RTS ICT Risk Management T. II Ch. IV Art. 25, 2

1. Overview

2. Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity’s critical or important functions. That testing shall:

  • (a) be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios;
    • For the purposes of point (a), financial entities shall always include in the testing the scenarios considered for the development of the business continuity plans.
  • (b) contain the testing of ICT services provided by ICT third-party service providers, where applicable;
    • For the purposes of point (b), financial entities shall duly consider scenarios linked to insolvency or failures of the ICT third-party service providers or linked to political risks in the ICT third-party service providers’ jurisdictions, where relevant.
  • (c) for financial entities, other than microenterprises, as referred to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain scenarios of switchover from primary ICT infrastructure to the redundant capacity, backups and redundant facilities;
    • For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored.
  • (d) be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans;
  • (e) contain procedures to verify the ability of the financial entities’ staff, of ICT third-party service providers, of ICT systems, and ICT services to respond adequately to the scenarios duly taken into account in accordance with Article 26(2).

2. Identified Requirements

3. Related Standards

NOREA Business Continuity Policy

Establish an ICT business continuity policy that enables the continuity of critical or important functions, ensures rapid response to incidents, facilitates the resumption of activities, deployment of containment measures, activation and deactivation of response and recovery procedures, estimation of impact, damage, and losses, and provides clear communication to relevant stakeholders. Regularly review the business continuity policy and make necessary adjustments to enhance effectiveness.

Refer to Articles 24.2-4 of the RTS RM for specific requirements for Central counterparties, Trading venues, and Central securities depositories.

NOREA Crisis Management

Formulate and maintain a crisis management team tasked with overseeing and coordinating actions during a crisis or major disruption. Regularly review recovery/response plans and make necessary adjustments to enhance effectiveness.

NOREA Record Keeping

Keep detailed records of activities conducted before, during, and after disruptions, including actions taken and outcomes. Maintain an estimation of aggregated annual costs and losses resulting from major disruptions. This information shall be reported to the regulator upon request.

NOREA Business Impact Analysis

Perform a comprehensive Business Impact Analysis (BIA) of exposures to severe business disruptions. The BIA should be done by means of quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate. The BIA shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. Financial entities shall ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components.

NOREA Response and Recovery

Establish comprehensive response and recovery plans encompassing short-term and long-term recovery options. These plans must thoroughly identify potential scenarios and shall duly take into account scenarios of cyber-attacks, switchovers, degradation of critical function provision, premises failure, breakdowns in ICT assets or communication infrastructure, staff unavailability, natural disasters and the impact of climate change, pandemic situations, physical attacks, insider threats, political or social instability, and power outages. Additionally, these plans must incorporate alternative options in cases where primary recovery measures are impractical in the short term due to factors such as cost, risks, logistics, or unforeseen circumstances. Incorporate potential failures of key ICT third-party service providers into the plans.

NOREA Testing and Assessment

Regularly test ICT business continuity, response, and recovery plans, particularly in collaboration with third-party service providers supporting critical or important functions. Testing should take into account the financial entity’s BIA and the ICT risk assessment, and should occur on a yearly basis and whenever there are significant changes to systems supporting critical or important functions.
Tests must be based on realistic scenarios and encompass scenarios such as cyber-attacks, insolvency or failure of the third party, backup restores, and switchover between primary and redundant processing sites.
The testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning (of the business process) may be restored. Conduct testing of crisis communication plans to ensure effective communication strategies during a crisis or major disruption. Document test results and report any deficiencies identified by the tests to the management body.

Refer to Articles 24.2-3 of the RTS RM for the specific requirements for Central counterparties and Central securities depositories.