
Overview of DORA incident response and reporting requirements following recent global IT incidents


A well-publicised IT incident made significant waves across the world, leading to various system outages that impacted a range of companies. The incident affected businesses of all sizes, across all industries. But for the financial sector, the timing could not have been more apt as regulated firms are well underway with their preparations for the Digital Operational Resilience Act (DORA), an EU regulation that focuses on enhancing operational resilience across the financial ecosystem and ensuring that firms are able to prepare for, withstand and recover from ICT incidents.

For those preparing for DORA, we have prepared a flow chart outlining the key regulatory obligations that a financial entity will need to bear in mind in the event of being impacted by a similar major outage in future.

Background

In July 2024, an IT incident caused by a faulty software update in a vulnerability scanner caused millions of systems running Microsoft Windows to crash. It has been widely reported as one of the most notable incidents in recent history.

Relevance to financial services firms subject to DORA

Firms that fall within the scope of DORA are required to be DORA-compliant by 17 January 2025 – a deadline which is proving challenging given the substantial work involved in implementing the technical and governance changes required and reviewing contractual relationships with IT vendors.

The dust has settled since the recent IT incident, but for those involved in DORA preparations, it has brought into even sharper focus:

  • the potential for a small glitch in the supply chain to cause major problems for critical systems;
  • the need for robust and well-tested business continuity and disaster recovery plans that can be implemented at pace;
  • that contractual protection in a vendor contract goes well beyond the liability and indemnity clauses (the latter are, in any event, often defeated by exclusions and force majeure clauses in the context of global incidents);
  • the importance of cyber insurance (and checking the small print); and
  • the need for an incident response plan that ensures the firm can assess and respond to incidents (i) within regulatory timeframes (including under DORA and data protection rules, among others), (ii) in accordance with obligations in customer contracts, and (iii) in a manner that protects its commercial and reputational interests as far as possible.


Overview of DORA incident response and reporting requirements

Next steps

If you are interested in further exploring incident management, the impact of DORA or anything else relating to digital operational resilience, we would be delighted to hear from you.

Authored by Sarah Wrage, Max von Cube, Louise Crawford, and James Sharp.
