Compliance with DORA's Incident Reporting Requirements for Bank Cyber Attack

Internal system details about the answer.


“After our bank was affected by a significant cyber attack that disrupted our core services, I’m in charge of managing the situation. As the chief risk officer, what specific steps do I need to take to comply with DORA’s incident reporting and what are the deadlines for these actions?”

The user is seeking guidance on managing a cyber attack under the Digital Operational Resilience Act (DORA). They aim to understand the immediate steps and deadlines to properly report this incident as mandated by DORA, specifically about the bank’s disrupted core services.

  1. Nature of the attack: The specific details of the cyber attack are not provided, such as the extent of the disruption or the data potentially compromised.
  2. Time of awareness: It’s not clear when the bank became aware of the incident, which can influence the reporting deadlines.
  3. Existence of subsequent effects: The presence of follow-up issues post-incident is not mentioned, which may require additional reporting.
  4. Reach of the attack: The territorial reach of the cyber attack (whether it’s localized or cross-border) is unspecified, potentially affecting the reporting process.
  5. Prior notifications: It’s unknown if other authorities or bodies have been notified of the attack before seeking advice under DORA, which might affect the reporting steps.

Note: The junior lawyer is what we call a subsystem of Hotseat that completes helper tasks.

  1. Nature of the attack: The cyber attack led to a significant disruption affecting the core services of the bank.
  2. Time of awareness: We’ll assume the bank has just become aware of the cyber attack, triggering the initial reporting deadlines under DORA.
  3. Existence of subsequent effects: We’ll assume there may be ongoing effects of the cyber attack that are still being evaluated.
  4. Reach of the attack: We’ll assume the incident could potentially affect operations in multiple EU Member States, given the nature of banking services.
  5. Prior notifications: The bank has not yet initiated any reporting process related to the cyber attack.

Plan for the Junior Lawyer:

  1. Review Legal Background:

    • Familiarize yourself with DORA’s definitions of key terms. Article 3 defines “ICT-related incident” (Article 3(8)) and “major ICT-related incident” (Article 3(10)); the collective term “financial entities” is established in Article 2(2). “Incident reporting” itself is not a defined term; its content comes from Articles 17 to 20.
  2. Understand Reporting Obligations:

    • Analyze Article 17 to grasp the overarching ICT-related incident management process that the bank must have in place.
    • Check Articles 18 and 19, which outline the classification of ICT-related incidents and the process for reporting major ICT-related incidents, including the structure of the initial notification, intermediate report and final report.
  3. Review Specific Provisions for Reporting:

    • Inspect Article 19 to identify the procedural requirements for reporting major ICT-related incidents as they apply to a bank suffering a cyber-attack affecting core services.
  4. Assess Notification Deadlines:

    • Study Article 19 carefully to extract the reporting phases: Article 19(4) requires an initial notification, an intermediate report and a final report. Note that Article 19 does not itself state the hour or day limits for each phase; it refers to time limits laid down in the regulatory technical standards mandated by Article 20, so the applicable deadlines must be taken from those standards.
    • Examine Article 20, which details harmonization of reporting content and templates and mandates the technical standards that fix the time limits for each report.
  5. Prepare Reporting Documentation:

    • Ensure you understand the templates that must be used for reporting by referring again to Article 20.
    • Collect information for the initial report as outlined in Article 19(4), noting any data or analysis still pending that could influence subsequent reports.
  6. Consult Recitals for Broader Context:

    • Review Recitals 52 and 53 which provide context on the importance and expectations surrounding the reporting of major ICT-related incidents for financial entities.
  7. Develop a Reporting Plan:

    • Based on findings from the above steps, devise a reporting action plan for the bank, detailing immediate actions, responsible parties, and steps to adhere to the reporting timelines.
    • Include considerations for any ongoing assessments of the cyber attack’s effects that may require additional reporting.
  8. Advise on Ongoing Compliance:

    • Offer guidance on maintaining documentation as required by Article 19(8) for ongoing incident management and further supervisory review.
  9. Final Advice:

    • Formulate final advice for the chief risk officer that includes a checklist for the reporting process under DORA, ensuring all obligations are met within the deadlines.

Definitions and Terms from the Digital Operational Resilience Act (DORA):

  • ICT-related incident (Article 3(8)): a single event or series of linked events, unplanned by the financial entity, that compromises the security of its network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data or of the services it provides.
  • Financial entity (Article 2(2)): any of the entity types listed in Article 2(1) (credit institutions among them), referred to collectively in DORA as financial entities.
  • Major ICT-related incident (Article 3(10)): an ICT-related incident with a high adverse impact on the network and information systems that support the financial entity’s critical or important functions.
  • Incident reporting (working description, not an Article 3 definition): the process by which a financial entity notifies the relevant competent authority of a major ICT-related incident under Article 19.
  • Initial notification (Article 19(4)(a)): the first report a financial entity submits to the competent authority after classifying an incident as major.
  • Subsequent reporting (Article 19(4)(b) and (c)): the intermediate report, updating the initial notification as the status and impact of the incident change, and the final report, submitted once the root cause analysis is complete; both within the time limits set under Article 20.

Question Clarity Rating

Somewhat clear

Clarity Rating Explanation

The original question provides a clear intent and a specific user scenario, which involves managing the aftermath of a significant cyber attack at a bank. However, details regarding the nature of the cyber attack, the steps already taken by the bank in response, and any initial risk assessments or communications with authorities are not provided. These details could influence the specific requirements and timelines for incident reporting under DORA. Moreover, the request for “specific steps” suggests that the user may need more detailed information about the entire incident reporting process, not just deadlines. The assumptions made above do not adhere strictly to DORA but provide a logical structure that most incident reporting processes would likely entail.