DORA & FINMA Circular 2023/1

Key considerations for Swiss financial entities

Vincent Colonna

Director, Cybersecurity and Privacy, PwC Switzerland

Xavier Bédat

Senior Associate, Cybersecurity and Privacy, PwC Switzerland

In this blog post, we have analysed DORA and the Circular from the perspective of a Swiss financial entity that is already implementing measures to comply with the Circular and now needs to identify, at a high level, any remaining gaps in its compliance with DORA.

DORA (Digital Operational Resilience Act) is an EU law that sets down uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector, as well as of critical third parties that provide information and communication technology (ICT) services to them, such as cloud platforms or data analytics services.

FINMA Circular 2023/1 ('the Circular') regulates how financial entities in the Swiss financial sector should manage operational risks, particularly in connection with ICT, and how they should handle critical data and cyber risks.



General protection measures

Both sets of regulations emphasise the need to ensure the security of data when these are being transmitted or stored, and to prevent unauthorised access, modification or destruction of the data. This also involves protecting the confidentiality, availability and integrity of the data. DORA additionally requires safeguards against potential threats from human error and inadequate administration – not only from hacking attempts.

According to DORA, financial entities must also:

  • Implement strong authentication mechanisms to verify the identity of users and prevent unauthorised access. This can include methods such as multi-factor authentication, depending on the level of security required.
  • Deploy cryptographic keys to encrypt and decrypt sensitive information that should be protected against unauthorised access. This can involve measures such as storing keys in secure locations, limiting access to those keys and using key management systems to rotate or revoke keys as needed.
  • Regularly apply patches and updates to software and systems. These activities are critical to maintaining the security of data and preventing vulnerabilities from being exploited.


Detection and monitoring

According to DORA, financial entities must set up detection mechanisms that enable multiple layers of control, such as alert thresholds and criteria, that trigger incident response processes. This can involve setting up automatic alerts to notify relevant staff when an incident is detected and initiating ICT-related incident response processes to mitigate the incident quickly and effectively.

Financial entities shall also regularly test their detection processes to ensure that they are effective and function as intended. This can involve simulated attacks or other types of testing to identify vulnerabilities in the system and to determine whether the detection mechanisms detect and respond to incidents appropriately.

Finally, financial entities must devote sufficient resources and capabilities to monitor user activity, ICT anomalies and ICT-related incidents, especially those related to cyber-attacks. This can involve implementing tools and technologies to monitor network activity and detect potential threats as well as ensuring that staff responsible for incident response have the necessary training and resources to respond to incidents quickly and effectively.


Incident management

Both sets of regulations require financial entities to have in place a crisis management plan, which is regularly reviewed and tested, as well as a dedicated crisis cell to deal with such situations.

Additionally, according to DORA, financial entities must test their crisis communication plan to ensure that all stakeholders are aware of their roles and responsibilities and that communication channels are effective. This can involve conducting mock drills or tabletop exercises to simulate various scenarios and identify any gaps or areas for improvement in the crisis communication plan.

They should also keep readily accessible records of activities before and during disruptive events as these are crucial for effective ICT business continuity planning and response. This can involve documenting incident response activities, including steps taken to mitigate the incident and restore normal operations, as well as lessons learned and areas for improvement.

Financial entities should pay particular attention to maintaining an up-to-date estimate of the aggregate annual costs and losses caused by major ICT incidents, as the competent authorities can request this estimate at any time. The estimate itself may involve providing detailed information on the scope and impact of major incidents, including the costs associated with remediation and recovery efforts, as well as the financial losses incurred because of the incident.

Moreover, financial entities are expected to conduct post-incident reviews to assess the effectiveness of the incident response plan and identify areas for improvement. This can involve evaluating response promptness, forensic analysis, incident escalation and communication, among other factors. Furthermore, they should be able to provide documentation on changes implemented after an ICT-related incident. This can include information on any updates or improvements made to the incident response plan or to other systems or processes to mitigate the risk of similar incidents occurring in the future. Having a record of these changes can help ensure that the organisation is continuously improving its incident response capabilities and reducing the likelihood of future incidents. Documentation of the post-incident review and of the change activities is an important way for financial entities to learn from the past, prepare for the future and document their compliance.

Finally, DORA provides a dedicated template that lists all the information to be included when notifying the competent authorities.



Business continuity and disaster recovery

Both sets of regulations require financial entities to have a Business Continuity Plan (BCP), which is reviewed and tested regularly.

