Italian banks to self-assess digital resilience ahead of DORA

Banca d'Italia has called on supervised financial intermediaries to conduct a self-assessment of their digital operational resilience ahead of the Digital Operational Resilience Act (DORA) becoming applicable on January 17, 2025. The central bank highlighted increasing ICT and cyber incidents in the Italian financial sector.

Rising cyber incidents and data breaches

The Digital Operational Resilience Act (DORA) will become applicable on January 17, 2025, introducing harmonized European norms to strengthen ICT risk management.

Banca d'Italia's recent analysis, "Digital resilience in the Italian financial sector," reveals a significant increase in both operational and cyber incidents over the past three years, with cyber incidents seeing a larger rise in 2023. Operational incidents are frequently linked to inadequate ICT change management processes.

Cyber incidents predominantly stem from unauthorized access, often involving internal personnel or authorized service providers abusing access rights, leading to breaches of data confidentiality or service availability.

Furthermore, the central bank's "Risk Data Aggregation Survey" identified potential shortcomings in managing and aggregating risk data, alongside inadequacies in ICT systems supporting decision-making and risk management activities.

These findings are consistent with observations from the Single Supervisory Mechanism's horizontal analysis of IT and cyber risk among significant banks.

Mandatory self-assessment and key focus areas

In light of evolving regulatory requirements, Banca d'Italia mandates all directly supervised intermediaries to evaluate their readiness for DORA.

This self-assessment, due by April 30, 2025, must cover three key areas: strategies for third-party risk, contract renewals for suppliers, and the transmission of the Register of Information to the Authority.

Additionally, intermediaries must self-evaluate their ICT risk management systems.

This includes ensuring that policies, procedures, and tools are adequate to prevent and detect breaches of data confidentiality, to assess access controls (including potential abuse by internal staff or suppliers), and to monitor ICT systems for anomalous activity.

The assessment must also confirm that the ICT change management framework aligns with DORA requirements to mitigate risks from system modifications.

The Board of Directors must approve and submit this self-assessment to Banca d'Italia.

Digital resilience: A continuous challenge

This communication underscores the significant and ongoing challenge facing Italian financial institutions in bolstering their digital operational resilience.

The identified shortcomings in ICT change management and unauthorized access highlight deep-seated vulnerabilities requiring substantial investment and cultural shifts.

The mandated self-assessment is therefore a crucial opportunity for firms to proactively address these systemic risks before the DORA regulation takes full effect.