0003976
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
European Union
Regulations
RTS specifying the criteria for classification of ICT-related incidents
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
2024-03-13
The document as a whole was last reviewed and released on 2024-09-06T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each Citation we found within Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents, tagged with its primary and secondary nouns and primary and secondary verbs, in three-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents are based upon terms found within the Authority Document's defined terms section (which most legal documents have), its glossary, and, for the most part, the terms tagged within each mandate. Terms shown with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term (Mandated - bold; Implied - italic; Implementation - regular)
Common Control and supporting Citations | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Audits and Risk Management | Preventive | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Process or Activity | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive |
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term (Mandated - bold; Implied - italic; Implementation - regular)
Common Control and supporting Citations | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Technical Security | Detective | |
Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 9 1. ¶ 2] | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Business Processes | Preventive | |
Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Technical Security | Preventive | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Technical Security | Preventive | |
Evaluate cyber threat intelligence. CC ID 12747 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the capabilities and intent of threat actors to the extent known by the financial entity; Article 10 ¶ 1(b)(ii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Process or Activity | Detective | |
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term (Mandated - bold; Implied - italic; Implementation - regular)
Common Control and supporting Citations | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Establish/Maintain Documentation | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Establish/Maintain Documentation | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Establish/Maintain Documentation | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums.
Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Establish/Maintain Documentation | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1. Article 7 4.] | Process or Activity | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Process or Activity | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Process or Activity | Detective | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Monitor and Evaluate Occurrences | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Testing | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Address past incidents in the risk assessment program. CC ID 12743 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Audits and risk management | Preventive | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 9 1. ¶ 2] | Monitoring and measurement | Preventive | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Operational management | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Operational management | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Operational management | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Operational management | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums. Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Operational management | Preventive | |
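The Article 8 and Article 9 decision rules quoted in the row above, worked through in code as an added example that is not part of the regulation or of this report. The Incident fields, the sample incidents, the 183-day reading of "6 months" and the rule for combining recurring incidents into one collective assessment are assumptions of the example, not of the RTS.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SIX_MONTHS = timedelta(days=183)  # assumption: "6 months" in Article 8(2), point (a), taken as 183 days

@dataclass
class Incident:
    root_cause: str                               # apparent root cause, Article 8(2), point (b)
    detected_on: date
    affects_critical_services: bool               # Article 6 precondition in Article 8(1)
    clients_affected: int = 0                     # Article 1(1); an estimate under Article 9(1) if unknown
    total_clients: int = 0
    counterparts_affected: int = 0                # Article 1(2)
    total_counterparts: int = 0
    transactions_affected: int = 0                # Article 1(4)
    daily_avg_transactions: int = 0
    value_affected_eur: float = 0.0
    daily_avg_value_eur: float = 0.0
    relevant_clients_affected: bool = False       # Article 1(3) clients or counterparts
    reputational_impact: bool = False             # any of Article 2(1), points (a) to (d)
    duration_hours: float = 0.0
    downtime_hours_critical_ict: float = 0.0      # ICT services supporting critical or important functions
    member_states_impacted: int = 1               # Article 4
    data_loss_adverse_impact: bool = False        # Article 9(5), point (a)
    malicious_unauthorised_access: bool = False   # Article 9(5), point (b)
    costs_and_losses_eur: float = 0.0             # Article 7(1) items, before recoveries, net of 7(2)

def pct(part, whole):
    return 100.0 * part / whole if whole else 0.0  # a zero denominator counts as no impact

def materiality_thresholds(inc):
    """Article 9(1) to (6): which materiality criteria the incident meets."""
    return {
        "clients_counterparts_transactions": (                   # Article 9(1), points (a) to (f)
            pct(inc.clients_affected, inc.total_clients) > 10 or inc.clients_affected > 100_000
            or pct(inc.counterparts_affected, inc.total_counterparts) > 30
            or pct(inc.transactions_affected, inc.daily_avg_transactions) > 10
            or pct(inc.value_affected_eur, inc.daily_avg_value_eur) > 10
            or inc.relevant_clients_affected),
        "reputational_impact": inc.reputational_impact,          # Article 9(2)
        "duration_downtime": inc.duration_hours > 24 or inc.downtime_hours_critical_ict > 2,  # Article 9(3)
        "geographical_spread": inc.member_states_impacted >= 2,  # Article 9(4)
        "data_losses": inc.data_loss_adverse_impact or inc.malicious_unauthorised_access,  # Article 9(5)
        "economic_impact": inc.costs_and_losses_eur > 100_000,   # Article 9(6)
    }

def is_major_incident(inc):
    """Article 8(1): critical services affected and either 9(5)(b) is met or two or more thresholds are."""
    if not inc.affects_critical_services:
        return False
    if inc.malicious_unauthorised_access:                         # Article 8(1), point (a)
        return True
    return sum(materiality_thresholds(inc).values()) >= 2         # Article 8(1), point (b)

# Assumption for Article 8(2), point (c): counts, amounts and hours summed, denominators and spread at max, flags OR-ed
_SUM = ("clients_affected", "counterparts_affected", "transactions_affected", "value_affected_eur",
        "duration_hours", "downtime_hours_critical_ict", "costs_and_losses_eur")
_MAX = ("total_clients", "total_counterparts", "daily_avg_transactions",
        "daily_avg_value_eur", "member_states_impacted")
_ANY = ("affects_critical_services", "relevant_clients_affected", "reputational_impact",
        "data_loss_adverse_impact", "malicious_unauthorised_access")

def merge_group(group):
    kw = {"root_cause": group[0].root_cause, "detected_on": min(i.detected_on for i in group)}
    kw.update({f: sum(getattr(i, f) for i in group) for f in _SUM})
    kw.update({f: max(getattr(i, f) for i in group) for f in _MAX})
    kw.update({f: any(getattr(i, f) for i in group) for f in _ANY})
    return Incident(**kw)

def recurring_major_incidents(incidents, as_of):
    """Article 8(2): at the monthly assessment dated `as_of`, individually non-major incidents of the past
    6 months that share an apparent root cause form one major incident if together they meet Article 8(1)."""
    groups = {}
    for inc in incidents:
        if as_of - SIX_MONTHS <= inc.detected_on <= as_of and not is_major_incident(inc):
            groups.setdefault(inc.root_cause, []).append(inc)
    result = {}
    for cause, group in groups.items():
        if len(group) >= 2:                                       # Article 8(2), point (a)
            merged = merge_group(group)
            if is_major_incident(merged):                         # Article 8(2), point (c)
                result[cause] = merged
    return result

def demo():
    """Constructed sample incidents (not real data); returns the classification results."""
    outage = Incident("payments-gateway-cert-expiry", date(2024, 9, 2), True, clients_affected=5_000,
                      total_clients=40_000, duration_hours=5, downtime_hours_critical_ict=3,
                      costs_and_losses_eur=20_000)
    def small(cause, on):  # 6.25 % of clients and 1.5 h downtime: below every threshold on its own
        return Incident(cause, on, True, clients_affected=2_500, total_clients=40_000,
                        duration_hours=3, downtime_hours_critical_ict=1.5)
    incidents = [small("batch-scheduler-lock", date(2024, 4, 10)), small("batch-scheduler-lock", date(2024, 7, 15)),
                 small("dns-misconfiguration", date(2024, 8, 1))]
    return {
        "outage_thresholds": materiality_thresholds(outage),
        "outage_major": is_major_incident(outage),
        "minor_a_major": is_major_incident(incidents[0]),
        "recurring_major": sorted(recurring_major_incidents(incidents, date(2024, 9, 30))),
    }
```

In the sample, the single outage is major because two thresholds (Article 9(1)(a) and 9(3)(b)) are met, while the two scheduler incidents are only major when assessed together under Article 8(2).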
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Operational management | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Evaluate cyber threat intelligence. CC ID 12747 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the capabilities and intent of threat actors to the extent known by the financial entity; Article 10 ¶ 1(b)(ii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Monitoring and measurement | Detective | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Detective | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1. Article 7 4.] | Operational management | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Operational management | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Operational management | Detective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive |
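The rows mapped to CC ID 17181 (incident duration) and CC ID 17182 (unscheduled downtime) cite the measurement rules of Article 3 of this Regulation, which fix the start of the interval differently depending on what the financial entity knows (occurrence, earliest log record, or detection), require an estimate when the end is not yet known, and extend downtime to the moment a delayed service is fully provided. The Python below is an added worked example of those rules, not code from this report or from the Regulation; the data model, the field and function names, and the three sample timelines are assumptions constructed for illustration.

```python
"""Added example: measuring incident duration and service downtime using the
rules of Article 3 of Delegated Regulation (EU) 2024/1772. The timeline model,
field names and sample data are this example's own assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class IncidentTimeline:
    """Known timestamps for one incident (assumed UTC). None means 'not (yet) known'."""
    detected_at: datetime                                   # moment of detection
    occurred_at: Optional[datetime] = None                  # moment of occurrence, if known
    first_log_record_at: Optional[datetime] = None          # earliest record in network/system logs or other data sources
    resolved_at: Optional[datetime] = None                  # moment of resolution, if known
    estimated_resolution_at: Optional[datetime] = None      # estimate applied while resolution is unknown
    unavailable_from: Optional[datetime] = None             # service fully or partially unavailable
    restored_at: Optional[datetime] = None                  # prior level of service restored
    delayed_service_provided_at: Optional[datetime] = None  # delayed service fully provided, if any


@dataclass(frozen=True)
class Measurement:
    value: timedelta
    start_basis: str   # "occurrence", "log record", "detection" or "unavailability"
    estimated: bool    # True when the end point is an estimate (Article 3(1), third subparagraph)


def incident_start(t: IncidentTimeline) -> tuple[datetime, str]:
    """Start of the incident under Article 3(1): occurrence if known; otherwise the
    earliest log record where that shows the incident predates detection; otherwise detection."""
    if t.occurred_at is not None:
        return t.occurred_at, "occurrence"
    if t.first_log_record_at is not None and t.first_log_record_at < t.detected_at:
        return t.first_log_record_at, "log record"
    return t.detected_at, "detection"


def incident_duration(t: IncidentTimeline) -> Measurement:
    """Article 3(1): from the start of the incident until it is resolved, or until the
    estimated resolution when the actual resolution is not yet known."""
    start, basis = incident_start(t)
    if t.resolved_at is not None:
        end, estimated = t.resolved_at, False
    elif t.estimated_resolution_at is not None:
        end, estimated = t.estimated_resolution_at, True
    else:
        raise ValueError("resolution unknown: Article 3(1) requires an estimate to be applied")
    if end < start:
        raise ValueError("resolution precedes the start of the incident")
    return Measurement(end - start, basis, estimated)


def service_downtime(t: IncidentTimeline) -> Optional[Measurement]:
    """Article 3(2): from the moment the service became fully or partially unavailable
    until the prior level of service was restored. Where restoration still leaves a
    delayed service, measure from the start of the incident until that delayed service
    is fully provided. An unknown downtime start is replaced by the moment of detection."""
    if t.restored_at is None and t.delayed_service_provided_at is None:
        return None  # downtime not (yet) completed, nothing to measure
    if t.delayed_service_provided_at is not None:
        start, basis = incident_start(t)
        end = t.delayed_service_provided_at
    else:
        if t.unavailable_from is not None:
            start, basis = t.unavailable_from, "unavailability"
        else:
            start, basis = t.detected_at, "detection"
        end = t.restored_at
    if end < start:
        raise ValueError("downtime end precedes its start")
    return Measurement(end - start, basis, False)


_T = datetime  # shorthand for the constructed samples below

# Constructed sample: occurrence unknown at detection but visible in logs; restoration
# left a backlog of delayed service that was cleared five hours later.
SAMPLE_BACKDATED = IncidentTimeline(
    detected_at=_T(2024, 5, 1, 8, 0), first_log_record_at=_T(2024, 5, 1, 2, 10),
    resolved_at=_T(2024, 5, 2, 8, 0), unavailable_from=_T(2024, 5, 1, 3, 0),
    restored_at=_T(2024, 5, 1, 15, 0), delayed_service_provided_at=_T(2024, 5, 1, 20, 0),
)
# Constructed sample: every timestamp known, no delayed service.
SAMPLE_SIMPLE = IncidentTimeline(
    detected_at=_T(2024, 6, 3, 9, 30), occurred_at=_T(2024, 6, 3, 9, 0),
    resolved_at=_T(2024, 6, 3, 23, 0), unavailable_from=_T(2024, 6, 3, 9, 0),
    restored_at=_T(2024, 6, 3, 21, 0),
)
# Constructed sample: still open at reporting time, so the resolution is an estimate.
SAMPLE_OPEN = IncidentTimeline(
    detected_at=_T(2024, 7, 10, 14, 0), estimated_resolution_at=_T(2024, 7, 11, 2, 0),
)

if __name__ == "__main__":
    for name, t in [("backdated", SAMPLE_BACKDATED), ("simple", SAMPLE_SIMPLE), ("open", SAMPLE_OPEN)]:
        d = incident_duration(t)
        print(f"{name}: duration={d.value} (from {d.start_basis}, estimated={d.estimated}), "
              f"downtime={service_downtime(t)}")
```

The `start_basis` and `estimated` fields exist so that a major-incident report can state which figures rest on log evidence, on the moment of detection, or on an estimate; Article 3 requires estimates where the actual moments cannot be determined, and the report should make that visible rather than presenting an estimate as a measured value.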
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Monitoring and measurement | Detective | |
Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Operational management | Corrective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Common Control | IMPACT ZONE | TYPE | |
---|---|---|---|
Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Operational management | Monitor and Evaluate Occurrences | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Operational management | Testing | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security |
Common Control | IMPACT ZONE | TYPE | |
---|---|---|---|
Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Technical Security | |
Identify and document security vulnerabilities. CC ID 11857 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Monitoring and measurement | Technical Security | |
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
Evaluate cyber threat intelligence. CC ID 12747 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the capabilities and intent of threat actors to the extent known by the financial entity; Article 10 ¶ 1(b)(ii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Monitoring and measurement | Process or Activity | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Process or Activity | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1. Article 7 4.] | Operational management | Process or Activity | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Operational management | Process or Activity | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Operational management | Process or Activity | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 9 1. ¶ 2] | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Address past incidents in the risk assessment program. CC ID 12743 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Audits and risk management | Audits and Risk Management | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Establish/Maintain Documentation | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Process or Activity | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Operational management | Establish/Maintain Documentation | |
Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Operational management | Establish/Maintain Documentation | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums.
Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Operational management | Establish/Maintain Documentation | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
Include a description of the data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Establish/Maintain Documentation |