Cyber Threat Classification Criteria and Information Exchange
1. Overview
Classify significant cyber threats. A threat is significant when it is likely to materialise, when it would meet any of the criteria of a 'major incident' if it did materialise, and when it could affect, or could have affected, critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts.
Cyber threat information and intelligence may be exchanged with other financial entities, provided that the sharing enhances digital operational resilience. Such an exchange should cover indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools. It must take place within trusted communities and be governed by information-sharing arrangements that protect the potentially sensitive nature of the information shared, safeguard business confidentiality and personal data, and respect competition law. These arrangements define the conditions for participation, set out where appropriate how public authorities and ICT third-party service providers may be involved, and specify operational elements, including the use of dedicated IT platforms. Notify the competent authority when membership of such an arrangement is validated and, as applicable, when it ceases.
1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |

| DORA | DORA Ch. III Art. 18 1. |
1. Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:
- (a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
- (b) the duration of the ICT-related incident, including the service downtime;
- (c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
- (d) the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
- (e) the criticality of the services affected, including the financial entity’s transactions and operations;
- (f) the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.

| DORA | DORA Ch. III Art. 18 2. |
2. Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.

| DORA | DORA Ch. VI Art. 45 1. |
1. Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing:
- (a) aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages;
- (b) takes place within trusted communities of financial entities;
- (c) is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data in accordance with Regulation (EU) 2016/679 and guidelines on competition policy.

| DORA | DORA Ch. VI Art. 45 2. |
2. For the purpose of paragraph 1, point (c), the information-sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which they may be associated to the information-sharing arrangements, on the involvement of ICT third-party service providers, and on operational elements, including the use of dedicated IT platforms.

| DORA | DORA Ch. VI Art. 45 3. |
3. Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once it takes effect.