Payment authorisation outage — INC-2287

How this incident was handled, assessed against the regulatory regimes in scope. Each finding cites the source event and is categorised by obligation and priority. A draft for human sign-off — the accountable owner decides.

Model claude · prompt regulatory_gap v3 Redaction pseudonymous Scope single incident Generated 2026-06-20 · cached by content hash

Executive summary

A payment-authorisation service degraded for 47 minutes following a configuration change. Customer impact was material; the incident met at least one regulatory notification threshold. Handling was timely but under-documented: classification, escalation approval and the notification decision were not recorded against the ticket at the time they were taken. Five findings follow — one P0 notification trigger, two mandatory and two advisory.

Findings

F-01 · Regulatory notification not assessed within window RegulatoryP0 · Notification

Regulation: EU DORA major-incident reporting · initial notification window verify
Gap: No record that the major-incident classification or the notification decision was made during the incident. cited: evt-1043 (status → major, 09:18Z)
Recommend: Record the notification assessment against the ticket at classification time; add a notification-decision step to the runbook with the clock.
Owner: Incident Manager (A) · Compliance (C)
Due: Before next change window

F-02 · Emergency change lacked recorded approval MandatoryMust

Regulation: FCA SYSC change-management expectations verify · ITIL change control
Gap: The remediating configuration change was applied before an emergency-change approval was recorded. cited: evt-1071 (config applied, 09:41Z)
Recommend: Require an emergency-change record with named approver before or immediately on application; auto-create it from the incident.
Owner: Change Manager (A)
Due: 30 days

F-03 · Incident misclassified as Service Request initially MandatoryMust

Regulation: ISO/IEC 27001 A.5.24–A.5.26 incident management verify
Gap: First 11 minutes were handled under a Service Request type, delaying SLA clocks and escalation. cited: evt-1009 (type=request, 09:07Z)
Recommend: Add a reclassification prompt when impact crosses the major threshold; train on Incident vs Request triage.
Owner: Service Desk Lead (A)
Due: Next training cycle

F-04 · Customer communications not evidenced AdvisoryShould

Regulation: Good practice · consumer-impact communication verify
Gap: Customer status updates were sent but not attached to the incident record. cited: no artefact between evt-1052 and evt-1090
Recommend: Write customer communications back to the ticket as artefacts at send time.
Owner: Comms (R) · Incident Manager (A)
Due: 60 days

F-05 · Post-incident problem record not raised AdvisoryCould

Regulation: ITIL problem management · good practice
Gap: No problem record links the root cause to preventive action. cited: incident closed at evt-1118 with no linked problem
Recommend: Auto-suggest a problem record on closure of any major incident.
Owner: Problem Manager (A)
Due: Backlog

Notification-trigger checklist

DORA major-incident classification confirmed and time-stamped
Initial regulator notification window assessed and decision recorded
FCA SUP 15.3 materiality considered
Customer / affected-party communication evidenced on the record

How to read this

Every finding names the regulation and the source event it is grounded in; where the exact article is uncertain the report flags it verify rather than inventing a citation. Obligation (Regulatory · Mandatory · Advisory) and priority (P0-Critical/Notification · Must · Should · Could) make the backlog triageable. Outputs are drafts; Signum never files a notification or changes your ITSM on your behalf.

See it on your own incidents