RTS ICT Risk Management T. II Ch. IV Art. 24 , 3
1. Overview
3. In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy:
- (a) takes into account any links and interdependencies to users, critical utilities and critical service providers, other central securities depositories and other market infrastructures;
- (b) requires its ICT business continuity arrangements to ensure that the recovery time objective for their critical or important functions shall not be longer than 2 hours.
2. Identified Requirements

Requirements

| Source | Requirement |
|---|---|
3. Related Standards

Standards

| Source | Requirement |
|---|---|
| NOREA | Business Continuity Policy: Establish an ICT business continuity policy that enables the continuity of critical or important functions, ensures rapid response to incidents, facilitates the resumption of activities, deployment of containment measures, activation and deactivation of response and recovery procedures, estimation of impact, damage, and losses, and provides clear communication to relevant stakeholders. Regularly review the business continuity policy and make necessary adjustments to enhance effectiveness. Refer to Articles 24.2-4 of the RTS RM for specific requirements for Central counterparties, Trading venues, and Central securities depositories. |
| NOREA | Crisis Management: Formulate and maintain a crisis management team tasked with overseeing and coordinating actions during a crisis or major disruption. Regularly review recovery/response plans and make necessary adjustments to enhance effectiveness. |
| NOREA | Record Keeping: Keep detailed records of activities conducted before, during, and after disruptions, including actions taken and outcomes. Maintain an estimation of aggregated annual costs and losses resulting from major disruptions. This information shall be reported to the regulator upon request. |
| NOREA | Business Impact Analysis: Perform a comprehensive Business Impact Analysis (BIA) of exposures to severe business disruptions. The BIA should be done by means of quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate. The BIA shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. Financial entities shall ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components. |
| NOREA | Response and Recovery: Establish comprehensive response and recovery plans encompassing short-term and long-term recovery options. These plans must thoroughly identify potential scenarios and shall duly take into account scenarios of cyber-attacks, switchovers, degradation of critical function provision, premises failure, breakdowns in ICT assets or communication infrastructure, staff unavailability, natural disasters and the impact of climate change, pandemic situations, physical attacks, insider threats, political or social instability, and power outages. Additionally, these plans must incorporate alternative options in cases where primary recovery measures are impractical in the short term due to factors such as cost, risks, logistics, or unforeseen circumstances. Address potential failures of key ICT third-party service providers in the plans. |
| NOREA | Testing and Assessment: Regularly test ICT business continuity, response, and recovery plans, particularly in collaboration with third-party service providers supporting critical or important functions. Testing should take into account the financial entity's BIA and the ICT risk assessment and occur on a yearly basis and whenever there are significant changes to systems supporting critical or important functions. Tests must be based on realistic scenarios and encompass scenarios such as cyber-attacks, insolvency or failure of the third party, backup restores, and switchover between primary and redundant processing sites. The testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time and whether the normal functioning of the business process can be restored. Conduct testing of crisis communication plans to ensure effective communication strategies during a crisis or major disruption. Document test results and report any identified deficiencies resulting from the tests to the management body. Refer to Articles 24.2-3 of the RTS RM for the specific requirements for Central counterparties and Central securities depositories. |