The European Banking Authority (EBA) recognised the importance, and the changing nature, of information and communication technology (ICT) risks to financial organisations. In response, it issued its Guidelines on ICT and Security Risk Management on 28 November 2019 (EBA/GL/2019/04), which will enter into force on 30 June 2020 (from that date, the EBA Guidelines on security measures for operational and security risks under PSD2* will be repealed).
Some of the risks recognised by the EBA and described in the Guidelines include:
- Increased complexity of organisations’ environments due to digitisation and increased use of third parties, including outsourced service providers (the EBA also recommends that these Guidelines be read in conjunction with its Guidelines on outsourcing arrangements);
- Greater frequency and impact of ICT and security-related attacks and incidents (including cyber incidents); and
- Wider systemic impacts due to the interconnectedness of financial institutions.
Who do they apply to?
These Guidelines apply to all EU financial institutions listed in paragraph 9 of the Guidelines – including banks, insurers, credit institutions, investment firms, Payment Service Providers (PSPs) and competent authorities.
The Guidelines are intentionally not prescriptive in nature but rather principles-based, and call for financial institutions to apply the principle of proportionality; that is, to take into consideration their size, and the nature and scope of the products and services they provide, when implementing the Guidelines.
What’s in the Guidelines?
The Guidelines cover the following areas:
- Governance and Strategy;
- ICT and Security Risk Management Framework;
- Information Security;
- ICT Operations Management;
- ICT Project and Change Management;
- Business Continuity Management; and
- Payment Service User Relationship Management.
How should financial institutions prepare for compliance?
ThreeTwoFour recommend the following steps:
- Review the Guidelines to understand how the Guidelines apply to the organisation;
- Undertake a current state assessment and gap analysis against the Guidelines;
- Assess the gaps to estimate remediation efforts required;
- Develop a remediation plan, and ensure accountabilities for remediation activities are clearly understood;
- Form a working group to track and manage the remediation activities; and
- Ensure regular reporting and metrics such as Key Performance Indicators (KPIs) are provided to relevant governance bodies within the organisation, including regular reporting on the overall ICT and security risk and control position.
* For further details, refer to the EBA website here.
If you’d like assistance with assessing against the Guidelines, then why not get in touch on +44 203 603 4733 or email us at firstname.lastname@example.org.