Difference Between ICT Response and Recovery Plans and Restoration and Recovery Procedures

Question

What is the difference between ICT response and recovery plans and restoration and recovery procedures and methods?

Executive Summary

Understanding the distinction between ICT response and recovery plans versus restoration and recovery procedures is crucial for financial entities managing ICT incidents. Here’s how they differ:

  • Key Objectives: ICT response and recovery plans aim to immediately manage and control ICT-related incidents, ensuring quick resumption of services and limiting damage. Restoration and recovery procedures, however, are geared towards systematic restoration of ICT systems and data post-incident.
  • Timing and Focus: Response and recovery plans focus on active incident containment and maintaining critical operations, while restoration and recovery procedures concentrate on rebuilding and restoring system integrity once the immediate threat is neutralized.
  • Strategic Role: The former is part of a broader business continuity strategy to rapidly address ICT issues; the latter involves detailed, technical steps for returning to normal operations with a strong emphasis on tested backup policies.

These main points guide financial entities in forming robust ICT business continuity strategies and recovering effectively from any disruptions.

Assumptions

Given the ambiguities, for a meaningful legal analysis, we will assume that:

  1. Scope of Application: The distinction between these two concepts is to be understood in a general context, applicable to any financial entity subject to DORA, without focusing on a specific type of financial entity or service.

  2. Detail Level: The junior lawyer will need to explore both concepts to deliver an explanation that includes not only the definition but also the purpose, scope, and key components that differentiate the two.

  3. Context of Use: The response is being prepared for a hypothetical financial entity seeking to establish or refine its operational resilience framework within the scope of DORA, with an aim toward a clearer internal understanding and potential policy development.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

In this supplemental answer, we aim to build upon the information provided by investigating related legal documents. The insights from these texts are intended to enhance your understanding of the nuances in ICT response and recovery plans and restoration and recovery procedures as they relate to financial entities regulated under DORA.

Legal trace

Understanding the Scope of Impact on Clients

The number of clients affected by the incident […] shall reflect the number of all affected clients, which may be natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. (Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 22)

As this excerpt shows, the extent to which clients are impacted by an ICT incident is crucial in shaping the ICT response and recovery plans. It underscores that the plans must be comprehensive enough to account for the diverse ways in which clients can be affected, in line with the aim of ensuring service continuity and limiting damage emphasized in the main answer.

Measuring the Duration and Resolving Incidents

Financial entities shall measure the duration of an incident […] until the moment when the incident is resolved. (Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 23)

As this excerpt notes, tracking the duration of incidents is essential to an efficient ICT response. It illustrates the importance of time-sensitive action in the ICT response and recovery plans, whose purpose is to restore services quickly; this supports the main answer’s point about prioritizing the resumption of critical activities and recovery actions.

Data Integrity and Losses Assessment

To determine the data losses that the incident entails […] financial entities shall take into account whether the incident has rendered the data temporarily or permanently inaccessible or unusable. (Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 24)

This excerpt emphasizes data integrity and highlights the critical role of data in the post-incident restoration and recovery process. It aligns with the restoration and recovery procedures described in the main answer, which focus on minimizing data loss and ensuring that data is reliably backed up and restored, thereby maintaining the data availability and integrity that are key to a financial entity’s operations.

Quantifying Economic Impact of ICT Incidents

For the purpose of determining the economic impact of the incident, financial entities shall take into account the following types of direct and indirect costs and losses, which they have incurred as a result of the incident […] (Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 25)

Grasping the economic impact of an ICT incident, as this quote discusses, is instrumental in crafting both the ICT response plans and the broader restoration and recovery plans. It relates directly to the main answer’s point that financial entities must be able to estimate preliminary impacts, damages, and losses as part of their ICT response and recovery efforts, so that restoration and recovery procedures take economic repercussions fully into account.