Your organisation will probably succumb to a cyber-attack in the coming years. Clients, investors and other counterparts will expect to be protected, and you will want to mitigate business losses while keeping onside with regulators. Then there is DORA, which financial services businesses will need to implement by early next year. Astrid Wagner, a partner in Arendt & Medernach’s IP, Communication & Technology practice area, charted a way forward.
Broad understanding required
“The board has the duty to oversee the management of the cybersecurity and broader data security risks within their organisation,” she said. “This includes active management and board engagement, which means understanding the organisation’s cyber risk profile, identifying critical systems and data, and knowing where that data is held, and then making adequate security choices.”
Not every board member needs deep technological knowledge, but each should have sufficient understanding to enable them to challenge and inform management decisions. “Cyber security should be an item on the board agenda at least once a year, featuring reporting and recommendations from the Chief Information Security Officer as well as outside technical and legal experts,” said Ms Wagner. Once goals are set, sufficient budget must be allocated, staff trained, and activity reported on.
Responding to evolving threats
Threats evolve constantly. For example, Luxembourg’s fund sector is reliant on networks of third-party service providers, and vulnerabilities to phishing attacks continue to rise. Organised criminals are increasingly sophisticated in how they mimic the identities of external partners, leading to security breaches which can give access to data systems and instigate fraudulent payments. “Before working with a third party, thorough ICT security due diligence is required,” Ms Wagner recommended. “Boards should be as strict in this area as they are with AML/KYC.”
As well as directors requiring training and advice, organisations must have tested plans for ICT related incidents. Boards and management might need to convene at short notice to take decisions about how to react to data breaches, particularly regarding communication with clients, partners, regulators, and the media. Strategy will need to be set for how business activity will be restored as soon as possible.
DORA for the financial sector
Regulatory requirements are being stepped up with the advent of the EU’s Digital Operational Resilience Act (DORA), which will apply from 17th January next year. This regulation builds on GDPR, which by design “lacks precision when it comes to data security,” said Ms Wagner. It also goes beyond CSSF Circular 22/806, which only applies to outsourcing as regards ICT. “Current rules only require businesses to have appropriate technical and organisational measures that protect personal data according to their risk. But there are no clear guidelines on what those organisational and technical measures should be.”
DORA changes this for the financial sector. It sets out with precision what financial businesses and their decision makers must do to achieve high levels of ICT security and resilience. Ms Wagner highlighted the regulation’s five pillars: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; management of ICT third-party risk; and an optional pillar featuring information-sharing arrangements. Once the accompanying sanctions regime is set out in Luxembourg law, boards and individual directors could face sanctions if they are responsible for a lack of compliance.
Boards held responsible
Members of the management body of financial entities will be required to have sufficient up-to-date knowledge to understand and assess ICT risk and potential impacts on business operations. “Directors will not be able to say: ‘this is in the hands of our IT team’ nor can boards only have one member who takes care of these questions,” she said.
DORA will also require senior ICT staff to report at least yearly to management on the findings of digital operational resilience testing, featuring recommendations for potential upgrades. Feedback will also need to be provided on at least all major ICT-related incidents, explaining the impact, the response and any additional controls which may be required. Management will need to review risks related to contractual arrangements with third parties, including taking account of sub-contracting relationships.
For “essential” and “important” non-financial companies, there is the second Network and Information Security Directive (NIS 2), which came into force at the start of last year. This requires that senior decision makers approve the cybersecurity risk-management measures taken by those entities and oversee their implementation, with them being liable for infringements. “Again, ensuring that management and staff are informed and well trained will be required to enable risks to be identified and cybersecurity risk-management practices implemented,” said Ms Wagner.