On Apr. 14, NLD AFM discussed cyber risks and digital resilience.
NLD AFM article on digital resilience emphasized that cybersecurity and ransomware risks must be considered across a whole organization, not just by security experts.
Follows NLD AFM Dec. 2023 recommendations re cyber attacks, see #157958.
Overview
According to Global Security Outlook Report 2023, 43% of CEOs said they expected their organization to be affected by a cyberattack within the next two years.
Digitization, geopolitical tension, and the rise of cybercrime as a service have made this type of crime more accessible, as have hacking packages for sale on the dark web.
Cyber must be higher on the agendas of governments, industry, public services and organizations.
For the financial sector, EU is replacing/improving cyber rules via DORA, see #137568.
Interconnectivity across the financial sector means problems within one organization can spread to others, so boards/managers can no longer ignore cyber risks.
Jul. 2023 Update
On Jul. 20, 2023, NLD AFM explained the substantive aspects of EU DORA rules.
Publication allows companies to see where they stand in field of cyber security and what steps they still need to take to comply with DORA (effective since Jan. 2023).
It is recommended that companies start preparing for DORA as early as possible.
Shows what companies can start working on while awaiting elaboration of further regs.
From Jan. 2025, companies in scope of regulation must comply with the regulations.
Highlights 5 points: ICT risk management, ICT-related incidents, testing digital operational resilience, management of ICT risk from third-party providers, governance.
Explained companies have until Jan. 2025 to comply with the regulations; DORA will then officially apply, and NLD AFM and NLD DNB will supervise its application.
DORA-related requirements from existing laws, regs already apply to some companies.
Dec. 2023 Update
On Dec. 1, 2023, NLD AFM issued 2nd publication covering DORA substantive aspects.
This edition discusses managing ICT risks from third-party providers so companies can analyze where they stand and what steps they may still need to take to comply.
To be resilient to cyber threats and ICT disruptions throughout the chain, it's important to pay attention to risks of purchasing ICT services from third-party providers.
So companies must pay explicit attention to IT risks arising from using those services.
DORA expects companies to develop a strategy for managing these so-called third-party risks, whereby the risks of outsourcing critical services are regularly reviewed.
Also prescribes which elements firms must include in contractual agreements with third-party providers; the issued article gives more detail on these elements and on how to make such agreements DORA-proof.
Mar. 29, 2024 Risk Management
On Mar. 29, 2024, NLD AFM issued Getting started with DORA: ICT risk management.
Publication 3 in the series explains how focus on ICT risk management can help organizations gain a clear picture of their ICT vulnerabilities, to minimize their impacts.
They can do so by analyzing current position/steps needed to comply with regulation.
Examines DORA articles and further topics in a regulatory technical standard (RTS).
Document dated Mar. 29, 2024, received from NLD AFM Apr. 9, summarized Apr. 12.
In Jun. 2024 NLD AFM issued 4th DORA update on ICT-related incidents, see #217474.
Sep. 2024 Testing Digital Operational Resilience
On Sep. 23, 2024, NLD AFM published the fifth DORA update explaining the substantive aspects of DORA, this time outlining how to test digital operational resilience.
This update takes a closer look at the test program that companies need to set up.
The testing program shall include the tests, practices, methodologies and tools that are regularly carried out to assess the ICT systems, tools and processes.
A number of companies will be designated to perform an advanced test by means of a threat-led penetration test (TLPT); this update discusses designating and implementing TLPT.
Companies have until Jan. 2025 to comply with the regulations, after which DORA will officially apply and NLD AFM and NLD DNB will supervise its application.
Some companies already subject to DORA-related requirements from existing laws.