New guidelines on ICT and security risk management

Article by Constantinos Koumides as appeared on InBusiness

Information and Communication Technology (ICT) and information security risk management are fundamental for a financial institution to achieve its strategic, corporate, operational and reputational objectives. In light of an increasingly interconnected digital economy, the growing reliance on ever more complex ICT and the security risks that follow from it, and the rise in sophisticated cyber security attacks and incidents, the European Banking Authority (EBA) released the Guidelines on ICT and security risk management (EBA/GL/2019/04).

The guidelines came into force as of 30 June 2020, and will be the EBA's de-facto regulatory standard within the ICT and security risk management domain. They are compatible with the three lines of defence model, with the ICT operational units being the first line of defence, and focus in particular on the responsibilities of the management body and the second line of defence (which usually includes the information security function).

They should be read in conjunction with the EBA's regulatory standard on Outsourcing (EBA/GL/2019/02), which outlines how financial institutions should manage outsourcing, taking into consideration the critical role that third parties play in protecting the security and resilience of financial institutions. It should also be noted that the guidelines clarify and harmonise the supervisory expectations stemming from the Capital Requirements Directive (CRD) and the second Payment Services Directive (PSD2).

When applying the guidelines, institutions are expected to consider the principle of proportionality (e.g. in relation to the size, complexity, services / products offered).

The guidelines outline the EBA's expectations on how financial institutions (e.g. payment service providers, credit institutions, investment firms) should manage their ICT and information security risks in order to reduce the likelihood and severity of potential incidents, and cover the following critical areas:

  • Governance and Strategy

  • ICT and Security Risk Management Framework

  • Information Security

  • ICT Operations Management

  • ICT Project and Change Management

  • Business Continuity Management

  • Payment Service User Relationship Management

Financial institutions should incorporate the guidelines into their overall risk management framework. Firstly, a current state / readiness assessment should be performed in order to identify gaps. This exercise should not be treated solely as a compliance assessment; it is an important step in identifying, analysing and evaluating risks.

Due to the importance of this step, a number of financial institutions are opting to obtain independent validation of it.

Based on the output of the readiness assessment, appropriate risk treatment plans should be derived and a remediation roadmap with priorities determined. As part of the ongoing risk management process, a reporting mechanism should be in place so that executive management and the board are kept informed of the status and can take informed decisions.


Constantinos Koumides

Manager

Assurance Services
PwC Cyprus