In addition, DORA requires financial entities to maintain redundant ICT capacities that are equipped with resources, capabilities and functions to ensure business needs can be met in the event of a disruption. This can include backup systems, such as redundant servers or cloud-based infrastructure, that can quickly and seamlessly take over if the primary systems fail.

In addition to redundant ICT capacities, central securities depositories specifically should also maintain at least one secondary processing site with adequate resources, capabilities, functions and staffing arrangements to ensure business needs can be met in the event of a disruption. This can involve the set-up of a dedicated backup site that can be quickly activated if the primary site is unavailable. The secondary processing site should be located at a distance where it would not be affected by the same event that has affected the primary site. This can involve selecting a location that is far enough away to avoid being impacted by the same natural disaster, power outage or other event that has caused the primary site to become unavailable. If the financial entity uses a large cloud service provider, such providers usually offer geographically redundant sites of this kind. The staff must have access to the necessary equipment, resources and support to quickly resume business operations at the backup site in the event of a disruption.



Operational resilience

DORA states that tests shall be conducted at least yearly on all ICT systems and applications that support critical or important functions. FINMA Circular 2023/1, in contrast, states that tests should be done regularly as part of operational risk management and leaves it up to the supervised entity to define the exact frequency. The tests can involve testing various scenarios to ensure that the systems and applications are resilient and can withstand various disruptions.

Furthermore, central securities depositories and central counterparties have stricter requirements, as they should perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components and ICT services supporting critical or important functions of the financial entity.

Finally, advanced testing of ICT tools, systems and processes should be conducted based on threat-led penetration testing (TLPT), which involves simulating real-world attacks to identify potential vulnerabilities and weaknesses in the organisation's defences.


Third-party risk management

As the Circular does not regulate this topic, we based our analysis of third-party risk management on a comparison of DORA with FINMA Circular 2018/3 'Outsourcing – banks and insurers'.

DORA specifically requires financial entities to pay attention to several key contractual provisions:

  • Contract termination
    • When entering contractual arrangements for the use of ICT services, it is important to ensure that the contract includes provisions for termination under specific circumstances. This can involve ensuring that the contract includes language allowing for termination in the event of a breach in the third-party provider's ICT systems or in the event of any (logical or physical) change that is deemed capable of altering the performance of the functions provided.
    • The contract should also include provisions for termination in the event of any evidenced weaknesses indicating an inability to ensure the availability, authenticity, integrity and confidentiality of data. This can involve ensuring that the contract includes language allowing for termination if the third-party provider is unable to meet the organisation's security requirements or if the provider experiences a significant security incident or breach.
    • Termination rights and related minimum notice periods for termination of the contractual arrangements should be clearly specified in the contract.
  • The third-party provider must provide information on the location of data in transit and in storage.
  • The contract must include service level descriptions that specify quantitative and qualitative performance targets within agreed service levels in order to enable effective monitoring. The third-party provider must enable appropriate corrective actions to be taken without undue delay if agreed service levels are not met.
  • The contract shall require that subcontractors provide assistance to the financial entity at no additional cost or at a cost that is determined ex-ante in the event of an incident.
  • The contract shall require that subcontractors participate in security awareness programmes and operational resilience training.

Regulations for 'small' financial entities

Both sets of regulations provide for more flexible regulations with regard to smaller financial entities. FINMA Circular 2023/1 provides for exceptions for banks and securities firms in FINMA categories 4 and 5. Such financial entities are exempt from complying with certain specific requirements. Concerning third-party risk management, FINMA Circular 2018/3 allows for the risk-based relaxation of some requirements when the outsourcing is performed within the group.

On the other hand, DORA exempts the types of organisations listed below from compliance with its main body of ICT risk management regulation but imposes on them a simplified ICT risk management framework:

  • Small and non-interconnected investment firms
  • Payment institutions exempted according to Directive (EU) 2015/2366
  • Institutions exempted according to Directive 2013/36/EU (the 'Capital Requirements Directives')
  • Electronic money institutions exempted pursuant to Directive 2009/110/EC
  • Small institutions for occupational retirement pensions.

Conclusion

Generally, DORA and the Circular (and, to some extent, FINMA Circular 2018/3) are built on the same foundations as the NIST Cybersecurity Framework. FINMA has taken a more high-level approach, leaving the supervised entities to define for themselves how they want to best comply with its regulations, whereas DORA specifies the requirements in greater detail.

If a Swiss financial entity is already compliant with the Circular, it will have addressed almost all of the areas covered by DORA. Nevertheless, all entities will have to review in detail whether every requirement of DORA can be met by their processes and organisation in place and determine where they need to extend operational resilience to comply with DORA in full.
