Article 13 of the Digital Operational Resilience Act (DORA): Communication
Article 13 of the Digital Operational Resilience Act (DORA) emphasizes the importance of responsible disclosure and communication plans within financial entities. It mandates the establishment of robust communication strategies to handle ICT-related incidents effectively and maintain transparency with stakeholders.
Responsible Disclosure and Communication Plans
Within their ICT risk management framework as outlined in Article 5(1), financial entities must establish communication plans that ensure responsible disclosure of ICT-related incidents or major vulnerabilities to clients, counterparts, and the public as appropriate. These plans are critical for maintaining trust and transparency with stakeholders, mitigating the potential reputational damage, and ensuring timely dissemination of information that can help contain and resolve incidents.
Communication Policies
Financial entities, under the ICT risk management framework described in Article 5(1), must implement communication policies tailored for both internal staff and external stakeholders. Internal communication policies should differentiate between staff directly involved in ICT risk management, specifically response and recovery teams, and those who require general information. This distinction ensures that those who need detailed and specific information to manage and resolve incidents receive it promptly, while the rest of the staff remain informed without being overwhelmed by technical details.
External communication policies should be designed to address the needs of clients, business partners, regulatory bodies, and the public. Clear guidelines should be established for what information can be shared, when it should be shared, and through what channels. These policies should ensure that communication is consistent, accurate, and timely, helping to manage expectations and provide reassurance during incidents.
Designated Communication Role
At least one designated individual within the entity must be responsible for implementing the communication strategy for ICT-related incidents and, for that purpose, act as the entity's spokesperson towards the public and the media. The designated individual should be well-versed in both the technical aspects of ICT risk management and the strategic importance of effective communication, and should coordinate with internal teams to gather accurate information and present it clearly and confidently to external audiences.
Key Elements of the Communication Plan
The communication plan should include several key elements to ensure its effectiveness:
- Incident Reporting Protocols: Clear protocols for reporting ICT-related incidents internally and externally, defining what constitutes an incident, who must be notified, and the timelines for reporting.
- Stakeholder Identification and Prioritization: Identification of key stakeholders who need to be informed about incidents and prioritization of communication based on their level of impact and influence. This ensures that critical stakeholders are kept informed at all stages of incident management.
- Message Templates and Scripts: Pre-drafted message templates and scripts for various types of incidents. These templates should be adaptable to specific situations and should cover initial notifications, ongoing updates, and post-incident summaries.
- Communication Channels: Specification of communication channels to be used for different stakeholders, such as email, phone, social media, press releases, and direct meetings. The choice of channel should reflect the urgency and sensitivity of the information.
- Training and Simulation: Regular training sessions and simulation exercises for staff to practice the communication protocols. This helps ensure that everyone understands their roles and can execute the communication plan effectively under pressure.
- Feedback Mechanism: A mechanism for gathering feedback from stakeholders about the effectiveness of the communication during and after incidents. This feedback should be used to continuously improve the communication strategies.
Maintaining Transparency and Building Trust
The measures outlined in Article 13 are essential for ensuring transparent and effective communication during ICT-related incidents. By establishing clear communication plans and policies, financial entities can bolster stakeholder confidence and manage potential reputational risks. Transparent communication builds trust with clients, partners, and the public, demonstrating the entity's commitment to managing ICT risks responsibly and proactively.
Article 13 of DORA sets the foundation for financial entities to handle ICT-related incidents with a structured and strategic approach to communication. By adhering to these guidelines, entities can ensure that they maintain transparency, manage stakeholder expectations, and mitigate the impact of incidents on their reputation and operations.