Following the increase in security risks driven by the growing complexity of Information and Communication Technology (‘ICT’) and the associated cyber incidents, the European Banking Authority (‘EBA’) has released its Final Report on the Guidelines on ‘ICT’ and Security Risk Management for Financial Institutions (‘FIs’).
These guidelines describe how ‘FIs’ should manage their internal and external ‘ICT’ and security risk exposures. They also set out the supervisory expectations for the management of ‘ICT’ and security risk, including sound governance arrangements, information security requirements, ‘ICT’ operations, project and change management, and Business Continuity Management (‘BCM’).
The guidelines also cover the management of Payment Service Providers’ (‘PSPs’) relationship with Payment Service Users (‘PSUs’), to ensure that users are made aware of the security risks linked to the relevant payment services, and are provided with tools to disable specific payment functionalities and to monitor payment transactions.
For the purposes of the guidelines, the ‘FIs’ in scope are ‘PSPs’ as defined in Article 4(11) of the revised Payment Services Directive (‘PSD2’), and credit institutions and investment firms subject to the Capital Requirements Directive (‘CRD’). The guidelines are also addressed to the Competent Authorities of the Member States.
The guidelines will take effect from 30 June 2020.
Credit institutions and investment firms as defined in the ‘CRD’, and ‘PSPs’ subject to ‘PSD2’, should take note of the final guidelines and amend their relevant policies and procedures where necessary, ensuring that senior management and executive teams, as well as project/change management and information technology teams, are apprised of the requirements. Firms should also review their current ‘ICT’ strategy, control framework (including internal audit arrangements) and governance structure. Training programmes are also required for relevant staff and contractors, covering business continuity management plans and their testing.
The guidelines set out the following requirements:
1. Proportionate application of the guidelines
The ‘EBA’ provides for proportionate application of the guidelines, reflecting the variation between ‘FIs’ in size, complexity, internal organisation, and the nature, scope and riskiness of their services and products.
2. Management and mitigation of ‘ICT’ and Security Risks
The guidelines require the establishment of sound internal governance, an internal control framework and an ‘ICT’ strategy to manage these risks. They also require an independent and objective control function and an independent internal audit function, and advise that ‘FIs’ ensure their risk-mitigating measures remain effective when outsourcing or using third-party providers.
3. Maintaining up to date records of Business Functions
‘FIs’ must keep up-to-date records of their business functions, supporting processes and information assets, and classify them by criticality and by confidentiality, integrity and availability requirements. ‘FIs’ should assess the ‘ICT’-related operational risks and security risks that affect them and determine appropriate mitigating measures.
4. Information Security for data held on ‘ICT’ Systems
The guidelines require ‘FIs’ to have information security policy(ies) in place; to establish, implement and test information security measures; and to establish a training programme for all staff and contractors.
5. ICT Operations Management
The ‘EBA’ specifies high-level principles on how ‘ICT’ operations should be managed, including requirements to improve, where possible, the efficiency of ‘ICT’ operations and to implement logging and monitoring procedures for critical ‘ICT’ operations.
6. ICT project and change management requirements
‘FIs’ must ensure that changes to production systems are assessed, tested, approved and implemented in a controlled manner, that ‘ICT’ projects have appropriate governance and oversight, and that the development of applications is carefully monitored from the test phase through to the production phase.
7. Business Continuity Management
The guidelines require that ‘FIs’ have effective crisis communication measures in place so that all relevant internal and external stakeholders can be informed in a timely manner. The ‘EBA’ notes that ‘ICT’ business continuity management processes are an integral part of an ‘FI’s’ overall business continuity management process and should not be treated separately.
8. Payment Service Providers’ (‘PSPs’) Relationship Management with Users
The guidelines also cover the management of ‘PSPs’’ relationship with ‘PSUs’, to ensure that users are made aware of the security risks linked to the payment services and are provided with tools to disable specific payment functionalities and to monitor payment transactions.
Please Note: This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions.