Vincent Colonna
Director, Cybersecurity and Privacy, PwC Switzerland
Xavier Bédat
Senior Associate, Cybersecurity and Privacy, PwC Switzerland
In this blog post, we have analysed DORA and the Circular from the perspective of a Swiss financial entity that is already implementing measures to comply with the Circular and now needs to identify, at a high level, any remaining gaps in its compliance with DORA.
DORA (Digital Operational Resilience Act) is an EU regulation that lays down uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector, as well as of critical third parties that provide information and communication technology (ICT) services to them, such as cloud platforms or data analytics services.
FINMA Circular 2023/1 ('the Circular') regulates how financial entities in the Swiss financial sector should manage operational risks, particularly in connection with ICT, and how they should handle critical data and cyber risks.
Both sets of regulations emphasise the need to ensure the security of data while it is being transmitted or stored, and to prevent unauthorised access, modification or destruction of the data. This also involves protecting the confidentiality, integrity and availability of the data. DORA additionally requires safeguards against threats arising from human error and inadequate administration, not only from hacking attempts.
According to DORA, financial entities must also:
According to DORA, financial entities must set up detection mechanisms that enable multiple layers of control, such as alert thresholds and criteria, that trigger incident response processes. This can involve setting up automatic alerts to notify relevant staff when an incident is detected and initiating ICT-related incident response processes to mitigate the incident quickly and effectively.
Financial entities must also regularly test their detection processes to ensure that they are effective and function as intended. This can involve simulated attacks or other types of testing that probe for vulnerabilities in the system and confirm that the detection mechanisms identify incidents and trigger the response appropriately.
Finally, financial entities must devote sufficient resources and capabilities to monitor user activity, ICT anomalies and ICT-related incidents, especially those related to cyber-attacks. This can involve implementing tools and technologies to monitor network activity and detect potential threats as well as ensuring that staff responsible for incident response have the necessary training and resources to respond to incidents quickly and effectively.
Both sets of regulations require financial entities to have in place a crisis management plan, which is regularly reviewed and tested, as well as a dedicated crisis cell to deal with such situations.
Additionally, according to DORA, financial entities must test their crisis communication plan to ensure that all stakeholders are aware of their roles and responsibilities and that communication channels are effective. This can involve conducting mock drills or tabletop exercises to simulate various scenarios and identify any gaps or areas for improvement in the crisis communication plan.
They should also keep readily accessible records of activities before and during disruptive events as these are crucial for effective ICT business continuity planning and response. This can involve documenting incident response activities, including steps taken to mitigate the incident and restore normal operations, as well as lessons learned and areas for improvement.
Financial entities should pay particular attention to maintaining an up-to-date estimate of the aggregate annual costs and losses caused by major ICT incidents, as the competent authorities can request this estimate at any time. The estimate itself may involve providing detailed information on the scope and impact of major incidents, including the costs associated with remediation and recovery efforts, as well as the financial losses incurred because of the incident.
Moreover, financial entities are expected to conduct post-incident reviews to assess the effectiveness of the incident response plan and identify areas for improvement. This can involve evaluating response promptness, forensic analysis, incident escalation and communication, among other factors. Furthermore, they should be able to provide documentation on the changes implemented after an ICT-related incident. This can include information on any updates or improvements made to the incident response plan or to other systems or processes to mitigate the risk of similar incidents recurring. Keeping a record of these changes helps ensure that the organisation is continuously improving its incident response capabilities and reducing the likelihood of future incidents. Documentation of the post-incident review and of the resulting changes is an important way for financial entities to learn from the past, prepare for the future and evidence their compliance.
Finally, DORA provides a dedicated template that lists all the information to be included when notifying the competent authorities.
Both sets of regulations require financial entities to have a Business Continuity Plan (BCP), which is reviewed and tested regularly.
In addition, DORA requires financial entities to maintain redundant ICT capacities that are equipped with resources, capabilities and functions to ensure business needs can be met in the event of a disruption. This can include backup systems, such as redundant servers or cloud-based infrastructure, that can quickly and seamlessly take over if the primary systems fail.
In addition to redundant ICT capacities, central securities depositories specifically must also maintain at least one secondary processing site with adequate resources, capabilities, functions and staffing arrangements to ensure that business needs can be met in the event of a disruption. This can involve setting up a dedicated backup site that can be activated quickly if the primary site is unavailable. The secondary processing site must be located at a geographical distance from the primary site such that it is not exposed to the same event: far enough away to avoid being affected by the same natural disaster, power outage or other incident that has taken the primary site down. Financial entities that use a large cloud service provider can usually draw on the geographically separated regions these providers offer. Staff must have access to the necessary equipment, resources and support to resume business operations at the backup site quickly.
DORA states that tests shall be conducted at least yearly on all ICT systems and applications that support critical or important functions. FINMA Circular 2023/1, in contrast, states that tests should be done regularly as part of operational risk management and leaves it up to the supervised entity to define the exact frequency. The tests can involve testing various scenarios to ensure that the systems and applications are resilient and can withstand various disruptions.
Furthermore, central securities depositories and central counterparties have stricter requirements, as they should perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components and ICT services supporting critical or important functions of the financial entity.
Finally, financial entities that are in scope for it must conduct advanced testing of their ICT tools, systems and processes by means of threat-led penetration testing (TLPT) at least every three years. TLPT simulates the tactics and techniques of real-world attackers against live production systems in order to identify vulnerabilities and weaknesses in the organisation's defences and in its detection and response capabilities.
As the Circular does not regulate this topic, we based our analysis of third-party risk management on a comparison of DORA with FINMA Circular 2018/3 'Outsourcing – banks and insurers'.
DORA specifically requires financial entities to pay attention to several key contractual provisions:
Both sets of regulations provide for more flexible regulations with regard to smaller financial entities. FINMA Circular 2023/1 provides for exceptions for banks and securities firms in FINMA categories 4 and 5. Such financial entities are exempt from complying with certain specific requirements. Concerning third-party risk management, FINMA Circular 2018/3 allows for the risk-based relaxation of some requirements when the outsourcing is performed within the group.
On the other hand, DORA exempts the types of organisations listed below from compliance with its main body of ICT risk management regulation but imposes on them a simplified ICT risk management framework:
Generally, DORA and the Circular (and, to some extent, FINMA Circular 2018/3) are built on the same foundations as the NIST Cybersecurity Framework. FINMA has taken a more high-level approach, leaving the supervised entities to define for themselves how they want to best comply with its regulations, whereas DORA specifies the requirements in greater detail.
If a Swiss financial entity is already compliant with the Circular, it will have addressed almost all of the areas covered by DORA. Nevertheless, all entities will have to review in detail whether every requirement of DORA can be met by their processes and organisation in place and determine where they need to extend operational resilience to comply with DORA in full.
Please reach out to us if you are interested in an exchange on how we can support you in becoming compliant with the FINMA Circular 2023/1 and DORA or if you’re interested in assessing your organisation’s readiness.