ICT Risk Management

ICT Management can be broken down into two areas, risk management and incident reporting. Key elements within these areas are the organisation's ability to identify and prioritise gaps and risks, including the implementation of plans that set out the steps, timelines, and resources required to address the identified risks. A significant portion of DORA outlines requirements for policies and procedures, which are therefore not measurable by scanning. However, a number of items can be checked, validated, measured, and tracked. The requirements that can be supported in whole or in part include:

Chapter II, ICT Risk Management

  • Article 5.1 2. The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).

  • Article 8, Identification, says:

    • 1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.

    • 2. Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.

    • 3. Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets.

    • 7. Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems.

Chapter IV, Digital operational resilience testing, Article 25

  1. (...) execution of appropriate tests, such as vulnerability assessments and scans;

  2. Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity;

  3. Microenterprises shall perform the tests (...) on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.

In addition to DORA, the Regulatory Technical Standards known as Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 (supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework) state the following in Article 10, Vulnerability and patch management:

  1. As part of the ICT security policies, procedures, protocols, (...) financial entities shall develop, document, and implement vulnerability management procedures.

  2. (b) ensure the performance of automated vulnerability scanning and assessments on ICT assets (...). For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.

    • (c) verify whether:

      (i) ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;

    • (f) prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;

    • (g) monitor and verify the remediation of vulnerabilities;

    • (h) require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.