ECB published an opinion on the proposal for a regulation on digital operational resilience for the financial sector. The opinion has been published in response to requests from the European Council and Parliament. In the opinion, ECB welcomes the proposed regulation, which is intended to enhance cyber security and operational resilience of the financial sector in EU. ECB welcomes the aim of the proposed regulation to remove obstacles to, and improve the establishment and functioning of, the internal market for financial services by harmonizing the rules applicable in the area of information and communication technology (ICT) risk management, reporting, testing, and ICT third-party risk.
ECB welcomes the aim of the proposed regulation to streamline and harmonize any overlapping regulatory requirements or supervisory expectations to which financial entities are currently subject under the EU law. ECB understands that the proposed regulation intends to set forth a prudential internal governance framework for the management of ICT risk, which will be integrated into the general internal governance framework under the Capital Requirements Directive. Moreover, given the prudential nature of the proposed framework, the competent authorities responsible for supervision of compliance with the obligations set out under the proposed framework, including ECB, will be the authorities responsible for banking supervision, in accordance with the Single Supervisory Mechanism (SSM) Regulation.
ECB supports the effort of the EU legislative bodies to promote harmonization and streamline the set of rules and obligations applicable to credit institutions on incident reporting. In view of this, ECB stands ready to amend (and potentially repeal) the Incident Reporting Framework, where necessary, in the light of the eventual adoption of the proposed regulation. In its opinion, ECB sets out the following specific observations on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk:
- ECB welcomes the introduction by the proposed regulation of a robust and comprehensive ICT risk management framework that encompasses the CPMI-IOSCO guidance on cyber resilience and is closely aligned to best practices, including the Eurosystem Cyber Resilience Oversight Expectations for financial market infrastructures. In relation to the identification and classification to be performed by financial entities under the proposed regulation, ECB would consider it prudent, for the purposes of the classification of assets, that the proposed regulation also require financial entities to consider the criticality of such assets (that is whether they support critical functions).
- ECB welcomes the efforts outlined in the proposed regulation to harmonize the ICT incident reporting landscape in EU and work toward a centralized reporting of major ICT-related incidents. ECB emphasizes that the responsibility for, and ownership of, the remediation and the consequences of an incident should remain solely and clearly with the concerned financial entity. ECB would, therefore, propose to limit the feedback and guidance to high-level prudential feedback and guidance only.
- ECB welcomes the requirements set out under the proposed regulation on digital operational resilience testing across financial entities and the need for each institution to have its own testing program. ECB proposes to remove, from the proposed regulation, any obligation for competent authorities regarding the validation of documents and the issuance of an attestation for a threat-led penetration testing.
- ECB welcomes the introduction of a comprehensive set of key principles and a robust oversight framework to identify and manage ICT risks stemming from ICT third-party service providers, regardless of whether these belong to the same group of financial entities. Having said that, to achieve an effective ICT risk identification and management, it is important to correctly identify and classify the critical ICT third-party service providers. In this regard, while the introduction of delegated acts that will supplement the criteria to be used for classification purposes is welcome, ECB should be consulted prior to the adoption of such delegated acts.
Related Link: Opinion (PDF)
Keywords: Europe, EU, Banking, Operational Resilience, ICT Risk, Incident Reporting, Operational Risk, Third-Party Risk, SSM, CRD, Basel, Cyber Resilience, Cybersecurity, Fintech, Opinion, ECB
In a letter addressed to the industry, the Australian Prudential Regulation Authority (APRA) set out an updated schedule of policy priorities for the banking, insurance, and superannuation industries.
The European Banking Authority (EBA) published answers to 29 questions in the Single Rulebook Question and Answer (Q&A) tool in September.
The European Commission (EC) adopted a comprehensive review package of Solvency II rules in the European Union.
The Office of the Comptroller of the Currency (OCC) issued Versions 1.0 of the "Earnings" and "Regulatory Reporting" booklets of the Comptroller's Handbook.
The European Central Bank (ECB) published results of its economy-wide climate stress test, which aimed to assess the resilience of non-financial corporates and euro area banks to climate risks.
The European Banking Authority (EBA) published a report on the use of digital platforms in the banking and payments sector in European Union.
The Hong Kong Monetary Authority (HKMA) published updates on the policy measures that were announced in context of the ongoing pandemic.
The International Swaps and Derivatives Association (ISDA), along with several other associations, submitted a joint response to the Basel Committee on Banking Supervision (BCBS) consultation on preliminary proposals for the prudential treatment of cryptoasset exposures.
BIS published the September issue of the Quarterly Review, which contains special features that analyze the rapid rise in equity funding for financial technology firms, the effectiveness of policy measures in response to pandemic, and the evolution of international banking.
The Basel Committee for Banking Supervision (BCBS) met in September 2021 and reviewed climate-related financial risks, discussed impact of digitalization, and welcomed efforts by the International Financial Reporting Standards (IFRS) Foundation to develop a common set of sustainability reporting standards