In December 2018, the European Banking Authority (EBA) issued draft guidelines on information and communication technology (ICT) and security risk management.

The draft guidelines set out how credit institutions, investment firms and payment service providers (PSPs) should manage ICT risks, detailing expectations in respect of governance, risk assessments, security and operational management.

In addition, for PSPs, the guidelines cover the management of the relationship with payment service users (PSUs).

Growing reliance, growing scrutiny

The guidelines were developed because the EBA was concerned that, with the growing reliance on technology for operational functioning, financial institutions are becoming more vulnerable to threats from cyber attacks or breaches leading from poor business continuity planning for ICT systems and processes.

For example, when the Financial Conduct Authority (FCA) fined Tesco Bank £16.4m following a cyber attack that exploited deficiencies in the bank's financial crime controls and debit card payments systems, it said that it "has no tolerance for banks that fail to protect customers from foreseeable risks".

The fine would have been £33.56m, but was reduced due to early settlement and Tesco Bank's co-operation with the regulator.

Further, as the financial services sector becomes more interconnected, ICT incidents are increasingly having a systemic impact (e.g. a cyber attack could bring down the IT systems of a service provider that is relied upon by multiple banks).

Robust internal governance required

The guidelines focuses on the importance of managing and mitigating ICT risk through robust internal governance and an internal control framework that sets clear responsibilities for financial institutions’ staff.

Among other things, the management body:

  • has overall responsibility for setting, approving and overseeing an ICT strategy, which should be aligned with the financial institution's overall business strategy. The ICT strategy should cover how ICT must evolve to maintain effective support to business strategy, evolution of the reference architecture of ICT and information security objectives;
  • has overall responsibility for the establishment of an effective risk management framework for ICT risks. Before any major change of ICT system or services, processes or procedure, and after any major operational or security incident, financial institutions must identify whether there are any resulting ICT risks; and
  • should set clear roles and responsibilities on ICT functions, information security risk management and business continuity, including those for the management body. This is not limited to the IT function.

Financial institutions checklist

Financial institutions should:

  • have a documented information security policy that is in line with security objectives identified through risk assessments. The policy should ensure the confidentiality, integrity and availability of sensitive data and should be communicated both internally and to third parties. The policy should apply to all employees and the management body;
  • conduct a business impact assessment to form the basis of a business continuity plan. ICT systems and services should be designed and aligned with the business impact assessment, and the resulting continuity plan should be approved by the management body;
  • develop response and recovery plans, based on the business impact assessment. Each plan should specify what conditions will trigger implementation of the plan and what actions must be taken to ensure the availability, continuity and recovery of critical ICT systems and ICT services. As part of the plan, financial institutions should consider continuity measures to mitigate against the failure of third-party providers in line with the EBA's guidelines on outsourcing (which were issued earlier this week and will apply from 30 September 2019);
  • establish a change management process for ICT systems. This will help to ensure that all changes to ICT systems are assessed, tested, approved and implemented in a controlled manner. The importance of a robust change management process is not to be underestimated, and in 2018 the FCA highlighted that failed IT changes accounted for 20% of the operational incidents that were reported to the FCA by firms (the largest root cause for incidents). The change management process should also include steps to determine whether changes in the existing operational environment influence existing security measures or require additional measures to mitigate risk.
  • have an ICT project management policy. This policy should effectively support the implementation of the financial institution's ICT strategy through ICT projects and should appropriately monitor and mitigate risks arising from such projects. All areas impacted by an ICT project should be represented in the project team and each member of the team should have adequate knowledge required to ensure the project is a success. This latter requirement could prove more challenging in respect of emerging or less mature technologies, where financial institutions are finding it difficult to hire and retain staff with the requisite knowledge;
  • develop and implement processes to govern the acquisition, development and maintenance of ICT systems. Such processes should include the setting of objectives during development, technical implementation, quality assurance standards and the testing approval and release of the system.

Financial institutions need to ensure the effectiveness of their risk-mitigating measures when using third-party providers.

While such measures should be reflected in the contracts and service-level agreements, financial institutions should also monitor and seek assurance of the level of compliance.

In implementing these guidelines, financial institutions should refer to existing standards and leading best practices.

Under the spotlight

The draft guidelines come at a time when the operational resilience of banks is high on regulators' agenda.

In 2018, the EBA, FCA, the Prudential Regulation Authority and the Bank of England all made it clear that the operational resilience of firms is a new area of regulatory and supervisory focus, and viewed as no less important than financial resilience.

The UK Government has also taken an interest, following a number of high-profile IT failures in banks in the past few years, and MPs have launched an inquiry into financial services companies' ability to respond to IT incidents.

Among other things, the inquiry is due to look at the common causes of IT failures, how they affect consumers, and whether the regulators have the ability to hold those responsible to account.

One point that has been made by regulators, and which is echoed in the EBA's draft guidelines, is that operational resilience is not just about IT.

A cyber attack, for example, can have a much greater impact than just on systems and technology, particularly where it prevents a business from providing services to customers.

A firm's strategy for managing ICT risk, as well as its response and recovery plans, need to reflect this wider impact.

What happens now?

Following consultation, the draft guidelines will replace the December 2017 EBA guidelines on security measures for operational and security risks of payment services under PSD2.

The consultation closes on 13 March 2019 and comments can be sent to the EBA by clicking on the "send your comments" button on the consultation page.

Next steps

Please contact us if you have any questions on the EBA's draft guidelines or to find out how we can help you mitigate your ICT risks.

For more news and analysis that is tailored to you, as well as access to Hogan Lovells' cutting-edge interactive Lawtech tools, register for free on Engage.

You can also keep track of all the Engage content by following our LinkedIn page.