A Guide to Incident Management, Data Management, and Cybersecurity in DORA
Exploring the three key elements essential to incident reporting with DORA deadline less than two months away
In July 2024, one of the largest IT incidents in recent memory unfolded when a software update from the cybersecurity company CrowdStrike caused a global IT outage affecting millions of Microsoft systems. The outage lasted roughly ten hours and hit a range of businesses, from airlines to banking institutions. The event serves as a visceral reminder of the importance of sound management and response protocols in the face of major IT incidents.
Such incidents underscore the importance of having robust operational resilience regulations in place. The EU’s Digital Operational Resilience Act (DORA) is a trailblazer in this regard.
In just under two months’ time, DORA will come into force in the EU. With capital markets becoming increasingly digitised and dynamic, DORA seeks to establish resilience standards that safeguard against ICT risks and disruptions, which can have disastrous financial and reputational consequences for financial firms. Suffice it to say, it is all hands to the pump for financial firms seeking to meet the fast-approaching regulatory deadline.
DORA brings several key elements into focus, including:
The need for robust and well-tested business continuity and disaster recovery plans that can be implemented at pace;
The need for an incident response plan that ensures the firm can assess and respond to incidents (i) within regulatory timeframes (including under DORA and data protection rules, among others), (ii) in accordance with obligations in customer contracts, and (iii) in a manner that protects its commercial and reputational interests as far as possible;
The importance of cyber insurance; and
The potential for small technical glitches to cause major problems for critical, interconnected systems.
In particular, incident reporting is one of the five core pillars of the DORA requirements, along with ICT risk management, digital operational resilience testing, third-party risk management and information sharing.
As the model below shows, it can be broken down into three components: incident management, data management and cybersecurity.
[Figure: the three overlapping components of DORA incident reporting (incident management, data management and cybersecurity). Source: GreySpark Analysis]
The centre of the diagram, where all three components overlap, indicates the ultimate goal of establishing a comprehensive strategy that meets DORA’s incident reporting requirements. Ultimately, these requirements set a high bar for operational resilience, challenging banks to significantly and meticulously enhance their compliance and risk management strategies.
1. Incident Management: Precision, Speed, and Proactivity
Central to the DORA regulations is the requirement for robust incident management. The European Supervisory Authorities are proposing that firms must report significant operational disruptions within a tight timeframe, detailing the incident across 101 specific data points, of which 46 are mandatory and 55 conditional. This comprehensive data collection includes details about the incident’s impact, classification, and other critical criteria, demanding a level of precision that many firms are currently not equipped to handle.
The absence of standardised playbooks complicates matters further. Without these vital guidelines, firms may struggle to conduct effective mock drills, creating uncertainty around their ability to respond in real time to actual incidents and raising questions over their preparedness in the face of disruption. Many firms are still in the early stages of developing these playbooks, which are crucial both for aligning with regulatory expectations and for enhancing their own incident response capabilities.
Therefore, the immediate need is for firms to develop, refine, and regularly update their incident management playbooks. These guides must detail the process for rapid data collection, outline response strategies, and establish protocols that align with DORA’s rigorous standards.
As a result, firms must develop robust, automated playbooks for incident management that can be tested and refined through regular mock incident reporting exercises.
Firms should include:
Process Mapping: Detail the process for gathering necessary data points efficiently;
Protocol Creation: Include protocols for rapid response following incident classification; and
Staff Training: Train staff thoroughly on the playbook's procedures to ensure readiness and compliance under real incident conditions.
2. Data Management: Ensuring Integrity and Security
In tandem with incident management is the complex challenge of data management. Firms are required to manage large amounts of data from several sources, including stakeholders, in-house systems and, increasingly, third- and fourth-party service providers. The task extends beyond mere data collection to include data accuracy, mapping, and management across disparate systems. The sensitivity of this data mandates thorough sanitisation processes to help prevent the unintentional disclosure of confidential information; data that is mishandled or exposed poses significant risks.
When it comes to data sanitisation, the current lack of automation puts firms at risk of non-compliance and data breaches. To address this, firms must implement advanced data management technologies that can handle the seamless integration, sanitisation, and secure storage of data. These systems should facilitate not only compliance with regulatory requirements but also support dynamic data accessibility without compromising security.
To enhance data management capabilities, firms should include:
Data Mapping: Implement advanced data mapping and management tools that integrate seamlessly with both in-house and external data sources;
Data Sanitisation: Develop automatic data sanitisation protocols to ensure data privacy is maintained when reporting to regulators;
Stakeholder Engagement: Engage in continuous dialogue with stakeholders, including third- and fourth-party providers, to ensure clarity and compliance with data handling requirements; and
Data Management Framework: Establish clear guidelines for data management that are understood across all levels of the organisation and rigorously enforced.
3. Cybersecurity: Shifting from Compliance to Cultural Integration
DORA’s cybersecurity provisions require firms to conduct penetration tests, vulnerability scans and continuous threat-based monitoring. These exercises are crucial, not only for identifying potential vulnerabilities but also for ensuring that the firm’s defences are equipped to withstand new and evolving cyber threats. The challenge, however, lies in fully integrating these cybersecurity activities into the broader incident management and risk governance frameworks.
Many firms perform these tasks sporadically, treating them as compliance checkmarks rather than integral components of their operational strategy. To genuinely protect against cyber threats, firms must foster a culture of continuous cybersecurity vigilance, embedding these practices into everyday operations and decision-making processes.
Firms should include:
Instil Cybersecurity Culture: Ensure these exercises are not merely regulatory checkmarks but are deeply embedded into the firm’s culture and operations;
Cyber Threat Evaluation: Use insights from these cybersecurity tests to continually refine and update incident reporting processes and data management protocols; and
Employee Education: Educate all employees about cybersecurity risks and their roles in maintaining organisational resilience.
The path forward for firms under DORA is clear: develop comprehensive incident management playbooks, establish robust and automated data management systems, and improve cybersecurity practices over time. By adopting a proactive and integrated approach, firms can not only meet the demanding requirements of DORA but also enhance their operational resilience against digital disruptions. This journey is complex and demanding, but with strategic focus and commitment, firms can navigate these challenges successfully, safeguarding their operations and maintaining their competitive edge in the digital era.
For further information, please do not hesitate to contact us at london@greyspark.com with any questions or comments you may have. We are always happy to elaborate on the wider implications of these headlines from our unique capital markets consultative perspective.