EBA launched a consultation on the draft guidelines on ICT and security risk management. These guidelines establish requirements for credit institutions, investment firms, and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single Market. The consultation runs until March 13, 2019.
The guidelines outline expectations in relation to governance, risk assessment process, information security requirements, ICT operational management, security in the change and development processes, and business continuity management to mitigate ICT and security risks. Due to an increasing reliance on ICT for their operational functioning, financial institutions are vulnerable to increased threats from internal and external attacks, including cyber-attacks, or breaches that may arise from inadequate business continuity planning for ICT systems and processes, or poor processes related to ICT change management. These guidelines aim to mitigate all ICT risks—whether internal or external—, including security-related risks, for all financial institutions.
The Guidelines are addressed to credit institutions and investment firms as defined in the Capital Requirements Directive (CRD), for all of their activities, and to PSPs subject to the revised Payment Services Directive (PSD2), for their payment services. These guidelines respond to EC's FinTech Action plan request for the EBA to develop guidelines on ICT risk management and mitigation requirements in the financial sector in EU. The guidelines on security measures for operational and security risks (EBA GL/2017/17) have been fully integrated in the EBA guidelines on ICT and security risk management and will be repealed when these proposed guidelines enter into force.
Comment Due Date: March 13, 2019
Keywords: Europe, EU, Banking, PMI, Guidelines, Cyber Risk, ICT Risk, Regtech, CRD, PSD2, EBA
Previous ArticleUS Agencies Adopt Final Guidance for Resolution Plan Submissions
FCA and PRA in the UK, FED in the US, and the authorities in Singapore have fined Goldman Sachs for risk management failures in connection with the 1Malaysia Development Berhad (1MDB).
BCBS announced that OSFI and the Bank of Canada hosted the 21st International Conference of Banking Supervisors (ICBS) virtually on October 19-22, 2020.
FCA proposed guidance on how firms should continue to seek to help customers who hold insurance and premium finance products and may be in financial difficulty because of COVID-19, after October 31, 2020.
EBA issued an opinion on prudential treatment of the legacy instruments as the grandfathering period nears an end on December 31, 2021.
ESRB published the fifth issue of the EU Non-bank Financial Intermediation Risk Monitor 2020 (NBFI Monitor).
HM Treasury announced that the new Financial Services Bill has been introduced in the Parliament.
APRA announced that it has increased the minimum liquidity requirement of Bendigo and Adelaide Bank for failing to comply with the prudential standard on liquidity.
PRA published the consultation paper CP17/20 to propose changes to certain rules, supervisory statements, and statements of policy to implement elements of the Capital Requirements Directive (CRD5).
US Agencies adopted a final rule that applies to advanced approaches banking organizations and aims to reduce interconnectedness in the financial system as well as to reduce contagion risks associated with the failure of a global systemically important bank (G-SIB).
US Agencies (FDIC, FED, and OCC) adopted a final rule that implements the net stable funding ratio (NSFR) for certain large banking organizations.