Date: 22 February 2024
DORA is dominating headlines and if you’re in the financial services space in the EU, it’s probably also dominating all boardroom discussions. The Digital Operational Resilience Act (DORA) came into force on 16th January, 2023 and will be applicable from 17th January, 2025.
DORA is a regulatory framework and one of the key components of the European Union Digital Finance Package. The vision behind the Package is to catalyse the digital transformation of the financial services space in the EU and also harmonise the regulatory requirements at all EU member states. The goal is to offer clarity to financial institutions on how they can enter into a new era of digitisation while staying secure from the threats that loom large across all digital frontiers.
The Act comes in the wake of major cybersecurity incidents with financial organisations the world over. The impact of a cyber-attack on a financial player, sadly, is never limited to the business alone and directly impacts the end-user or the citizen. To mitigate these risks and others arising from Information and Communication Technologies (ICT), the crux of the DORA requirements pertaining to operational resilience can be broken into two parts:
- Build operational resilience - By anticipating cybersecurity risks and ensuing disruptions. And preparing for these well ahead of time.
- Demonstrate operational resilience - Through regular testing, businesses must be able to prove that they have the necessary resilience to withstand a cyber or ransomware attack and act appropriately in a crisis.
But how do you achieve these goals laid out by DORA and what does Digital Operational Resilience really mean? As experts in Cyber Incident Resilience Testing and creators of the NCSC Assured Training in Cyber Incident Planning & Response, we feel like we’re well-placed to explain both.
In this article, though, we are going to focus on the Act’s requirements pertaining to Business Continuity and Cyber Incident Response Plans. In the next article in this educational series on DORA, we take up Digital Operational Resilience Testing.
What DORA says about ICT Response and Recovery Plans
Chapter II of DORA covers ICT Risk Management in complete detail and emphasises on all aspects of Cyber Incident Response and Recovery, while Chapter IV is focussed on Digital Operational Resilience Testing. Article 11 (Chapter II) talks in detail about Cyber Incident Response Recovery. The gist is encapsulated in this sentence: “Financial entities shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms.” Chapter IV is devoted
In essence, DORA formalises what we have been recommending to our clients for as long as we can remember - plan, plan and plan! If you fail to plan, plan to fail - at least when you’re embroiled in battle with an advanced criminal hacker.
As per DORA, a solid business continuity plan and cyber security incident response plan are essential to ensure recovery from a cyber incident as seamlessly as possible. The financial entity must be able to respond to and resolve any cybersecurity incident with the end-goal of mitigating damage and minimising disruption to services.
These plans should also clearly define communication channels and crisis communications management strategies. Communication plans must include all internal and external stakeholders in compliance with Article 14 of the Act. Article 19 (Chapter II) lays out the guidance on updating ‘competent authorities’ when a major ICT-related incident and/or significant cyber threat does emerge.
Chapter II on ICT Risk Management of the final text of DORA is detailed and exhaustive. It talks of every aspect of Cyber Incident Response - Identification (Article 8), Prevention (Article 9), Detection (Article 10) and Response and Recovery (Article 11), Lessons Learned (Article 13), Communication (Article 14) and so forth.
It can be daunting and overwhelming to grasp every detail of every Article. So much so, that we’ve actually met potential clients who haven’t even started readying themselves for DORA a year into its official announcement.
Lucky for you, though, that you’ve stumbled upon this article and we may be able to help in at least unravelling DORA requirements at the onset. Our objective in the next section is to simplify for you how you can get started on building an effective Business Continuity Plan and inch a step closer to becoming DORA compliant before 2025.
Actions for meeting DORA’s Cyber & Operational Resilience & Response Requirements
#1. Train your staff - In our opinion, the first and foremost step you need to take is to educate your staff in Cyber Incident Response. They need to understand what goes into preparing for and responding to a cyber crisis.
Many of our clients whose teams have attended the NCSC Assured Training in Cyber Incident Planning and Response shared with us how significantly the course helped their staff to understand the real impact a cyber incident could have on their organisation. High-quality cybersecurity training in Incident Response really opens up the minds of employees about how much still needs to be done to bolster their defences against cyber crime.
