Become DORA ready with applications on ServiceNow

The Digital Operational Resilience Act (DORA) will be applicable for financial institution starting 2025. There are less than half a year to make sure you establish you organisation, processes, tools and data, that comply with the requirements for “strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption”, as stated by European Insurance and Occupational Pensions Authority.

The risks within the Information and communications technology (ICT) can lead to disruptions of financial services offered across borders. Disruptions such as CrowdStrike, that caused global impact across all industries, can have a significant impact on business and operations. Other examples of risks are DDoS attacks, Malware attacks including ransomware, Hardware or software vulnerabilities, Third-party or supply chain attacks, Data manipulation attacks, Cloud service outages, Human errors or insider threats.

Becoming compliant to the DORA requirements makes your organisation resilient and more trustful in such situations. How to become compliant within few month if you not started this journey yet?

Note: In the following article, I will outline the technical part of the DORA implementation, ignoring the important parts like actual DORA consultancy, vendor risk management, governance and organisational change. You cannot actually consider one without other, but it will blow up the article.

Define a vision of the DORA program

The programs driven by regulations are not really exciting as you normally start late and will need to achieve fast results while other business critical initiatives are still running. People do not really understand why they need to switch the focus. And it is a role of upper management to explain the need and get everyone in the same board.

A vision and a hero statement can help achieving that. Because the journey towards DORA readiness is not just about compliance. It helps you establishing excellence in digital operations. The main goal of DORA is to creating a secure, resilient, and trustworthy environment and increase the confidence of the stakeholders.

The vision can be something like

Empowering Resilience and Trust through Digital Operational Excellence.

Supported by a hero statement that outlines the importance and the expected outcomes;

Our mission is to establish a robust and resilient digital ecosystem that not only meets but exceeds the standards set by the Digital Operational Resilience Act (DORA). We envision a future where our organisation stands as a beacon of digital reliability and trust, ensuring seamless continuity of services even in the face of the most challenging cyber threats and operational disruptions.

Understand the gap

DORA covers ICT-related processes and procedures incl. risk management, third-party risk management, digital operational resilience testing, incidents, information sharing, oversight of critical 3rd party providers.

You probably already have a solid foundation. But there can be a gap in transparency, speed of data gathering and impact analysis, process of communication and up-to-date playbooks and recovery procedures.

So, first step is to understand what is actually required, where you are and what is the difference to be closed. There are plenty of Self-Assessments and Checklists available. A short version is below just to help overseeing the scope.

As a result of the analysis you will become actionable activities and challenges. We use them in the next steps to decompose and build a strategic roadmap for the implementation.

Build a strategic roadmap towards DORA compliance with Key ServiceNow capabilities

ServiceNow provides an integrated platform that helps companies automate their IT processes while ensuring they comply with the regulatory requirements of DORA. There are three major pillars that support you addressing the strategic alignment with DORA compliance.

• Integrated Risk Management (IRM) provides risk management and governance so your organisation can identify and mitigate operational risks continuously and with a high level of automation.
• IT Service Management (ITSM) provides the (major) incident and problem management for your service and operation teams that need to identify and resolve issues quickly, and, even, proactively.
• Capabilities within Security Operations (SecOps) enables an automated security incident detection and management.

Beside those, there are underlying capabilities of the NOW platform that interact with all applications, e.g. a healthy and service-oriented CMDB, communication and self-service tools, automations and integrations etc.

But what capabilities are right for the identified gaps and challenges and how to break down the applications into the specific features that need to be implemented?

Deep Dive Handling of ICT Incidents

So, let’s take a closer look on how the ICT incident handling should be done in concrete terms. Financial companies record all ICT-related incidents and significant cyber threats. They set up appropriate procedures and processes to ensure coherent and integrated monitoring, treatment and follow-up of ICT incidents. They should also ensure that the causes are identified, documented and addressed in order to prevent the recurrence of such incidents.

In ServiceNow, you would do it with Incident Management and an integrated, well-defined CMDB. Automated incident detection, but also pro-active issue detection are supported by ServiceNow ITOM Event Management and AIOps.

The handling procedure is as follows:

• Set up early warning indicators incl. KPIs, capacity measures and known vulnerabilities;
• Introduce procedures for identifying, tracking, logging and categorising ICT incidents incl. an integration of Event and Alert Management. The classification is based on their priority and severity as well as the criticality of the services affected (the Service Mapping helps tremendously);
• Assign roles and responsibilities;
• Set up communication plans for all stakeholders: employees, external interest groups and media, customers, providing information to financial institutions acting as counterparties where appropriate, e.g. through introduction of ServiceNow Major Incident Management (MIM) and Communication Plans;
• Set up procedures to respond to ICT-related incidents to mitigate the impact and ensure that services are operational and secure again in a timely manner. The Service Level Definitions, notifications but also ServiceNow Playbooks help to communicate fast and resolve efficiently.

Financial entities are required to report major ICT incidents to the relevant competent authority. If a financial entity is supervised by more than one national authority, Member States shall designate a single competent authority. The national authority shall forward the report to the ECB without delay.

There are templates for the submission of reports. Member States may also stipulate that some or all financial institutions must also submit the reports to the competent authorities or the Computer Security Incident Response Teams (CSIRTs) on the basis of the templates provided.

When a serious ICT-related incident occurs that affects the financial interests of customers, financial entities shall promptly inform their customers about the incident and the measures taken. In the case of a significant cyber threat, financial entities shall inform their potentially affected customers about appropriate protective measures, where appropriate.

The competent authority receives

• an initial report,
• an interim report once significant changes have occurred,
• a final report once the causes have been analyzed.

Financial entities may outsource the reporting obligations to an external service provider. In the event of such outsourcing, the financial institution remains fully responsible for fulfilling the incident reporting obligations.

After receiving the first reports, the competent authority shall communicate details of the serious ICT-related incident to the following recipients in a timely manner, within the scope of their respective competences:

• EBA, ESMA or EIOPA,
• the ECB,
• the competent authorities, points of single contact or CSIRTs under Directive (EU) 2022/2555,
• the resolution authorities, where such information concerns incidents that pose a risk to the provision of critical functions,
• other relevant public authorities under national law.

The EBA, ESMA or EIOPA and the ECB shall, in consultation with ENISA and in cooperation with the relevant competent authority, assess whether the serious ICT-related incident is relevant for the competent authorities in other Member States and inform the relevant competent authorities accordingly.

The notification to be made by ESMA shall be without prejudice to the responsibility of the competent authority to communicate the details of the serious ICT-related incident to the competent authority of the host Member State without delay.

The automated report preparation incl. gathering the required data is not available in ServiceNow out of the box, however, can be created as a Scoped Application.

We support you in making you organisation DORA ready by using the ServiceNow capabilities and custom solutions and AI.

Kostya Bazanov, Managing Director, Oct 21, 2024

Eager to take the next step? Contact us today!

Privacy policy (GDPR)

* Required fields

Submit