Professional Documents
Culture Documents
Cybersecurity – DORA Practical Guide
Cybersecurity – DORA Practical Guide
PROFESSIONAL
GUIDE DECEMBER 2023
Digital
Operational
Resilience
Act
CONTENTS
Introduction 1
3. Incident categorisation 9
4. Resilience testing 12
Incident categorisation
→ The ability of a financial entity to into four key sections:
rebuild, reassure and review it’s opera-
Current situation: important points
tional capability, integrity and reliability
for verifying that you do in fact meet
(...) including through disruption.1
the requirements of DORA, since you
have probably already implemented
DORA aims to steer the financial sector these practices.
towards a real maturity that goes beyond
each participant’s individual operational What’s new: requirements under
resilience to strengthen the resilience DORA for which the next steps appear
of the sector as a whole. In addition to to be within reach.
Resilience testing
the financial actors that will be designated
Challenges: more complex
as systemic for the European financial system
requirements for which AMCs
and other players involved in its
will need to take certain measures.
implementation, DORA applies to ICT service
providers, which will be subject to stringent Keys for the board: these are
requirements and a high level of oversight, key points that your board
for the long-term benefit of the sector. should focus on and which you can use
in an elevator pitch. Third party management
2. R
eporting of cyber incidents → The principle of proportionality
and threats, is the subject of a specific article
which entails implementing procedures of DORA: Article 4 states that
to detect, classify, manage and report the measures applicable to entities
incidents. are “proportionate to their size and
overall risk profile, and to the nature,
3. D
igital operational resilience scale and complexity of their services,
testing, activities and operations.”
at least yearly, for systems supporting
critical or important functions. These tests,
At the time this guide was drafted,
Incident categorisation
to avoid concentrations, and minimum Since, in law, a special rule prevails over
clauses be included in contracts. a general rule, AMCs must focus on applying
DORA.
5. Cybersecurity information
sharing. ■ Is all information available
To ensure the overall digital operational at this stage?
resilience of the financial sector,
DORA is scheduled to come into force on
AMCs are encouraged to share information
17 January 2025. At this stage, 10 technical
related to cybersecurity.
standards (RTS / ITS) intended to supplement
Third party management
2) Microenterprises: AMCs with fewer than 10 employees and annual revenue and/or an annual balance sheet total of not more than
€2 million will be exempt from certain DORA requirements. 3) Specific rules will prevail over general rules 16.
AFG Professional Guide – DORA Practical Guide – December 2023 3
Incident categorisation
this document.
minimise them.
Article 5 of DORA defines various obligations,
including:
We recommend that the board
▶ explicit validation of security policies, review these risks at least annually.
▶ allocation of IT risk management budgets,
▶ oversight of the IT control plan,
▶ creation of committees
and internal reporting channels.
What’s new
It is essential that your board be regularly
■ AMCs must establish: a “role to monitor
informed of the risks related to cybersecurity
Resilience testing
their arrangements concluded with ICT
and their impacts on the AMC’s activities.
third-party service providers” or “designate
a member of senior management
At least once a year, the board must as responsible for overseeing the related risk
add a presentation by the Information exposure and documentation”.
Systems Security Manager to be ■ Boards of AMCs bear the “ultimate
replaced by Chief Information Security responsibility”6 for managing IT risks
Officer (CISO) to its meeting agenda and must define the roles and
and provide for additional reporting responsibilities related to cyber resilience;
Third party management
10) Art 5.2 (h). 11) Art 5.4. 12) Opening address by Vincent Strubel at the Assises de la sécurité des systèmes d’information (information systems
security conference) in Monaco, 11 October 2023.
AFG Professional Guide – DORA Practical Guide – December 2023 5
Incident categorisation
Up to now, however, they have been must be reviewed at least once a year, and
applied in varying degrees; what is new in upon the occurrence of major IT-related
DORA is that it integrates them incidents16.
to ensure regulatory compliance.
Resilience testing
Third party management
Information sharing
13) Art 6.4. 14) Art 6.9. 15) Art 6.1. 16) A
rt 6.5.
