Monika Macura
Implementation of DORA – Practical Conclusions
We continue our series devoted to discussing issues related to cybersecurity. This time, we share practical conclusions on the implementation of DORA. The article is based on the webinar conducted by legal counsel Monika Macura on 21 October 2024, concerning key threats, regulations and good practices in the area of cybersecurity for financial institutions. The full recording of the webinar “Cybersecurity in Payment Solutions” is available on the YouTube channel.
Audit of Compliance with the Requirements of the DORA Regulation
The first step is to verify that the risk management system treats ICT-related risk as part of operational risk. The next stage should be an assessment of the business continuity plan’s compliance with DORA requirements, in particular checking to what extent it covers the scope DORA requires. In the subsequent stage, the following are assessed for compliance with DORA:
- management of ICT-related incidents;
- the digital operational resilience testing programme;
- internal policies and regulations.
In practice, changes or development will cover the following documents:
- digital operational resilience strategy;
- information security policy;
- business continuity policy;
- incident management process, including the incident response procedure;
- digital operational resilience testing programme;
- ICT services risk strategy, including risks from external ICT service providers;
- backup procedures, as well as procedures and methods for restoring and recovering data.
Definition of Technical Requirements in the Area of Digital Resilience – Training for Employees and Management
DORA requires financial institutions to regularly test their ICT systems to assess their resilience to cyber threats, which includes:
- regular penetration testing and more advanced tests aimed at identifying weaknesses in systems and security procedures;
- testing of ICT tools and systems and their critical functions to ensure that the organisation is able to quickly restore services after a potential incident.
Digital operational resilience testing programmes allow for the evaluation of the effectiveness of protective measures and the improvement of threat response strategies.
Cooperation with External ICT Service Providers
As discussed in the previous article, financial institutions often use the services of external ICT providers, which entails the need to manage outsourcing-related risk. The key challenges include:
- assessing the compliance of contracts concluded with ICT service providers with legal requirements and the financial institution’s security policy;
- managing ICT concentration risk, i.e. dependence on one or several providers, which may affect service availability in the event of their operational issues;
- introducing contractual clauses concerning security, reporting procedures and incident response, which is particularly important in the context of providing critical services for the functioning of the institution.
Regulations such as DORA impose an obligation on financial institutions to monitor and assess risks related to ICT providers and to implement remedial measures in the event of deficiencies.
Outsourcing of Payment Services and Soft Law
In the context of outsourcing payment services, legal provisions as well as soft law instruments regulating risk management must be taken into account:
- Article 86 of the Payment Services Act sets out the conditions that must be met by institutions entrusting their operational activities to third parties;
- recommendations and guidelines, such as KNF’s Recommendation D on ICT security in banks or the EBA Guidelines on outsourcing, indicate best practices in risk management.
These guidelines cover not only technical issues but also legal and operational matters aimed at minimising the risks associated with the use of services of external providers.
Policy on the Use of ICT Service Providers
Cooperation with ICT service providers requires special attention to risk management. The policy on the use of such providers should take into account:
- key performance and control indicators used to monitor the quality of services provided;
- rules for submitting reports and notifying of data security incidents;
- exit plans specifying procedures in case of termination of cooperation with the ICT provider, in order to avoid disruption in service provision.
Documentation relating to the security policy and risk management must be kept up to date and compliant with applicable regulations.
Summary
Cybersecurity in payment solutions requires an integrated approach encompassing legal regulations, risk management, and best operational practices.
New regulations such as DORA raise security standards in the financial sector; however, their effectiveness depends on the implementation of appropriate procedures and cooperation between institutions and technology providers.
In the face of the dynamic development of cyber threats, it is also necessary to raise employee awareness and continuously improve protection strategies against attacks.
The article is based on the webinar “Cybersecurity in Payment Solutions”, conducted on 21 October 2024 by legal counsel Monika Macura – the recording is available on the YouTube channel.