Article 17

ICT-related incident management process


TL;DR The Digital Operational Resilience Act (DORA) of the EU requires financial entities to define an ICT-related incident management process that includes early warning indicators; procedures for identifying, tracking, logging, categorising and classifying ICT-related incidents; assigned roles and responsibilities for different incident types and scenarios; plans for communication and notification; and ICT-related incident response procedures. The process must also ensure that at least major ICT-related incidents are reported to relevant senior management and the management body.
  1. Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.

  2. Financial entities shall record all ICT-related incidents and significant cyber threats. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.

  3. The ICT-related incident management process referred to in paragraph 1 shall:

    1. put in place early warning indicators;

    2. establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in Article 18(1);

    3. assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;

    4. set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;

    5. ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents;

    6. establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.