EBA guidelines on ICT and security risk management

27 February, 2020

In light of an increasingly interconnected economy, more sophisticated security attacks and incidents, and growing reliance on technology to do business, the European Banking Authority (EBA) released its final Guidelines on ICT and Security Risk Management on 28 November 2019 (EBA/GL/2019/04).


The final Guidelines apply from 30 June 2020 and will be the EBA's de facto regulatory standard within the ICT and security risk management domain, replacing the consultation draft that preceded them. Local financial regulators are expected to confirm compliance with, and endorse, these Guidelines in due course.

Once in force, the Guidelines build on, and repeal, the EBA's earlier Guidelines on security measures for operational and security risks under PSD2 (EBA/GL/2017/05), extending those requirements beyond payment service providers. They should also be read in conjunction with the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), an acknowledgement by the EBA of the critical role that third parties play in protecting the security and resilience of financial institutions.

What's included in the guidelines?

The Guidelines set out the EBA's expectations of how financial institutions in scope (credit institutions, investment firms and payment service providers) across the EU should manage their internal and external ICT and information security risks, in order to reduce the likelihood and severity of potential incidents. They cover the following areas (section numbers refer to the Guidelines):

  • Governance and Strategy (3.2)
  • ICT and Security Risk Management Framework (3.3)
  • Information Security (3.4)
  • ICT Operations Management (3.5)
  • ICT Project and Change Management (3.6)
  • Business Continuity Management (3.7)
  • Payment Service User Relationship Management (3.8)

How is ICT regulation evolving?

The EBA guidelines have evolved through consultation on: greater integration of third-party risk management; inclusion of change management as a risk discipline; introducing mandatory annual security awareness training; and mandating the security testing of critical systems at least annually.

The European Commission published a consultation in December 2019 on a digital operational resilience framework, looking for input from firms on topics including ICT risk management frameworks; reporting requirements; resilience testing framework; oversight of third-party providers; information sharing.

Impact on firms

When applying the Guidelines, firms are expected to apply the principle of proportionality (i.e. in relation to the size, complexity and risk profile of the firm). Based on our experience working with firms, we expect the main challenges to be the following:

  • Effective third-party risk management, where current practices expose weaknesses in dealing with a dynamic cyber-threat landscape
  • Identifying and maintaining asset inventories that link key business processes to the information and IT assets that support them
  • Securing consensus and resources for monitoring and risk-reporting responsibilities, the lack of which also hampers progress in change programmes

What should you do to prepare for compliance?

Current state assessment

Execute a current state assessment of your organisation's controls and processes, and a gap analysis against the Guidelines, to determine your readiness for compliance and obtain independent validation.

Remediation roadmap

Define your target position and determine your areas of priority, so that your organisation's efforts and resources are focused on addressing the most significant gaps and highest-risk areas first.

Reporting framework

Develop a reporting framework to keep the board or executive management informed of compliance status and support ongoing decisions on risk reduction investments.

Contact us

Pat Moran

Partner, PwC Ireland (Republic of)

Tel: +353 87 754 1944
