EBA published the final guidelines on the mitigation and management of information and communication technology (ICT) and security risks for banks in EU. The guidelines set out expectations on the way in which all financial institutions should manage their internal and external ICT and security risks. The guidelines provide financial institutions with a better understanding of supervisory expectations for the management of these risks, covering sound internal governance, information security requirements, ICT operations, project and change management, and business continuity management. The guidelines, which apply to credit institutions, investment firms, and payment service providers, enter into force on June 30, 2020.
These guidelines respond to the EC's FinTech Action plan request for EBA to develop guidelines on ICT risk management and mitigation requirements in the financial sector in EU. The guidelines:
- Focus on the management and mitigation of ICT and security risks by establishing sound internal governance and an internal control framework that sets clear responsibilities for the staff of financial institutions, including for the management bodies
- Require financial institutions to maintain up-to-date inventories of their business functions, supporting processes and information assets and to classify them in terms of criticality, based on the confidentiality, integrity, and availability of data
- Remind financial institutions to ensure the effectiveness of the risk-mitigating measures, as defined by their risk management framework, when outsourcing or using third-party providers
- Specify high-level principles on how ICT operations should be managed, including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of their ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery procedures
- Specify expectations on business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results
- Cover the management of relationship of payment service providers with payment service users to ensure that users are made aware of the security risks linked to the payment services and are provided with the tools to disable specific payment functionalities and monitor payment transactions
In implementing these guidelines, financial institutions should refer to the existing standards and leading best practices. These guidelines intend to be technology and methodology agnostic. The implementation of these guidelines should be done in accordance with the principle of proportionality, taking into account the scale and complexity of operations, the nature of the activity engaged in, the types of services provided, and the corresponding ICT and security risks related to the processes and services of financial institutions. These guidelines complement, and should be read in conjunction with, the supervisory assessment to the applicable institutions in EBA guidelines on ICT risk assessment under the Supervisory Review and Evaluation Process (EBA/GL/2017/05) and other relevant guidelines such as EBA guidelines on outsourcing arrangements (EBA/GL/2019/02).
Effective Date: June 30, 2020
Keywords: Europe, EU, Banking, CRD, PSD 2, ICT Risk, Cyber Risk, Proportionality, Operational Risk, Outsourcing Arrangements, Third-Party Arrangements, Fintech, EBA
Previous ArticleSRB to Finalize MREL Policy Under BRRD 2 by First Quarter of 2020
The Network for Greening the Financial System (NGFS) launched its first user feedback survey on climate scenarios, with the feedback period ending on February 27, 2023.
The European Banking Authority (EBA) launched the 2023 European Union (EU)-wide stress test, published annual reports on minimum requirement for own funds and eligible liabilities (MREL) and high earners with data as of December 2021.
The European Banking Authority (EBA) proposed implementing technical standards on the interest rate risk in the banking book (IRRBB) reporting requirements, with the comment period ending on May 02, 2023.
The U.S. Federal Reserve Board (FED) set out details of the pilot climate scenario analysis exercise to be conducted among the six largest U.S. bank holding companies.
The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.
The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.
The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.
The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.
The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.
The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.