EBA draft Guidelines on ICT and security risk management

On 13^th December 2018, the EBA published a Consultative paper on Guidelines on information and communication (ICT) and security risk management.

The Guidelines set out how financial institutions should manage ICT and security risks they are exposed to. Moreover, the Guidelines aim to provide the institutions with a better understanding of supervisory expectations for the management of ICT and security risks.

The Guidelines build on the requirements set out in the Guidelines on security measures for operational and security risks under PSD2 Directive (EBA/GL/2017/17). Those Guidelines were addressed to payment system providers and only for their payment services. The draft Guidelines are addressed to a broader range of institutions, namely to credit institutions and investment firms both for their payment services and their other activities.

The Guidelines provide a detailed description on how institutions should proceed to meet requirements stipulated in Article 74 of CRD Directive (internal governance) and Article 95 of PSD2 Directive (management of operation and security risks).

The Guidelines specifically deal with:

• the proportionality principle,
• requirements on ICT strategy, management and mitigation of ICT risks,
• requirements on the classification of information assets and the assessment of operational risks related to ICT risks,
• requirements on information security,
• principles on ICT operations,
• expectations with regard to business continuity management and response and recovery plans.

In implementing the Guidelines, institutions should take into account existing standards and best practices.

The public consultation runs until 13th March 2019. Subsequently, the Guidelines will be finalised and the Guidelines on security measures for operational and security risks under PSD2 Directive (EBA/GL/2017/17) will be repealed after these Guidelines come into force.