Katarzyna Celińska

Digital Operational Resilience Act: Latest Update on Testing Requirements

The Dutch Authority for the Financial Markets (AFM) has released its fifth update on #DORA, providing guidance for financial firms to test their digital operational resilience. 


Previous AFM Publications:

Update 1: General Overview

This edition introduced the financial sector to DORA’s objectives and outlined the key focus areas, including IT risk management, incident reporting, and operational resilience.

It emphasized the importance of harmonizing ICT risk management across the financial industry to protect against the growing cyber threat landscape.

Update 2: Third-Party Risk Management

Focused on managing the risks associated with third-party ICT providers.

This update guided firms on setting up contracts, developing exit strategies, and ensuring oversight of critical third-party providers.

Update 3: ICT Risk Management

This publication provided an in-depth look at ICT risk management frameworks, urging firms to develop structured approaches to monitor, assess, and mitigate IT risks.

It covered requirements around business continuity management (BCM), training employees in ICT security, and implementing monitoring tools to detect and address risks.

Update 4: Incident Management

Focused on the requirements for managing ICT-related incidents, including classifying and reporting significant cyber incidents.

This update stressed the importance of creating processes for detecting and managing incidents while maintaining compliance with DORA’s reporting requirements.

Update 5: Testing Requirements and Operational Resilience

Focused on the requirements for testing programs that ensure digital operational resilience.
Testing Program Implementation:

All firms must set up a risk-based testing program as part of their ICT risk management framework. This includes:

- Establishing regular tests for the resilience of ICT systems and tools.

- Ensuring the testing program is aligned with the firm’s size, risk profile, and operational complexity.

Tests:

- Vulnerability Scans: Automated tests to identify security gaps.

- Gap Analyses: Evaluation of system performance against expected outcomes.

- Physical Security Assessments: Ensuring unauthorized access to critical locations is restricted.

- Source Code Reviews: Independent assessment of code to identify potential flaws before deployment.

- Compatibility Testing: Ensuring software works across different environments.

- End-to-End Testing: Comprehensive tests covering the entire application to verify functionality in real-world scenarios.

- Penetration Testing: Simulated cyberattacks to uncover vulnerabilities.

- Advanced Threat-Led Penetration Testing (TLPT): Simulates real-life cyberattacks, providing a more detailed and intelligence-driven evaluation of the firm’s resilience.


