, which apply to certain exempted institutions [5]. Part of the requirements for the framework are described in the Regulation, while another part is elaborated in the RTS. As far as the ICT risk management framework itself is concerned, the simplified framework is largely equal to the "regular" ICT risk management framework. As with the regular ICT Risk Management framework, the simplified variant is documented and evaluated periodically (and in the event of serious ICT incidents). The frequency of the periodic evaluation depends on the risk profile of the institution.

[5] This applies to small and non-complex investment firms; payment institutions exempted under Directive (EU) 2015/2366; institutions exempted under Directive 2013/36/EU where Member States have decided not to apply the option referred to in Article 2(4) of this Regulation; electronic money institutions exempted under Directive 2009/110/EC; and small occupational pension institutions.

The biggest difference is the number of requirements with which the simplified framework must comply. These requirements are also often less detailed.
The idea behind this is that the simplified framework contains the elements that are minimally necessary to ensure the availability, integrity, and confidentiality of data, while taking into account the risk, size, and complexity of the company. Institutions for which the simplified framework applies therefore only need to draw up an information security policy containing general, overarching guidelines and rules that must ensure the availability, integrity, and confidentiality of data. In addition to this information security policy, institutions must, however, take sufficient security measures for, among other things, logical access control, network security, management of ICT systems, and change management. To minimize the risk of unauthorized access, institutions must, for example, draw up and implement procedures that limit employee rights as much as possible and allow actions on ICT systems to be traced back to individual users. Furthermore, organizations must establish a fixed process for assigning, modifying, and revoking rights, and these rights must be checked periodically. For change management, organizations must also draw up a procedure. The requirements for this, however, are more concise than the requirements imposed on institutions to which Article 15 applies. The simplified change management procedure must ensure that every change to ICT systems is registered, tested, assessed, approved, implemented, and evaluated.
Regarding network security, companies must design the network so that systems connected to the internal and/or external network are sufficiently protected against unauthorized access and data misuse. For this purpose, it is important that measures are taken to protect data (in use, in transit, and at rest) and to ensure authenticity, integrity, and confidentiality during data transmission. Furthermore, consideration must be given to how unauthorized access to the network is prevented and detected in a timely manner, and there must be a process for the secure deletion of data.

Finally, in the context of ICT asset management, institutions must identify all ICT systems that support an important or critical business function. Furthermore, organizations must develop and implement a procedure for the procurement, development, and maintenance of ICT systems. This procedure covers, among other things, what information security requirements are imposed and how ICT systems are tested before they are put into use. It is also important that the lifecycle of the ICT system is monitored to ensure that it always meets the requirements of the organization.

The requirements included in the RTS for the simplified framework for ICT risk management thus largely correspond to the requirements for the regular framework for ICT risk management. For the simplified ICT Risk Management framework, however, the imposed requirements are less extensive. This takes into account the size of the institutions to which Article 16 applies.

Table 3: Additional elaborations
  Description                                                     | Completed
  RTS for Article 16(3): Simplified ICT risk management framework | Already sent to EC
3. Outlook

Currently, both the first and second batches of RTSs and ITSs have been published. The first batch (including the RTS for Articles 15 and 16(3)) has already been submitted to the European Commission for assessment and decision-making. The second batch has been submitted by the ESAs to companies in the financial sector for public consultation. This batch will likely be submitted to the European Commission in the third quarter of 2024. In the meantime, the AFM is preparing itself to further carry out DORA supervision.

In the next publications in this series, other topics from the Regulation will be addressed. The next edition will be published in the second quarter of 2024.

For further elaboration on ICT Risk Management in DORA, the following can be consulted:
• News item on the first series of rules for, among other things, ICT risk management (RTS) (esma.europa.eu)

Further questions? Contact the AFM entrepreneur's desk.