Compliance with DORA's Incident Reporting Requirements for Bank Cyber Attack

Question

After our bank was affected by a significant cyber attack that disrupted our core services, I'm in charge of managing the situation. As the chief risk officer, what specific steps do I need to take to comply with DORA's incident reporting and what are the deadlines for these actions?

Executive Summary

In the wake of a cyber incident at your bank, aligning with the Digital Operational Resilience Act (DORA) is crucial for compliance and risk management. Here are the key actions you must take as the chief risk officer:

  • Incident Classification and Management: Evaluate the cyber attack to determine if it’s a major ICT-related incident and implement a documented incident management process to detect, manage, and mitigate the cyber threat.
  • Incident Recording: Keep thorough records of the incident, ensuring that root causes are documented and addressed to prevent future occurrences.
  • Reporting to Authorities: Report major incidents to the relevant authorities promptly, following established criteria for impact assessment based on client and economic impact.
  • Communication and Response: Establish a comprehensive communication plan to inform authorities and stakeholders; this should include early detection measures and incident response procedures.

Acting swiftly and efficiently on these points is imperative to satisfy DORA’s requirements and maintain operational resilience.

Assumptions

  1. Nature of the attack: The cyber attack led to a significant disruption affecting the core services of the bank.
  2. Time of awareness: We’ll assume the bank has just become aware of the cyber attack, triggering the initial reporting deadlines under DORA.
  3. Existence of subsequent effects: We’ll assume there may be ongoing effects of the cyber attack that are still being evaluated.
  4. Reach of the attack: We’ll assume the incident could potentially affect operations in multiple EU Member States, given the nature of banking services.
  5. Prior notifications: The bank has not yet initiated any reporting process related to the cyber attack.

Legal trace

I have completed the analysis according to the plan laid out by the senior lawyer, utilizing various AI agents as directed. The analysis has led to an understanding of the specific obligations posed by the Digital Operational Resilience Act (DORA) in response to a significant cyber attack. Here is the summary of the legal findings:

Understanding Key Terms and Obligations

‘ICT-related incident’ means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; Article 3(8)

The term “ICT-related incident” entails unplanned events that undermine the network and information systems’ security, impacting the data and services offered by the bank. Accordingly, the chief risk officer must engage in an incident response mechanism that meets the requirements of DORA.

‘major ICT-related incident’ means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; Article 3(10)

A “major ICT-related incident” categorization is based on the high adverse impact on critical operational functions. The chief risk officer must evaluate the cyber attack against this definition to establish the reporting urgency.

Incident Management Process

Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Article 17(1)

Article 17(1) mandates a comprehensive management process for ICT-related incidents, covering every stage from detection through to notification.

Financial entities shall record all ICT-related incidents and significant cyber threats… to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents. Article 17(2)

Recording incidents and threats is crucial, with root-cause analysis aimed at preventing recurrences.

  • (a) put in place early warning indicators;
  • (f) establish ICT-related incident response procedures to mitigate impacts… Article 17(3)

Article 17(3) sets out a detailed framework the bank must follow, including early warning indicators, incident response procedures, and communication strategies.

Identification and Reporting of Major Incidents

Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria: … Article 18(1)

Incidents must be classified methodically as ‘major’ based on a range of factors, from client impact to the economic ramifications.

Financial entities shall report major ICT-related incidents… Article 19(1)

A structured response and reporting process is mandatory for classified ‘major’ incidents.

Upon receipt of the initial notification … the competent authority shall, in a timely manner… Article 19(6)

A report made to the competent authority may be passed on to other bodies, which underlines the need for a broad communication plan.

Context and Broader Implications

The direct reporting should enable financial supervisors… Recital 52

Reporting should be immediate and direct, facilitating the rapid response of financial supervisors.

Indeed, relevant materiality thresholds, as well as reporting timelines, should be duly adjusted… Recital 53

There is room for specificity in compliance obligations, indicating that reports should be tailored to the significance of the incident.


In conclusion, the chief risk officer is obliged to assess the cyber attack severity, establish its classification, record and manage the incident, and report to the competent authorities within prescribed deadlines. Establishing an incident reporting protocol, adhering to classification criteria, and remaining in ongoing communication with relevant authorities form the guiding pillars for DORA compliance in this scenario.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

In follow-up to our initial analysis, this supplemental answer delves into further specifics as informed by related regulatory technical standards (RTS) under the Digital Operational Resilience Act (DORA). These details elaborate on the classification and reporting of major ICT-related incidents, as well as the management of incidents with significant cyber threats. This targeted information will provide a refined understanding and enhance the decision-making framework necessary for effective compliance.

Legal trace

An incident shall be considered a major incident for the purposes of Article 19 of Regulation (EU) 2022/2554 where it has had any impact on critical services as referred to in Article 6 and where one of the following is met: a) the materiality threshold of Article 13(b) has been met; or b) two or more materiality thresholds specified in this Section have been met. (Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 26

The above quote specifies the definitive conditions that elevate an ICT-related incident to ‘major incident’ status, in line with Article 19 of Regulation (EU) 2022/2554. It clarifies that any impact on critical services, combined with either the Article 13(b) threshold or at least two of the other materiality thresholds, dictates the level of response and reporting expected of your institution.

Reporting Thresholds and Economic Impact

The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ shall be met where any of the following conditions is met: a) the number of affected clients is higher than 10% of all clients using the affected service; or b) the number of affected clients is higher than 100,000 clients using the affected service; […] (Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 26

This excerpt emphasizes the significance of client impact in quantifying a cyber incident, outlining specific thresholds that must be considered when determining a major ICT-related incident. It enables your bank to discern whether the cyber attack’s scope necessitates reporting, an essential step in aligning with DORA’s incident response procedures.

The materiality threshold of the economic impact criterion in accordance with Article 7 shall be met where the costs and losses incurred by the financial entity from the major incident have exceeded or are likely to exceed EUR 100,000. (Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 28

This provision gives an economic perspective on incident materiality: costs and losses that exceed, or are likely to exceed, EUR 100,000 meet the economic impact materiality threshold. It equips your institution with a clear financial benchmark for evaluating and potentially reporting the incident’s ramifications under DORA.

Reputational Impact Considerations

Any impact set out in Article 2 a) to d) shall be considered as meeting the threshold of the reputational impact criterion. (Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 27

Reputational impact is a nuanced but critical aspect of incident assessment. This provision stresses the need to appreciate a broad range of effects beyond mere operational and economic outcomes. It is a reminder of the importance of considering reputation within the bank’s overall incident reporting process.

Management of Recurring Non-major Incidents

Recurring incidents that individually do not constitute a major incident shall be considered as one major incident where the incidents meet all of the following conditions: a) the incidents have occurred at least twice within 6 months; […] (Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 28

The repetition of smaller-scale incidents can collectively equal a major incident, according to the above criterion. This informs your ongoing risk assessment strategies by highlighting the need to monitor and possibly report recurring ICT-related issues that could escalate in significance when viewed in aggregate.
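As an added illustration, not part of the original answer or of the RTS text, the classification conditions quoted in this section encoded as a small check that an incident-management tool could run. Only the thresholds quoted on this page are modelled: the Article 13(b) threshold and the Article 2 a) to d) reputational impacts are not reproduced here and are taken as boolean inputs, the further conditions for recurring incidents are elided on the page and so are omitted, and "six months" is approximated as 183 days (an assumption).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds quoted from the draft RTS on this page (pages 26 and 28).
EUR_COST_THRESHOLD = 100_000      # economic impact: costs/losses exceeding EUR 100,000
CLIENT_ABS_THRESHOLD = 100_000    # more than 100,000 affected clients of the service
CLIENT_SHARE_THRESHOLD = 0.10     # more than 10% of all clients using the affected service
SIX_MONTHS = timedelta(days=183)  # assumption: the RTS does not define a day count here


@dataclass
class Incident:
    affects_critical_service: bool  # "any impact on critical services as referred to in Article 6"
    affected_clients: int
    total_clients_of_service: int
    est_costs_eur: float            # costs incurred, or likely to be incurred
    reputational_impact: bool       # any impact in Article 2 a) to d); contents not on this page, so an input
    article_13b_met: bool           # Article 13(b) threshold; contents not on this page, so an input


def thresholds_met(inc: Incident) -> dict:
    """Evaluate the materiality thresholds quoted on this page (the RTS lists more; only these are modelled)."""
    share = (inc.affected_clients / inc.total_clients_of_service
             if inc.total_clients_of_service else 0.0)
    return {
        "clients": inc.affected_clients > CLIENT_ABS_THRESHOLD or share > CLIENT_SHARE_THRESHOLD,
        "economic": inc.est_costs_eur > EUR_COST_THRESHOLD,
        "reputational": inc.reputational_impact,
    }


def is_major(inc: Incident) -> bool:
    """Major: impact on critical services AND (Article 13(b) met OR two or more thresholds met)."""
    if not inc.affects_critical_service:
        return False
    met = thresholds_met(inc)
    return inc.article_13b_met or sum(met.values()) >= 2


def recurs_within_six_months(occurrences: list) -> bool:
    """Condition (a) for recurring non-major incidents: at least two occurrences within 6 months.
    Sorting makes it enough to look at consecutive pairs. Further RTS conditions are not modelled."""
    days = sorted(occurrences)
    return any(b - a <= SIX_MONTHS for a, b in zip(days, days[1:]))


if __name__ == "__main__":
    # Constructed sample: critical service hit, 150,000 of 1,000,000 clients, EUR 50,000 loss.
    sample = Incident(True, 150_000, 1_000_000, 50_000, False, False)
    print(thresholds_met(sample), is_major(sample))  # one threshold met -> not major on its own
```

Note that a single threshold (here the client criterion) does not make the incident major unless the Article 13(b) threshold is also met; the sample trips only one, so it stays non-major.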

Supplemental Reporting Protocols

Understanding precise criteria and applying specific materiality thresholds is critical when reporting cyber incidents. The provisions offer a legal backbone for meticulous incident documentation and reporting, a fundamental aspect of adherence to DORA’s mandates. Each step of the reporting protocol must be executed with precision, ensuring that every reported incident meets the stipulated conditions.

Conclusion

The details derived from the aforementioned regulatory technical standards supplement the initial DORA-related guidance by stipulating explicit thresholds and criteria for major incident classification and reporting. These additional insights fortify the bank’s incident response plan and aid in cultivating a structured, compliant approach to managing and disclosing significant cyber threats.