On 11 May 2017 the European Banking Authority (EBA) published its final Guidelines on the assessment of the Information and Communication Technology (ICT) risk in the context of the Supervisory Review and Evaluation Process (SREP). The Guidelines are focused on common procedures and methodologies for the assessment of ICT risk. The EBA developed the Guidelines on its own initiative in order to assist competent authorities.
The Guidelines must be understood as part of the SREP and read in conjunction with the applicable EBA SREP Guidelines published on 19 December 2014. The SREP is specifically referred to in Articles 97 and 107 of Directive 2013/36/EU (the so-called CRD). Under the SREP guidelines the ICT risk is described as one of the sub-categories of operational risk which should be paid particular attention because of their pervasive nature and relevance to the majority of institutions (see mainly para 258 – 261). The
Guidelines on ICT consist of three titles. Title 1 explains how the assessment of ICT risk contributes to the overall SREP assessment of an institution. Title 2 describes how the institution’s overall internal governance and institution wide controls address ICT, including adequate knowledge and understanding at the management body level, as well as assessing the institution’s ICT strategy taking into account both the governance and the institution’s business model. Title 3 includes the assessment of ICT risk and the controls in place as a ‘risk to capital’.
The Guidelines contain ICT risk taxonomy in the annex which includes ICT risk categories:
The mapping of ICT risks in to the individual risk categories shall assist competent authorities in determining which risk is material and therefore require a closer and/or deeper review. The ICT Guidelines are applicable from 01 January 2018.
13-7-2017