Chapter II of DORA sets out the key principles of ICT risk management, and Chapter V of DORA sets out the key principles for sound management of ICT third-party risk. The key steps are summarised below.
Step 1
As required by Chapter II of DORA, identify, classify and document all of the:
- ICT-supported business functions;
- roles and responsibilities; and
- information assets and ICT assets supporting those functions, together with their roles and dependencies in relation to ICT risk.
Financial Entities (FEs) need to perform an annual review of the adequacy of the classification and of any relevant documentation. A core outcome of this review is that FEs are clear which of these functions are critical or important and who the providers of those functions are.
When documenting their classification methodology, FEs should refer to the Central Bank's Cross-Industry Guidance on Outsourcing, which provides guidance on determining the criticality or importance of an outsourced activity or service.
Step 2
Identify all sources of ICT risk in relation to those ICT-supported business functions, and monitor, manage and assess these risks on a continuous basis. As part of this, FEs will:
- Set a clear ICT risk appetite, including impact tolerances for ICT disruptions.
Step 3
As required by Chapter V of DORA on ICT third-party risk, ensure that your FE has taken the necessary steps to manage ICT third-party risk as an integral component of ICT risk, within a sound, comprehensive and well-documented ICT risk management framework that forms part of its overall risk management system. Two key principles apply:
a. FEs that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under DORA and applicable financial services law;
b. FEs’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:
- i. the nature, scale, complexity and importance of ICT-related dependencies;
- ii. the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level. The key contractual provisions that must be included in such arrangements are set out in Article 30 of DORA.
As a key element of the ICT risk management framework, the Central Bank expects FEs to have developed a clear strategy on ICT third-party risk, which shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
Step 4
You should ensure that you have strong oversight of your FE's third-party providers and develop a good working relationship with them. You will need to work with your FE's third-party providers to:
- Identify any systems at the third party that your FE relies upon and which underpin critical or important functions;
- Ensure such systems are appropriately protected;
- Put in place regular reporting on performance and on material changes, for example changes to subcontractors;
- Ensure that the necessary mechanisms are in place to promptly detect unusual activity;
- Ensure there are processes in place with third-party providers so that the FE is informed of incidents promptly, so that incidents can be appropriately managed and the FE is in a position to comply with the incident reporting requirements of DORA; and
- Ensure that the third-party provider has plans and capabilities in place to recover the FE's activities within a reasonable timeframe, depending on the service. That plan may include your FE providing direct assistance to restore service.
To underpin this oversight, FEs should strengthen the contractual agreements in place with third-party providers (TPPs) and, when reviewing these contracts, ensure that they include, in particular, the following:
- Contractual requirements in relation to audit rights;
- The inclusion of the TPP in the FE's digital operational resilience testing, in advanced threat-led penetration testing (TLPT) where relevant, and in business continuity tests; and
- Transparency of the subcontracting chain and changes to this.