📜 First Set of Rules under DORA for ICT and Third-Party Risk Management
On January 17th of this year, the three European Supervisory Authorities (European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), collectively referred to as the “ESAs”) published the first set of final draft technical standards under the European Union’s Digital Operational Resilience Act (DORA). DORA aims to enhance the digital operational resilience of the EU financial sector and strengthen its management of information and communication technology (ICT) providers and cybersecurity incident reporting processes.
This final draft of technical standards includes:
Regulatory Technical Standards (RTS) on the ICT risk management framework and the simplified ICT risk management framework: These standards identify the key elements that financial entities subject to the simplified regime should have, considering their smaller scale, risk, size, and complexity, establishing a simplified ICT risk management framework. Their goal is to ensure that ICT risk management requirements are harmonized across different financial sectors.
RTS on criteria for classifying ICT-related incidents: These standards specify the criteria for classifying significant ICT-related incidents, the approach for classifying major incidents, the materiality thresholds for each classification criterion, the criteria and materiality thresholds for determining significant cyber threats, the criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States, and the details of incidents to be shared in this context. The aim is to ensure a harmonized and straightforward incident reporting classification process across the financial sector.
RTS on the policy for ICT services supporting critical or important functions provided by third-party service providers (TPPs): These standards specify parts of the governance, risk management, and internal control framework agreements that financial entities must have in place regarding the use of third-party ICT service providers. The goal is to ensure that financial entities maintain control over their operational risks, information security, and business continuity throughout the contractual lifecycle with such external ICT service providers.
Implementing Technical Standards (ITS) to establish information record templates: These standards establish the templates that financial entities must maintain and update concerning their contractual agreements with third-party ICT service providers.
The final draft standards have been submitted to the European Commission, which has begun reviewing them with the aim of adopting this first set in the coming months.
🚨 Paraguay on Alert After Cyberattack
Following the attacks on IFX Networks (Colombia) and GTD (Chile), Tigo Business (Paraguay), another corporate service operator, fell victim to a security incident.
On January 4th of this year, the service infrastructure of Tigo Business suffered an attack that, according to the company’s official statement, affected the normal provision of services to a group of exclusively corporate segment clients:
According to the Directorate General of Information and Communication Technologies (DIGETIC) of the Paraguayan Armed Forces in the 01/2024 edition of their Bulletin on Sunday, January 7, 2023, more than 300 local companies were affected:
However, hours later, they rectified the content, modified the severity to “high,” and omitted the reference to the service provider company, in addition to removing any mention of “black hunt.”
⚙️ Audi Suppliers in Querétaro Affected by Worker Strike at Audi in San José Chiapa, Puebla (Mexico)
The strike that began on January 24th at the Audi plant in San José Chiapa (Mexico) affected numerous suppliers of the German firm with locations in other states, such as Querétaro.
Puebla Governor Sergio Salomón Céspedes Peregrina called a press conference urging the directors of the German automaker and unionized staff to resume negotiations to reach an agreement as soon as possible due to the significant negative impact of the strike:
“We must analyze the collateral damage being generated. I had talks with Querétaro authorities who are being affected. It does not only affect Puebla but other states as well. This is a high priority issue for the state government,” he said.
Fortunately, on Monday, February 18th, Governor Sergio Salomón Céspedes confirmed that on Sunday night, after nearly a month, the strike at Audi finally ended following an agreement with the Independent Union of Audi Workers (Sitaudi) for a 10.2% wage increase.
🛡️ Ransomware Crisis in Hundreds of Romanian Hospitals Attributed to Third-Party Incident
The Romanian National Cybersecurity Directorate (DNSC) was notified on February 12th of a ransomware cyberattack on the Romanian company Soft Company (RSC), a service provider to several hospitals in Romania that develops, manages, and markets the Hipocrate information system (also known as HIS), a multipurpose healthcare management platform.
Since then, the agency has been investigating the ransomware attack carried out with the Backmydata application, a variant of the Phobos ransomware family that encrypted data on the servers of several Romanian hospitals.
According to the DNSC’s report on February 14th, under Law 362/2018, essential service operators are required to implement appropriate measures to prevent and minimize the impact of incidents affecting the security of the networks and information systems used to provide these essential services, with the aim of ensuring the continuity of those services and immediately notifying the DNSC, as the national CSIRT, of incidents that have a significant impact on the continuity of essential services.
The DNSC clarified that immediate notification of the impact on essential services is also required if the impact is due to incidents affecting a digital service provider on which the provision of essential services depends. This is precisely the scenario with the Backmydata/Phobos ransomware incident. Additionally, they noted that the service provider managing the Hipocrate application notified the DNSC after learning of the incident before any formal notification from the hospitals, and that the agency carried out all due activities according to its legal powers.
Recently, the DNSC confirmed through its official communication channel that the total number of affected hospitals had risen to 26, and another 79 healthcare units were preventively disconnected from the internet hours after the first attacks were reported. They also issued an alert providing details and recommendations regarding the attack.