ICT-related incident management process


TL;DR The Digital Operations Resilience Act from the EU outlines a process for ICT-related incident management, which includes establishing early warning indicators, procedures for identifying, tracking, logging and classifying ICT-related incidents, assigning roles and responsibilities for incidents, plans for communication and notification, and ICT-related incident response procedures. The process also requires that major ICT-related incidents be reported to relevant senior management and the management body.
  1. Financial entitiesas defined in Article 2, points (a) to (t) shall define, establish and implement an ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; management process to detect, manage and notify ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;.

  2. Financial entitiesas defined in Article 2, points (a) to (t) shall record all ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and significant cyber threatsmeans a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;. Financial entitiesas defined in Article 2, points (a) to (t) shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.

  3. The ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; management process referred to in paragraph 1 shall:

    1. put in place early warning indicators;

    2. establish procedures to identify, track, log, categorise and classify ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in Article 18(1);

    3. assign roles and responsibilities that need to be activated for different ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; types and scenarios;

    4. set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entitiesas defined in Article 2, points (a) to (t) that act as counterparts, as appropriate;

    5. ensure that at least major ICT-related incidentsmeans an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; are reported to relevant senior management and inform the management bodymeans a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; of at least major ICT-related incidentsmeans an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;, explaining the impact, response and additional controls to be established as a result of such ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;;

    6. establish ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.