Exercises

Chapter 33: Cybersecurity Regulations — DORA, NIST, and Operational Resilience


Exercise 33.1: Notification Timeline Analysis (Introductory)

Scenario

A data breach is discovered at 14:00 on a Friday afternoon at Hartwell Asset Management, a UK-authorised investment manager with a DORA-regulated EU subsidiary (Hartwell Asset Management GmbH, BaFin-supervised). Hartwell serves approximately 8,400 UK retail clients and 3,200 EU institutional clients.

The breach is discovered when a junior systems administrator notices that a cloud storage bucket containing client portfolio reports has been publicly accessible for an undetermined period. Initial forensic assessment, completed at 16:30 on Friday, confirms that the publicly accessible bucket contained 5,200 client records: names, email addresses, account reference numbers, and quarterly portfolio valuations. No authentication credentials or financial account numbers were exposed.

The portfolio reporting system is taken offline at 14:15 for investigation. It is restored at 09:00 the following Monday. The portfolio reporting service has a declared impact tolerance of 24 hours under the FCA operational resilience framework.

The CISO classifies the incident as a major ICT incident under DORA Article 19 criteria at 17:00 on Friday — 3 hours after initial detection.

All times are in UTC.


Part A: Identify All Regulatory Notification Obligations

Identify every regulatory notification obligation that arises from this incident. For each obligation, state:

  • The regulatory framework and specific provision that creates the obligation
  • The jurisdiction in which the obligation applies
  • The triggering event (what must happen for the obligation to arise)
  • Whether the obligation is triggered in this scenario

Consider: DORA major incident notification; FCA PRIN 11; UK GDPR / ICO; EU GDPR / German DPA (BaFin oversees DORA, but the GDPR supervisory authority for EU data subjects is the relevant national DPA); FCA operational resilience impact tolerance breach; customer notification obligations under GDPR Article 34.


Part B: Map Each Obligation to Its Deadline

Using the facts above, calculate the precise deadline for each notification obligation you identified in Part A. Express each deadline as a specific day, date, and time (e.g., "Monday 14 March at 17:00 UTC"). Show your working.

Note the following for your calculations:

  • The DORA initial notification deadline runs from the classification time (17:00 Friday), not detection time (14:00 Friday), provided classification occurs within 24 hours of detection.
  • The UK GDPR 72-hour clock runs continuously in calendar hours — weekends do not pause it.
  • The FCA's PRIN 11 expectation is prompt notification — there is no fixed deadline, but you should identify when the obligation arises and what "prompt" means in this context.
  • The impact tolerance breach: does the 43-hour portfolio reporting outage (Friday 14:15 to Monday 09:00) breach the 24-hour impact tolerance?
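The deadline arithmetic above can be checked with a small calculator. This is an added example, not part of the exercise: it assumes a constructed calendar (Friday 14 March 2025), treats the 14:00 detection as the GDPR awareness time, derives the outage length from the scenario's timestamps, and takes the 4-hour DORA initial window from the sample formula in Exercise 33.4 Part E rather than from this exercise.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed timeline for the Hartwell scenario: the exercise gives only
# weekdays and clock times, so the calendar dates are an assumption.
DETECTED = datetime(2025, 3, 14, 14, 0, tzinfo=UTC)       # Friday 14:00
CLASSIFIED = datetime(2025, 3, 14, 17, 0, tzinfo=UTC)     # Friday 17:00
OUTAGE_START = datetime(2025, 3, 14, 14, 15, tzinfo=UTC)  # Friday 14:15
OUTAGE_END = datetime(2025, 3, 17, 9, 0, tzinfo=UTC)      # Monday 09:00

GDPR_WINDOW = timedelta(hours=72)         # stated in the exercise notes
CLASSIFY_LIMIT = timedelta(hours=24)      # stated in the exercise notes
DORA_INITIAL_WINDOW = timedelta(hours=4)  # assumed; mirrors the sample formula in Exercise 33.4 Part E
IMPACT_TOLERANCE = timedelta(hours=24)    # declared tolerance in the scenario

def fmt(ts: datetime) -> str:
    """Render a deadline as day, date and time, as Part B asks."""
    return ts.strftime("%A %d %B at %H:%M UTC")

def gdpr_deadline(aware: datetime) -> datetime:
    """72-hour clock runs continuously in calendar hours from awareness."""
    return aware + GDPR_WINDOW

def dora_initial_deadline(detected: datetime, classified: datetime):
    """Clock runs from classification if classification came within 24 h of
    detection; otherwise this assumes a cap at detection + 24 h (assumption)."""
    if classified - detected <= CLASSIFY_LIMIT:
        return classified + DORA_INITIAL_WINDOW, "from classification"
    return detected + CLASSIFY_LIMIT, "capped at detection + 24h (late classification)"

def tolerance_breached(start: datetime, end: datetime, tolerance: timedelta):
    """Derive the actual outage from the timestamps and compare it with the tolerance."""
    outage = end - start
    return outage > tolerance, outage

def notification_summary() -> dict:
    """Collect the Part B results for the scenario's own timeline."""
    dora_due, basis = dora_initial_deadline(DETECTED, CLASSIFIED)
    breached, outage = tolerance_breached(OUTAGE_START, OUTAGE_END, IMPACT_TOLERANCE)
    return {
        "uk_gdpr_ico": fmt(gdpr_deadline(DETECTED)),
        "dora_initial": f"{fmt(dora_due)} ({basis})",
        "outage_hours": outage.total_seconds() / 3600,
        "tolerance_breached": breached,
    }

if __name__ == "__main__":
    for key, value in notification_summary().items():
        print(f"{key}: {value}")
```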


Part C: Assign Internal Responsibility

For each notification obligation, identify which internal role should be responsible for:

  (i) Drafting the notification
  (ii) Approving the notification
  (iii) Filing the notification with the regulator

Use the following roles: CCO (Chief Compliance Officer); DPO (Data Protection Officer); CISO (Chief Information Security Officer); General Counsel; CEO; Head of Operations; German Counsel (for BaFin/German DPA obligations).

Explain briefly why you have assigned each role as you have.


Part D: Draft the Opening Paragraph of the FCA PRIN 11 Notification

Draft the opening paragraph (approximately 150 words) of the FCA PRIN 11 notification that Hartwell's compliance team would file. The paragraph must:

  • Identify the firm and the firm's FCA reference number (use a placeholder: FRN: [XXXXXX])
  • State the nature of the incident
  • State when the incident was detected and when it was confirmed
  • State which important business service has been affected and for how long
  • State the preliminary assessment of customer impact
  • Signal that further information will follow

Write the paragraph in formal regulatory notification language — precise, factual, and free of hedging or speculative language.


Exercise 33.2: Impact Tolerance Assessment (Intermediate)

Scenario

You have been engaged as a consultant to help Priya Nair's RegTech team advise a mid-size UK asset manager — Holloway Investment Partners — on its FCA/PRA operational resilience compliance. Holloway manages approximately £4.2 billion in assets for institutional and high-net-worth clients and is FCA-authorised as an investment manager. It also has a regulated subsidiary in Luxembourg, making DORA applicable to those EU operations.

Holloway has identified the following eight candidate services that may constitute important business services under PS21/3:

  1. Portfolio management and trading — active management of client portfolios; order generation and execution via prime brokerage.
  2. Client reporting — quarterly performance reports, monthly factsheets, and ad hoc client correspondence.
  3. Trade execution and settlement — submission of orders to brokers, confirmation matching, T+2 settlement.
  4. Fund accounting — NAV calculation, fund valuation, reconciliation with custodians.
  5. Client onboarding — KYC/AML processing for new clients; account opening.
  6. Regulatory reporting — MiFID II transaction reporting, AIFMD reporting, PRIIPs disclosures.
  7. Data analytics and risk monitoring — internal risk models, VaR calculations, position limits monitoring.
  8. IT help desk — internal user support, password resets, hardware issues.

Part A: Identify Which Are "Important Business Services"

Apply the FCA/PRA PS21/3 definition of an important business service: a service provided by a firm to external clients (or to financial markets) the disruption of which would cause intolerable harm to clients, other market participants, or the firm's role in the financial system.

For each of the eight services above, state whether it qualifies as an important business service and briefly explain your reasoning. Consider: who receives the service (internal vs external); what harm would disruption cause; and whether disruption would affect clients' ability to access financial services or undermine market functioning.


Part B: Set Impact Tolerances

For each service you have identified as an important business service, propose a specific impact tolerance expressed in hours (e.g., "maximum tolerable disruption of 4 hours"). Justify each tolerance by reference to at least two of the following factors:

  • Client harm: at what point would clients suffer material financial harm or loss of access to essential financial services?
  • Regulatory obligation: does the service support a time-sensitive regulatory obligation (e.g., T+2 settlement)?
  • Market impact: would disruption affect Holloway's counterparties or the broader market?
  • Recovery feasibility: is the tolerance technically achievable given Holloway's current infrastructure?
  • FCA/PRA precedent: has the FCA indicated any expectation about tolerances for this type of service?

Part C: Explain Your Reasoning

Write a brief narrative (100–150 words per service) explaining the key factors you weighed in setting the tolerance. Address: why you chose the specific duration; what the consequences would be if the actual disruption exceeds the tolerance; and what assumptions underpin the tolerance (e.g., whether manual workarounds are available).


Part D: DORA Assessment for Luxembourg Operations

Holloway's Luxembourg subsidiary (Holloway Investment SARL) is subject to DORA from January 2025. For the important business services you have identified in Part A, assess which services would also require DORA major incident assessment if disrupted. Consider:

  • Does the service serve EU clients through the Luxembourg entity?
  • Would a disruption to this service affect Holloway SARL's ability to deliver its regulated functions?
  • Which DORA major incident classification criteria are most likely to be relevant for each service?

Note where the DORA assessment would differ from the FCA PS21/3 assessment — for example, where different clients are served or where the Luxembourg entity uses different technology infrastructure.


Exercise 33.3: Third-Party ICT Contract Review (Intermediate-Applied)

Scenario

Priya Nair's consulting team has been asked to review the cloud services agreement between a UK-regulated payment institution, Apex Payment Services, and its primary infrastructure provider, CloudBridge Ltd. CloudBridge hosts Apex's payment processing platform, customer data environment, and regulatory reporting systems. The agreement was signed in 2022 and has not been reviewed since DORA became applicable in January 2025.

A summary of the agreement's key provisions is provided below:

Summary of Existing CloudBridge Agreement (Signed 2022)

  • Service Levels: CloudBridge commits to 99.5% monthly uptime for core services. No specific provision for notification to Apex if uptime falls below threshold. Financial remedy: service credits applied to next invoice.
  • Security: CloudBridge will "maintain industry-standard security practices." No specific standards referenced (no ISO 27001, SOC 2 Type II, or equivalent). No obligation to notify Apex of security incidents affecting Apex's data environment.
  • Audit: "Apex may request information about CloudBridge's security practices. CloudBridge will respond within 30 business days."
  • Sub-contractors: CloudBridge may use sub-contractors without Apex's prior approval. No requirement to notify Apex of sub-contractor changes. No security requirements for sub-contractors specified.
  • Data: Agreement references GDPR compliance "as applicable." No specific data processing agreement is appended. No data breach notification timeline specified.
  • Business continuity: CloudBridge represents that it maintains a business continuity plan. No obligation for CloudBridge to share the plan with Apex or to test it jointly with Apex. No requirement for CloudBridge to participate in Apex's resilience testing.
  • Exit: On termination, CloudBridge will provide Apex with a data export within 90 days. No provision for CloudBridge to cooperate with Apex's migration to an alternative provider. No obligation to continue providing services during a transition period.
  • Incident notification: "CloudBridge will notify Apex of any material security incidents affecting the services." No timeframe specified. "Material" is not defined.
  • Liability: CloudBridge's aggregate liability is capped at 6 months of service fees. Excludes consequential loss.

Part A: Identify Six Contractual Gaps

Identify the six most significant contractual gaps in the CloudBridge agreement from the perspective of DORA Article 30 compliance and FCA operational resilience requirements. For each gap:

  • State the specific provision that is absent or inadequate
  • Identify the regulatory requirement it fails to satisfy (DORA Article 30 sub-provision, FCA guidance, or UK GDPR Article 28)
  • Describe the regulatory and operational risk that the gap creates


Part B: Draft Contractual Language

For each of the six gaps identified in Part A, draft specific replacement or additional contractual language that would address the gap and satisfy the relevant regulatory requirement. Your language should be:

  • Precise and unambiguous (a court or regulator could interpret it without ambiguity)
  • Commercially realistic (a sophisticated technology vendor could reasonably accept it)
  • Consistent with DORA Article 30's mandatory provisions where applicable

Aim for 50–100 words of contractual language per gap.


Part C: Prioritise the Gaps

Rank your six identified gaps from most critical (1) to least critical (6), from a regulatory compliance perspective. Justify your ranking by reference to:

  • The severity of the regulatory breach associated with each gap
  • The likelihood that the gap would cause actual harm in a real incident
  • The regulatory priority signals from DORA Article 30 and the FCA CTP guidance

Explain, in two or three sentences per gap, why you have placed it at its ranked position.


Exercise 33.4: Incident Response Procedure Design (Applied)

Task

You are the newly appointed CCO of a dual-regulated UK bank with a DORA-regulated EU subsidiary (Dublin) and a US affiliated entity subject to FINRA and SEC oversight. The bank has 120,000 UK customers, 18,000 EU customers, and the US affiliate has 40,000 customers. The bank's core banking platform is cloud-hosted; payment processing is a declared important business service with a 4-hour impact tolerance.

The bank has no documented cyber incident response procedure that integrates regulatory notification obligations. Technical incident response (containment, recovery) is handled by the CISO's team; regulatory notifications have historically been managed ad hoc. You have been asked by the Board to produce a regulatory incident response procedure within 30 days.

Design the procedure. It must address each of the requirements below.


Part A: First 24 Hours — Step-by-Step Procedure

Write a step-by-step procedure covering the first 24 hours of a major cyber incident. The procedure must be formatted as a numbered sequence of actions, each with:

  • A specific action to be taken
  • The time trigger (e.g., "Within 15 minutes of incident detection"; "Within 90 minutes of incident classification")
  • The role responsible for taking the action
  • The output or deliverable (e.g., "completed DORA classification checklist"; "draft FCA PRIN 11 notification")

The procedure should cover at minimum: initial detection and escalation; CISO-to-CCO notification; impact tolerance assessment; DORA major incident classification; regulatory notification decision; notification drafting and approval; filing; and internal documentation.


Part B: Role Assignment Matrix

Produce a role assignment matrix for cyber incident response. The matrix should cover five roles — CISO, CCO, General Counsel, Head of Operations, and CEO — and assign specific responsibilities for each of the following stages: Detection and initial escalation; Impact tolerance assessment; Regulatory notification decision; Notification drafting; Notification approval and filing; Board briefing; Media and customer communications; Post-incident review.

Present as a table with roles as columns and stages as rows. For each cell, state the role's responsibility at that stage: LEAD, SUPPORT, REVIEW, INFORM, or N/A.


Part C: Notification Decision Triggers

For each of the following regulatory obligations, specify the precise decision trigger — the fact or threshold that, once met, means the notification must be filed:

  1. FCA PRIN 11 notification
  2. DORA initial major incident notification (EU subsidiary)
  3. UK GDPR / ICO notification
  4. EU GDPR / national DPA notification (for Irish subsidiary)
  5. FINRA systems disruption notification (US affiliate)
  6. SEC Form 8-K cybersecurity disclosure (if the US affiliate's parent is a listed company)
  7. FCA impact tolerance breach documentation (PS21/3 self-assessment)

For each trigger, specify: the triggering condition; who in the organisation has authority to confirm the trigger has been met; and the maximum time between trigger being met and notification being filed.


Part D: The 30-Minute Notification Assessment Protocol

Design a structured 30-minute "notification assessment" protocol — a mandatory, time-boxed call or meeting that must occur within 90 minutes of any significant incident being declared. The protocol must:

  • Specify who must attend (named roles, not individuals)
  • Provide a structured agenda with time allocations for each agenda item (total: 30 minutes)
  • Include a specific checklist of questions that must be answered during the call
  • Define the output: what must be decided, documented, and assigned by the end of the 30-minute call
  • Include a mechanism for escalating the protocol if a key participant is unavailable (e.g., CISO is travelling internationally)

Write the protocol as a structured document suitable for adoption as a firm procedure, formatted for use by compliance and legal teams who may not have a deep technical background.


Part E: Multi-Jurisdictional Simultaneous Obligations

Write a single-page reference card — formatted for quick use during a live incident — that sets out the UK, EU, and US notification obligations side by side. The reference card should show, for each jurisdiction:

  • The applicable regulatory framework
  • The trigger for notification
  • The deadline (expressed as a formula: e.g., "4 hours from classification")
  • The recipient regulator
  • The responsible internal role
  • The template location (e.g., "FCA PRIN 11 template — Incident Response folder, document IR-03")

The reference card should be designed to be printable on a single side of A4 paper and usable by a compliance officer under time pressure — clear, colour-coded by jurisdiction, and requiring no cross-referencing with other documents to use.