I
6
Governance and organisation AFG Professional Guide – DORA Practical Guide – December 2023
What’s new
▶o
versight of major IT-related incidents:
volume, objective, improvement plan
and effectiveness of preventive measures;
▶ t he procedure for implementing:
□ digital operational resilience testing
Digital □ ability to react to a cyber incident
Incident categorisation
In addition, entities must develop a post-IT
2. PROTECTION AND PREVENTION incident recovery plan that is also subject to
an independent audit review and tested at
The risk management framework must be
least yearly.
proportionate to the size and risk profile of
the AMC and contain20:
▶ an information security policy covering
Challenges
the AMC’s resilience;
▶ policies, procedures and controls on
network and infrastructure management, For the risk identification component,
access, strong authentication, IT change AFG recommends that you prioritise
Resilience testing
management, and patch and update mapping of the IS.
management;
▶ awareness training and campaigns for What was simply a best practice until now
the board and employees. (analysed by AFG via questionnaires
3. DETECTION carried out between 2018 and 2022
which showed little change in IS mapping)
AMCs must have in place regularly tested is now a requirement.
mechanisms21 to promptly detect anomalous
activities22. Its existence and completeness will no doubt
Third party management
18) Art 3.6: collection of information, either tangible or intangible, that is worth protecting. 19) Art 3.7: a software or hardware asset
in the network and information systems used by the financial entity. 20) Art 9.4. 21) Art 10.1 and Art 25. 22) Art 17. 23) Art 11.7. 24) Art 11.1.
25) Art 11.7. 26) Art 14. 27) Art 11.6. 28) Art 11.4.
8
Governance and organisation AFG Professional Guide – DORA Practical Guide – December 2023
Key deliverables
RISK MANAGEMENT
FRAMEWORK
▶ Access control
▶ Authentication
▶ Detection of anomalies
Register documenting
Third-party service network and infrastructure INCIDENT MANAGEMENT
provider risk strategy: management following
a risk-based approach ▶ Detection and prevention
mechanisms
▶ Roles and responsibilities
with respect to risks
COMPREHENSIVE ▶ Response process
REGISTER OF
▶ Classification
THIRD-PARTY SERVICE
▶ Notification
Resilience testing
PROVIDERS:
▶ Critical/non-critical
distinction IT CHANGE MANAGEMENT
▶ Exit strategies,
termination ability
and alternative BUSINESS CONTINUITY POLICY
solutions including HOLISTIC MULTI-
▶ Business continuity plans
a cost analysis VENDOR STRATEGY
based on crisis scenarios,
▶ Transition plan including those of critical or
▶ Assessment of important third parties
potential conflicts of Overview ▶ Crisis communication
Third party management
TRAINING
PENETRATION TESTING
AFG Professional Guide – DORA Practical Guide – December 2023 9
Incident categorisation
procedure that includes, where applicable, and severity and to the criticality
critical and important subcontractors. of the services impacted30.
Resilience testing
each AMC will depend in particular on: of reporting content and formal templates.
▶ the company’s maturity in terms of ■ Incident classification criteria include31:
its incident management system; ▶ the impact on the operational continuity
▶ the implementation of a response plan of financial services;
(communication, risk scenario); ▶ the duration of the incident;
▶ the desired level of detail; ▶ the change and geographical distribution
▶ its ability to monitor alerts of the areas affected by the incident;
and oversee action plans; ▶ data security, particularly sensitive data;
Third party management
29) Art 17.1. 30) Art 17.3. 31) Art 17.1 (Article 18 defines incident classification criteria, which will be clarified by regulatory technical standards).
10
Governance and organisation AFG Professional Guide – DORA Practical Guide – December 2023
■M
ajor incidents must be reported AMCs must consider how
to: their communication and response
▶ the board32, including plan is organised in case of an incident.
post-incident reviews and measures
to be implemented; You should begin to think about your incident
▶ service users and clients if the incident management organisation.
may have an impact on their financial
Risk management framework
Incident categorisation
Your board’s knowledge and validation of your
AMC’s critical processes and subcontractors
are also important.
