Organisations that handle financial data have various regulatory requirements to adhere to in the event of any ICT-related incidents. We look at the legislative and regulatory landscape covering how such incidents must be reported and managed in the EU and UK.
DORA
The EU's Digital Operational Resilience Act (DORA) came into force on 16 January 2023 and financial entities and ICT service providers that are in scope have two years to implement it where it applies to them. The UK government has also been making noises that it will implement similar legislation (see our article on this here).
DORA (as its full name suggests) aims to strengthen the operational resilience of the financial sector. In terms of ICT-related incident management, DORA requires financial entities to have in place an ICT-related incident management process to detect, manage and notify ICT-related incidents. Financial entities will need to record all ICT-related incidents and significant cyber threats. They will also need to establish incident response plans and procedures to minimise the impact of the incident and take any risk mitigating measures, as well as reviewing how or why the incident happened so that preventative measures can be identified and implemented to make sure it does not happen again.
The definition of ICT-related incident in DORA is unsurprisingly wide and covers a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity. However, financial entities should also have DORA's overarching principle of proportionality in mind when considering their approach to the reporting and management requirements, with factors such as the nature of their business, risk profile and size having a bearing on how they should shape their compliance programme.
DORA requires that financial entities implement an incident classification system based on criteria such as number of clients or transactions impacted by the ICT-related incidents, the duration (including the service downtime), the geographical spread of the incident, the data losses involved, the criticality of the services affected and the economic impact.
In terms of reporting ICT-related incidents, DORA requires that major ICT-related incidents are reported to the relevant competent authority (this will depend on the type of financial entity and the relevant authority is set out in Article 46 of DORA, e.g. credit institutions will report to the European Central Bank). Financial entities should first file an initial notification with the relevant competent authority; then an intermediate report once the status of the incident or the handling of the incident has changed; and a final report, once the financial entity has analysed the cause of the incident and has impact figures that can replace any estimates given in the previous reports. All notifications/reports should be made within the timeframes given by the European Supervisory Authorities (ESAs), using any templates that they develop and must include enough information to enable the relevant competent authority to determine how significant the incident is and whether there will be any cross-border impact.
There is currently no minimum threshold explicitly given under DORA for reporting ICT-related incidents. The ESAs, in consultation with other bodies, are currently developing guidance on materiality thresholds and creating template forms for reporting. The ESAs are also considering a centralised reporting system through an EU hub, which would hopefully streamline the reporting process for financial entities.
Financial entities may also need to report a major ICT-related incident to their clients without undue delay after becoming aware of it if it looks like the incident will have an impact on the client's financial interests. They should also inform their clients about the mitigating measures that they are taking to reduce the impact of the incident. Financial entities may also, on a voluntary basis, notify significant cyber threats (meaning threats that could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident) to the relevant competent authority if they deem the threat to be of relevance to the financial system, service users or clients, and should notify clients that might be affected by the cyber threat of any protective measures the client should take. Read more about DORA here.
Data protection laws
If the financial data involved in any ICT-related incident contains personal data, or in the event of any other data breach involving such data, various data protection laws (for example, the UK GDPR and Data Protection Act 2018 in the UK, and the GDPR and local laws across the EU) also contain rules on reporting and managing such incidents. The reporting requirements under the data protection laws are triggered if the incident is likely to cause risk to the individuals whose personal data is involved in the incident. If there is a risk, then organisations must report the incident to the relevant regulator within 72 hours of becoming aware of the incident. Organisations must also report incidents to the impacted individuals if the incident is likely to cause a high risk to them. It will be interesting to see where the ESAs land on the timeframes for reporting ICT-related incidents under DORA and whether it will be a similar timeframe to that under the data protection laws, or whether there will be condensed reporting timelines given the importance of financial data.
To determine whether there is a likelihood of risk for individuals, organisations must consider factors such as the type of data involved and the duration of the incident. For example, a hostile third party accessing customer account data of a bank will have more of an impact on individuals than a B2B mailing list of a newspaper being accidentally sent to the wrong person. The number of individuals whose personal data is involved in the incident is also a factor to consider, as the European Data Protection Board Guidelines 9/2022 on personal data breach notification state that, generally, the higher the number of individuals involved, the greater the risk.
In a similar way as under DORA, EU and UK data protection laws contain requirements to keep personal data secure, and organisations will need to have technical and organisational measures in place to comply. Organisations must also review any incidents that occur, taking steps to mitigate the risk caused by the breach and implementing measures to ensure any incident does not happen again.
NIS2 considerations
Essential and important entities (which includes some financial service institutions) must notify the relevant competent authority within 24 hours of becoming aware of any incident that has a significant impact on the provision of its services under the new Network and Information Systems Directive (NIS2). As the UK is no longer in the EU, NIS2 will not apply in the UK but the UK government is in the process of updating the UK's Network and Information Systems Regulations (2018) so we wait to see whether it implements similar reporting provisions to those under NIS2. NIS2 overlaps with DORA in many ways but given the specialised nature of DORA, in the event of conflict between DORA and NIS2, DORA prevails.
Making sense of it all
The various reporting and management obligations for ICT-related incidents involving financial data in the UK and EU mean that financial entities will need to have thorough breach management and response policies and procedures in place to comply with the range of regulatory requirements. Financial entities will also need to ensure that they appropriately flow down certain requirements to any third parties handling their financial data on their behalf, such as key IT service providers, to ensure they can meet their compliance obligations, particularly around reporting ICT-related incidents.
Systems, internal policies and training need to be put in place and regularly reviewed to ensure that financial organisations can comply with their obligations in the event of an ICT-related incident or other data breach. While it may not be possible to avoid these altogether, prevention is better than cure so it is essential to understand the overlapping requirements and implement the appropriate technical and organisational methods.