Background
In July 2024, a faulty content update pushed to a widely deployed endpoint security agent caused millions of systems running Microsoft Windows to crash. The incident has been widely reported as one of the largest IT outages on record.
Relevance to financial services firms subject to DORA
Firms that fall within the scope of DORA are required to be DORA-compliant by 17 January 2025 – a deadline which is proving challenging given the substantial work involved in implementing the technical and governance changes required and reviewing contractual relationships with IT vendors.
The dust has settled since the recent IT incident, but for those involved in DORA preparations, it has brought into even sharper focus:
- the potential for a single defective update from one supplier in the supply chain to take down critical systems at scale, without any malicious actor being involved;
- the need for robust and well-tested business continuity and disaster recovery plans that can be implemented at pace;
- that contractual protection in a vendor contract goes well beyond the liability and indemnity clauses (those clauses are, in any event, often defeated by exclusions and force majeure provisions in the context of global incidents), and should extend to service levels, update and change-management commitments, testing and rollback obligations, and incident notification duties;
- the importance of cyber insurance (and checking the small print); and
- the need for an incident response plan that ensures the firm can assess and respond to incidents (i) within regulatory timeframes (including under DORA and data protection rules, among others), (ii) in accordance with obligations in customer contracts, and (iii) in a manner that protects its commercial and reputational interests as far as possible.
For those preparing for DORA, we have prepared a flow chart outlining the key regulatory obligations that a financial entity will need to bear in mind in the event of being impacted by a similar major outage in future.
Overview of DORA incident response and reporting requirements
Next steps
If you are interested in further exploring incident management, the impact of DORA or anything else relating to digital operational resilience, we would be delighted to hear from you.
Authored by Sarah Wrage, Max von Cube, Louise Crawford, and James Sharp.