SUMMARY
Avantage Reply was engaged by a global investment bank to implement ICT-related incident risk reporting processes in response to CSSF Circular 24/847. The bank sought assistance in addressing the new regulatory circular but initially provided limited clarity on specific expectations. Avantage Reply’s expertise was critical in interpreting and operationalizing the circular’s requirements, which also served as a preparatory step for the forthcoming DORA regulation.
Key deliverables included the development of a comprehensive incident classification matrix and a critical CMDB, distilled to focus on elements supporting critical applications and processes. These outputs were integrated into a revised incident reporting policy and tested against real-life cases to ensure practical viability.
CUSTOMER GOALS
The client's key targets included:
- Implementing the requirements of CSSF Circular 24/847 within the short timeline mandated by the circular.
- Developing a new incident reporting policy and procedure aligned with both the existing Major Incident and Incident Management processes.
- Proactively preparing for DORA’s incident management requirements through testing and solution design.
CHALLENGES
The project presented several significant challenges:
- Stringent Timeline: CSSF 24/847 was published in early 2024, with a strict implementation deadline of April 1, 2024, leaving only two months for design, implementation, and testing.
- Resource Constraints: The bank was undergoing major transitions, with key personnel preoccupied with parallel initiatives, limiting their availability for collaboration.
- Regulatory Uncertainty: As the circular aimed to prepare institutions for DORA, there were open questions regarding its application to subsidiaries and cross-border entities.
SOLUTION
Avantage Reply adopted a structured and results-oriented approach:
- Focused on creating a comprehensive incident classification matrix to standardize incident categorization and ensure compliance with the circular.
- Developed a critical CMDB, reducing the complexity of the existing configuration management database to prioritize elements essential for critical applications and processes.
- Designed and implemented an updated incident reporting policy, integrating CSSF Circular 24/847 into the bank’s existing Major Incident and Incident Management processes.
- Validated the new procedures through real-life testing, ensuring both practical applicability and future readiness for evolving DORA requirements.
By leading the interpretation and operationalization of CSSF Circular 24/847, Avantage Reply enabled the client to meet the regulatory deadline while establishing a robust foundation for managing ICT-related incident risks in alignment with present and future EU regulations.
CUSTOMER DESCRIPTION
The customer is a leading wealth and fund management bank involved mainly in private banking and wealth and fund management. The customer has a long-established presence in Europe.