+RTS ICT Risk Management T. II Ch. IV Art. 25 , 1
1. Overview
1. When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity’s business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source | Requirement |
| --- | --- |
3. Related Standards
Standards
| Source | Requirement |
| --- | --- |
| NOREA | Business Continuity Policy: Establish an ICT business continuity policy that enables the continuity of critical or important functions, ensures rapid response to incidents, facilitates the resumption of activities, the deployment of containment measures, the activation and deactivation of response and recovery procedures, and the estimation of impact, damage and losses, and provides clear communication to relevant stakeholders. Regularly review the business continuity policy and make the adjustments necessary to enhance its effectiveness. Refer to Articles 24.2-4 of the RTS RM for the specific requirements for central counterparties, trading venues, and central securities depositories. |
| NOREA | Crisis Management: Establish and maintain a crisis management team tasked with overseeing and coordinating actions during a crisis or major disruption. Regularly review the recovery and response plans and make the adjustments necessary to enhance their effectiveness. |
| NOREA | Record Keeping: Keep detailed records of activities conducted before, during, and after disruptions, including the actions taken and their outcomes. Maintain an estimate of the aggregated annual costs and losses resulting from major disruptions. This information shall be reported to the regulator upon request. |
| NOREA | Business Impact Analysis: Perform a comprehensive Business Impact Analysis (BIA) of exposures to severe business disruptions. The BIA should apply quantitative and qualitative criteria, using internal and external data and scenario analysis as appropriate. The BIA shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. Financial entities shall ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components. |
| NOREA | Response and Recovery: Establish comprehensive response and recovery plans encompassing short-term and long-term recovery options. These plans must thoroughly identify potential scenarios and shall duly take into account scenarios of cyber-attacks, switchovers, degradation of critical function provision, premises failure, breakdowns in ICT assets or communication infrastructure, staff unavailability, natural disasters and the impact of climate change, pandemic situations, physical attacks, insider threats, political or social instability, and power outages. Additionally, these plans must incorporate alternative options for cases where primary recovery measures are impractical in the short term due to factors such as cost, risks, logistics, or unforeseen circumstances. Incorporate the potential failure of key ICT third-party service providers into the plans. |
| NOREA | Testing and Assessment: Regularly test ICT business continuity, response, and recovery plans, in particular in collaboration with third-party service providers supporting critical or important functions. Testing shall take into account the financial entity’s BIA and the ICT risk assessment, and shall occur on a yearly basis and whenever there are significant changes to systems supporting critical or important functions. Tests must be based on realistic scenarios and encompass scenarios such as cyber-attacks, insolvency or failure of the third party, backup restores, and switchover between primary and redundant processing sites. The testing shall verify whether at least the critical or important functions can be operated appropriately for a sufficient period of time and whether the normal functioning of the business process can be restored. Test crisis communication plans to ensure effective communication during a crisis or major disruption. Document the test results and report any deficiencies identified by the tests to the management body. Refer to Articles 24.2-3 of the RTS RM for the specific requirements for central counterparties and central securities depositories. |