DORA major incident report: Key lessons for financial entities
The first DORA major incident report from the European Supervisory Authorities (EBA, EIOPA and ESMA) provides critical insight into ICT-related incidents affecting financial entities. Understanding these incidents is essential for firms strengthening their compliance with DORA.
Financial entities and ICT third-party providers across the EU, and those doing business within the EU, have been under increased pressure for at least the last three years to comply with the Digital Operational Resilience Act (DORA). The first DORA ICT-related major incident report has now been published and provides valuable insights into the root causes of incidents and where firms should take pre-emptive action.
Overview of ESA DORA major incident report
The European Supervisory Authorities comprise the EBA, EIOPA and ESMA. Under DORA they are required to publish, at least annually, their assessment of major ICT-related incidents. The purpose of their report is to share that knowledge to improve resilience and encourage better cyber security controls.
If you would like to read it, you can find it here: DORA major incident report.
Executive summary
- This first DORA major incident report highlights the primary drivers as system failures (51%) and third-party risk (27%)
- Only 10% of incidents were cyber-security related; fewer than 40 firms suffered a ransomware-related incident
- Firms should pre-emptively:
  - Review systems asset management and the refresh cycle
  - Review ICT third-party management
  - Review major incident reporting thresholds
  - Expand the audit schedule to include both asset and third-party management
  - Conduct a crisis management exercise
  - Carry out a purple team penetration test (see below for more details)
Key findings from ICT incidents
The report stresses that even though the number of incidents is higher than most might expect, it 'should not be interpreted as a sign of structural weakness'. In our opinion it is impressive that the vast majority of EU citizens were unaffected. That is testament to the detection, response and remediation activities taken by the firms affected.
The report highlights two areas that drive the majority of incidents – system failures (51%) and external events (27%).
For system failures it is possible to design systems to be fault tolerant; however, firms appear to be prioritising rapid recovery over redundancy. This demonstrates that there is a balance to be struck between the risk of unavailability, system complexity, cost, impact and speed of recovery. Incident reporting thresholds should be reviewed to ensure they are set correctly, to avoid both over- and under-reporting.
Firms may have the balance right but may be over-reporting major incidents.
Almost one-third of all incidents were attributed to third-party ICT providers. This reflects the increased reliance on outsourcing that has occurred in financial services and still continues. It also reinforces the point that ICT third-party providers need to be effectively managed and monitored.
10 Key observations from DORA major incident report
- January had about half the number of incidents of the average month
- There was a noticeable uptick in incidents in three months in the first half of the year
- The baseline average for the number of major incidents per month is 282
- Credit institutions were by far the biggest contributor to the incidents
- The majority of incidents were classified as "service downtime" or "non-monetary"
- Two-thirds of incidents were "Domestic", with a third having "Cross-border impact"
- System failures are the primary contributor to major incidents, followed by external events
- Only 10% of incidents were cyber-security related
- The cyber security incidents were mainly distributed denial of service and data exfiltration & identity theft
- There were just under 40 ransomware incidents reported throughout the year
What the European Supervisory Authorities can do to improve
The report highlighted that the majority of the incidents did not affect a large number of customers or a large number of payments. This may point to the need to improve reporting, to refine the classification of 'major incidents', or both. This would reduce the burden on financial entities and the ESAs themselves by focusing on the incidents that really matter.
Based on the report, the number of ransomware incidents reported is estimated at between 35 and 38. It is not clear whether these relate to a single machine being impacted or to a more comprehensive level of intrusion into financial networks. While the number of financial entities in the EU is large, the number of ransomware-related incidents appears bigger than we would expect and may warrant a deeper review. We suspect the ESAs will follow up on these ransomware reports to understand just how close these entities came to a full-blown ransomware shutdown.
For us, and probably for the ESAs, the incidents that require the most attention are those affecting the most clients or the most transactions. It is important that they take a deeper look at these, as they truly are 'major incidents' in the real sense of the words. Hopefully more analysis will be shared about these.
6 Actions firms should take now
This report from the ESAs is the first of its kind and represents a major step-up in terms of maturity. Only when you measure your performance can you take steps to improve it over time. Financial entities should take this report and be proactive about the steps they can take to improve further:
Operational resilience
- Ensure you have a full inventory of systems, their vendor support status (e.g. out of support or legacy), their age, their maintenance schedule and, where appropriate, the alternate system and the method of switching over to it. Review how old your systems are and look to replace older systems more quickly.
ICT Risk management and reporting
- Review ICT risk management frameworks, especially around ICT third-party suppliers, as one-third of incidents involve them.
- Review ICT-related major incident reporting and ensure the classification of a major incident is correct. This is to reduce the number of non-major incidents being incorrectly reported.
Audit and assurance
- Add the following audits to the audit schedule:
  - IT asset management for servers and mainframes
  - ICT third-party management
- Conduct a crisis management team exercise covering a ransomware attack, a critical systems failure, or both
- Undertake a purple team penetration test exercise to enable your defenders to refine their detection and response. A purple team penetration test combines a red (attack) team and a blue (defender) team, allowing them to work together and share knowledge and skills.
We help firms improve operational resilience, ICT risk management and support internal audit teams. Please get in touch to discuss your approach.
About IT Security Locksmith
We are a specialist UK consultancy that aims to help small, medium and large firms. If you need assistance on any of these or similar subjects, please get in touch.