Featured Product

    EBA Publishes Guidelines on ICT and Security Risk Management

    November 28, 2019

    EBA published the final guidelines on the mitigation and management of information and communication technology (ICT) and security risks for banks in EU. The guidelines set out expectations on the way in which all financial institutions should manage their internal and external ICT and security risks. The guidelines provide financial institutions with a better understanding of supervisory expectations for the management of these risks, covering sound internal governance, information security requirements, ICT operations, project and change management, and business continuity management. The guidelines, which apply to credit institutions, investment firms, and payment service providers, enter into force on June 30, 2020.

    These guidelines respond to the EC's FinTech Action plan request for EBA to develop guidelines on ICT risk management and mitigation requirements in the financial sector in EU. The guidelines:

    • Focus on the management and mitigation of ICT and security risks by establishing sound internal governance and an internal control framework that sets clear responsibilities for the staff of financial institutions, including for the management bodies
    • Require financial institutions to maintain up-to-date inventories of their business functions, supporting processes and information assets and to classify them in terms of criticality, based on the confidentiality, integrity, and availability of data
    • Remind financial institutions to ensure the effectiveness of the risk-mitigating measures, as defined by their risk management framework, when outsourcing or using third-party providers
    • Specify high-level principles on how ICT operations should be managed, including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of their ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery procedures
    • Specify expectations on business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results
    • Cover the management of relationship of payment service providers with payment service users to ensure that users are made aware of the security risks linked to the payment services and are provided with the tools to disable specific payment functionalities and monitor payment transactions

    In implementing these guidelines, financial institutions should refer to the existing standards and leading best practices. These guidelines intend to be technology and methodology agnostic. The implementation of these guidelines should be done in accordance with the principle of proportionality, taking into account the scale and complexity of operations, the nature of the activity engaged in, the types of services provided, and the corresponding ICT and security risks related to the processes and services of financial institutions. These guidelines complement, and should be read in conjunction with, the supervisory assessment to the applicable institutions in EBA guidelines on ICT risk assessment under the Supervisory Review and Evaluation Process (EBA/GL/2017/05) and other relevant guidelines such as EBA guidelines on outsourcing arrangements (EBA/GL/2019/02). 

     

    Related Links

    Effective Date: June 30, 2020

    Keywords: Europe, EU, Banking, CRD, PSD 2, ICT Risk, Cyber Risk, Proportionality, Operational Risk, Outsourcing Arrangements, Third-Party Arrangements, Fintech, EBA

    Featured Experts
    Related Articles
    News

    HKMA Finalizes Policy Modules on Group-Wide Approach and Remuneration

    The Hong Kong Monetary Authority (HKMA) revised the Supervisory Policy Manual module CG-5 that sets out guidelines on a sound remuneration system for authorized institutions.

    July 29, 2021 WebPage Regulatory News
    News

    EBA Guide to Monitor Threshold for Intermediate Parent Undertakings

    The European Banking Authority (EBA) published the final guidelines on the monitoring of the threshold and other procedural aspects on the establishment of intermediate parent undertakings in European Union (EU), as laid down in the Capital Requirements Directive (CRD).

    July 28, 2021 WebPage Regulatory News
    News

    PRA Finalizes Approach to Supervision of International Banks

    In a recent Market Notice, the Bank of England (BoE) confirmed that green gilts will have equivalent eligibility to existing gilts in its market operations.

    July 26, 2021 WebPage Regulatory News
    News

    FCA Issues PS21/9 on Implementation of Investment Firms Regime

    The Financial Conduct Authority (FCA) published the policy statement PS21/9 on implementation of the Investment Firms Prudential Regime.

    July 26, 2021 WebPage Regulatory News
    News

    EBA Proposes Regulatory Standards to Identify Shadow Banking Entities

    The European Banking Authority (EBA) proposed regulatory technical standards that set out criteria for identifying shadow banking entities for the purpose of reporting large exposures.

    July 26, 2021 WebPage Regulatory News
    News

    IOSCO Proposes Recommendations on ESG Ratings and Data Providers

    The Board of the International Organization of Securities Commissions (IOSCO) proposed a set of recommendations on the environmental, social, and governance (ESG) ratings and data providers.

    July 26, 2021 WebPage Regulatory News
    News

    ESMA Group Issues Recommendations on RFR Switch in Interdealer Market

    The European Securities and Markets Authority (ESMA) published recommendations from the Working Group on Euro Risk-Free Rates (RFR) on the switch to risk-free rates in the interdealer market.

    July 26, 2021 WebPage Regulatory News
    News

    ECB Study Assesses Impact of Basel III Finalization Package

    The European Central Bank (ECB) published a paper as well as an article in the July Macroprudential Bulletin, both of which offer insights on the assessment of the impact of Basel III finalization package on the euro area.

    July 26, 2021 WebPage Regulatory News
    News

    ISDA Finds FRTB Results in Higher Capital Charges for Carbon Trading

    The International Swaps and Derivatives Association (ISDA) published a paper that explores the impact of the Fundamental Review of the Trading Book (FRTB) on the trading of carbon certificates.

    July 26, 2021 WebPage Regulatory News
    News

    PRA Updates Remuneration Policy Statement Templates and Tables

    The Prudential Regulation Authority (PRA) published the remuneration policy self-assessment templates and tables on strengthening accountability.

    July 26, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 7311