The course also teaches you how to implement a well-defined and managed approach to dealing with a cyber-attack or data breach. Your team can learn how to put in place an effective Cyber Incident Response framework which can ultimately help you fulfil the requirements of the Digital Operational Resilience Act.
#2. Create or Review Your Cyber Incident Response Plan: An effective Business Continuity Plan and a Cyber Incident Response Plan are prerequisites of DORA. You need to make sure that you have a robust and fit-for-purpose cyber incident response plan as a financial entity.
The plan should actually help in case of an Incident to control the infection and mitigate any damage that it can cause. It must reflect the latest techniques and core principles of effective cyber incident response. It must also be in sync with the current cybersecurity threat landscape.
If you don’t have a plan, or are uncertain about the effectiveness of your existing plan, our cybersecurity consultants can help. Our Virtual Cyber Assistant Service is unlike anything in the market. You can hire deeply experienced cybersecurity experts for exactly the number of hours you need them.
You can choose to have them create a new Plan for you or review your existing plan and share their opinion on whether it is aligned with DORA or not. They can also help you refresh your plan to meet the requirements of the Act. But the services aren’t limited to just your Incident Response Plan.
Our expert cyber consultants can help you achieve significant improvements in your overall cybersecurity maturity. Ensuring Business Continuity within the context of cybersecurity is amongst the chief reasons why our clients enlist the services of our cybersecurity consultants. And this in turn brings you closer to achieving the goals laid out in the Digital Operational Resilience Act.
#3. Use our FREE Incident Response Plan Template: We understand that it may not be possible or feasible to immediately hire an external expert to advise you on your Cyber Incident Response Plan. This is why we’ve created an invaluable FREE resource - our Cyber Incident Response Plan template.
Created by the world leader in cybersecurity incident response and the creator of the NCSC Assured Training in Incident Response Planning, this free template is an extremely crisp, insightful and easily customisable resource. You can easily tailor it to your organisational structure, technology infrastructure and business context.
While it won’t replace the expertise of an external cybersecurity consultant, it’s a great starting point. It will show you what key elements of incident response to cover and what steps to take immediately in the aftermath of a cybersecurity incident. Use it in combination with our free Cyber Incident Response Checklist and you’ll feel more confident about becoming DORA compliant.
#4. Build Effective Playbooks in Conjunction with Plans: Though the DORA text doesn’t specifically mention Cyber Incident Response Playbooks, we recommend creating and/or refreshing yours in conjunction with your IR plans. Together, they can help you achieve the levels of digital operational resilience that DORA mandates.
Incident Response Playbooks contain immediate remediation steps based on pre-defined triggers. They also contain specific triggers for communication channels in case of a cyber incident - a stringent DORA requirement.
#5. Test your Response & Recovery Cybersecurity plans: Digital Operational Resilience Testing is a major part of DORA. And it is highly recommended to regularly test your cyber resilience through cyber crisis tabletop exercises. We cover this aspect of DORA requirements in greater detail in our next blog.
However, any conversation about cyber resilience and cyber incident response plans is incomplete without a mention of cybersecurity drills so we had to include this in the list of action items. In the context of IR plans, it has to be underlined that testing the plans against simulated cyber attack scenarios is critical.
Without cyber simulation drills, it’s impossible to know whether the plans are any good or not. It’s also the best way to familiarise your staff and key incident responders with what’s in the plans, processes and cybersecurity procedures.
Last Word
Cyber incident response planning is critical to the Digital Operational Resilience Act (DORA). It ensures that financial entities and service providers can effectively prepare for, respond to, and recover from cyber incidents.
Incident Response planning is essential for minimising the impact of cyber incidents on the financial markets, protecting consumers, and preserving the stability and resilience of the financial system.
By mandating robust incident response mechanisms and a robust Incident Response Plan, DORA aims to enhance the overall digital operational resilience of the financial sector. While complying with DORA is mandatory for financial entities in the EU, it is important to remember that by taking the actions mentioned above, you can also ensure that your business can withstand, respond to, and recover from adverse cyber events without significant disruption to financial services or loss of sensitive data.
