Difference Between ICT Response and Recovery Plans and Restoration and Recovery Procedures

Question

What is the difference between ICT response and recovery plans and restoration and recovery procedures and methods?

Executive Summary

Understanding the distinction between ICT response and recovery plans versus restoration and recovery procedures is crucial for financial entities managing ICT incidents. Here’s how they differ:

  • Key Objectives: ICT response and recovery plans aim to immediately manage and control ICT-related incidents, ensuring quick resumption of services and limiting damage. Restoration and recovery procedures, however, are geared towards systematic restoration of ICT systems and data post-incident.
  • Timing and Focus: Response and recovery plans focus on active incident containment and maintaining critical operations, while restoration and recovery procedures concentrate on rebuilding and restoring system integrity once the immediate threat is neutralized.
  • Strategic Role: The former is part of a broader business continuity strategy to rapidly address ICT issues; the latter involves detailed, technical steps for returning to normal operations with a strong emphasis on tested backup policies.

These main points guide financial entities in forming robust ICT business continuity strategies and recovering effectively from any disruptions.

Assumptions

Given the ambiguities, for a meaningful legal analysis, we will assume that:

  1. Scope of Application: The distinction between these two concepts is to be understood in a general context, applicable to any financial entity subject to DORA, without focusing on a specific type of financial entity or service.

  2. Detail Level: The junior lawyer will need to explore both concepts to deliver an explanation that includes not only the definition but also the purpose, scope, and key components that differentiate the two.

  3. Context of Use: The response is being prepared for a hypothetical financial entity seeking to establish or refine its operational resilience framework within the scope of DORA, with an aim toward a clearer internal understanding and potential policy development.

Legal trace

Overview of ICT Resilience in Financial Entities as per DORA

Financial entities shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity. Article 11(1)

This provision anchors the ICT business continuity policy within the entity’s overall business continuity policy; the ICT response and recovery plans are the instruments through which that policy is implemented, so they sit inside a broader business continuity strategy rather than standing alone. The word “comprehensive” signals that the policy must cover the full range of ICT-related incidents, not only the most likely ones.

Financial entities shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to:

  • (a) ensure the continuity of the financial entity’s critical or important functions;
  • (b) quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions;
  • (c) activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures established in accordance with Article 12;
  • (d) estimate preliminary impacts, damages and losses;
  • (e) set out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders in accordance with Article 14, and report to the competent authorities in accordance with Article 19. Article 11(2)

Article 11(2) sets out what the arrangements, plans and procedures implementing the policy must achieve: continuity of critical or important functions, rapid response to and resolution of incidents, containment without delay, a preliminary estimate of impacts and losses, and communication and reporting. Point (c) is the hinge between the two concepts under discussion: the dedicated plans must activate both containment measures and the “tailored response and recovery procedures established in accordance with Article 12”. The response and recovery plans are therefore expected to invoke the Article 12 restoration procedures, not to duplicate them.

The Role of Recovery and Restoration

For the purpose of ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss, as part of their ICT risk management framework, financial entities shall develop and document:

  • (a) backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data;
  • (b) restoration and recovery procedures and methods. Article 12(1)

Article 12(1) states the goal of restoration and recovery procedures and methods: restoring ICT systems and data with minimum downtime and limited disruption and loss. It deliberately pairs those procedures with the backup policies on which any restoration depends. The scope of data backed up and the minimum backup frequency, set according to the criticality or confidentiality of the data, bound what can be restored and how much is lost, so the restoration procedures are only as effective as the backup policy they rely on.

Efficient business continuity and recovery plans are necessary to allow financial entities to promptly and quickly resolve ICT-related incidents… However, such resumption should in no way jeopardise the integrity and security of the network and information systems or the availability, authenticity, integrity or confidentiality of data. Recital 49

Recital 49 confirms that the plans must resolve incidents quickly and limit damage, but that the resumption they bring about must not compromise the security of network and information systems or the availability, authenticity, integrity or confidentiality of data. Read together with Articles 11 and 12, this indicates that “ICT response and recovery plans” cover the immediate handling of an incident (containment, continuity of critical functions, communication), while “restoration and recovery procedures and methods” are the documented technical and procedural steps, tied to the backup policy, for returning systems and data to full, verified functionality.

Conclusion

“ICT response and recovery plans” pertain to a financial entity’s broader business continuity strategy, designed to manage and control ICT-related incidents actively, and ensure rapid service resumption. These plans are crafted to prioritize limiting damage while observing the stringent requirements of data integrity and system security.

On the other hand, “restoration and recovery procedures and methods” are focused on the strategic and systematic restoration of ICT systems and data after an incident. They include the technical measures employed to return to normal operations, adhering to well-tested and documented backup policies.

The main difference lies in their application timing and focus: response and recovery plans aim to offer immediate solutions to contain incidents and sustain critical functions, while restoration and recovery procedures target rebuilding and restoring systems and data integrity in the aftermath.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

In this supplemental answer, we aim to build upon the information provided by investigating related legal documents. The insights from these texts are intended to enhance your understanding of the nuances in ICT response and recovery plans and restoration and recovery procedures as they relate to financial entities regulated under DORA.

Legal trace

Understanding the Scope of Impact on Clients

The number of clients affected by the incident […] shall reflect the number of all affected clients, which may be natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 22

This criterion belongs to incident classification rather than to the plans themselves, but it shows what the response phase must be able to establish quickly: which clients were unable to use a service and which were otherwise adversely affected. That determination feeds the preliminary estimate of impacts required by Article 11(2)(d) and the reporting under Article 19, so the ICT response and recovery plans need to provide for collecting it while the incident is still being contained.

Measuring the Duration and Resolving Incidents

Financial entities shall measure the duration of an incident […] until the moment when the incident is resolved. Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 23

Because duration is measured until resolution, the clock runs through both phases discussed in the main answer: the response phase governed by the ICT response and recovery plans and the restoration phase governed by the Article 12 procedures. Keeping the measured duration short therefore depends on the handover between the two working, with the plans invoking the restoration procedures without delay, as Article 11(2)(c) requires.

Data Integrity and Losses Assessment

To determine the data losses that the incident entails […] financial entities shall take into account whether the incident has rendered the data temporarily or permanently inaccessible or unusable. Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 24

The distinction between temporary and permanent data loss maps directly onto Article 12(1): whether loss is temporary or permanent is largely determined by the scope and minimum frequency of backups set under point (a) and by whether the restoration and recovery procedures under point (b) can actually be executed. This is why the main answer ties the restoration and recovery procedures to tested and documented backup policies; a restoration procedure that cannot be carried out leaves the data permanently inaccessible for classification purposes.

Quantifying Economic Impact of ICT Incidents

For the purpose of determining the economic impact of the incident, financial entities shall take into account the following types of direct and indirect costs and losses, which they have incurred as a result of the incident […] Final Report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 25

Economic impact is relevant to both concepts. During the response phase, Article 11(2)(d) requires a preliminary estimate of impacts, damages and losses, which the response and recovery plans must make possible while the incident is still open. During restoration, the direct and indirect costs referred to here accrue for as long as systems and data remain unavailable, so the restoration and recovery procedures should be designed with the cost of downtime in mind and should record what was restored and when, so that the final economic impact can be quantified.