Resilience testing
Third party management
Information sharing
4. Resilience testing
and not limit itself to an individual approach security audits and business continuity tests.
focused on the service provider, the application
or the team. What’s new
There are two types of operational resilience
tests: DORA requires that operational resilience
▶ tests to assess the ability of the services and digital security tests36 follow a risk-based
(including service providers) to withstand approach.
attacks; These tests are carried out in a manner
▶ tests to assess business continuity proportionate to the size and overall risk profile
following a failure or degradation of the AMC, and the nature, scale
of the service (regardless of the cause). and complexity of its services, activities
Incident categorisation
and operations.
They must cover critical functions using
currently available tools and methods37
such as vulnerability scans, pentesting,
gap analyses, audits, end-to-end testing, etc.
The testing programme includes a range
of assessments, tests, methodologies, practices
and tools to be applied.
These tests may be carried out internally
Resilience testing
36) Article 24.1 excludes microenterprises from the required resilience testing programme. 37) Article 25.1 for a complete list. 38) Art 24.4.
AFG Professional Guide – DORA Practical Guide – December 2023 13
Incident categorisation
or are certified (e.g. PASSI or other European
certification) or adhere to codes of conduct a language that helps the board understand
and are covered by insurance39. the risk and the usefulness of the measures.
Resilience testing
functions.
AFG recommends using this threat analysis
as input for your risk mapping, cyber
resilience programme and board training.
Wherever possible, AMCs must apply are compliant, and must define a strategy
the same measures to them as they impose for managing risks related to ICT service
on themselves. providers, including a regular annual review
and taking into account the multi-vendor
The consolidation of information collected at strategy40.
the European level should help to strengthen
the stability of the European financial sector.
What’s new
Incident categorisation
country, its compliance with various laws of that subcontractor. The number of
(such as GDPR, on which DORA places subcontracting levels to be overseen will be
emphasis, bankruptcy law and data recovery clarified; be sure to define your minimum
laws)43; requirements in appropriate clauses.
▶ for third parties supporting critical or
important functions, exit strategies44 c. Review the risk of potential conflicts
that include alternative solutions of interest.
and documented transition plans.
It is important that AMCs enter into contractual
arrangements only with ICT third-party service
b. Provision of the register to
providers that comply with appropriate
the competent authorities once
Resilience testing
information security standards.
a year and prior notification to
the competent authorities of planned For service providers providing critical
contracts for ICT services supporting and important services, financial entities must,
critical or important functions . prior to concluding the arrangements,
take into consideration the use by ICT
c. A single contract that sets out the rights third-party service providers of the most up-
and obligations of the ICT third-party service to-date standards.
provider and the AMC45 and includes DORA also stipulates the conditions that may
additional clauses for ICT services supporting trigger the termination of the service.
Third party management
42) Art 28.4 and 28.5. 43) Art 29.2. 44) Art 28.8. 45) Art 30.1. 46) Art 30.3.
16
Governance and organisation AFG Professional Guide – DORA Practical Guide – December 2023
Incident categorisation
we will be even more resilient in front of new The various cybersecurity questionnaires
threats. carried out by AFG show a real improvement
in the cybersecurity maturity level
The pursuit of cyber resilience of the financial of the asset management sector and the extent
sector is a response to the rapid digital to which cyber risk is taken into account.
transformation seen in recent years.
Cybersecurity and resilience have become top The DORA Regulation supports this trend.
priorities for us. We hope that this guide will help you implement
It is also an opportunity for AMCs to create a plan that is pragmatic and proportionate to
synergies internally around the issues your AMC. With this guide, the Cybersecurity
of cybersecurity and business continuity. working group wished to provide you with
Resilience testing
an expert analysis of the asset management
sector so that you can estimate your maturity
level vis-à-vis the DORA Regulation,
take the necessary actions to ensure
your future compliance and focus on key
points that require attention.
© www.stephaniedargent.fr
For the past 60 years, AFG has brought together
asset management professionals, serving the interests
of investment industry participants and economic players.
■ It works to promote asset management and its growth.
■ It defines common positions, which it supports and defends vis-à-vis the public authorities.
■ It contributes to the emergence of solutions that benefit all participants in its ecosystem.
■ It furthers the industry’s standing in France,
Europe and beyond, in the interest of all those concerned.
■ It is invested in the future.
AFG
Investing in tomorrow together.