Last week (28 November 2019), the European Banking Authority (EBA) released the final version of its report entitled ‘EBA Guidelines on ICT and security risk management’ (the Guidelines) (link here) on the mitigation and management of financial institutions’ (FIs) information and communication technology (ICT) and security risks. We highlight below some of the key takeaways.

Background

The EBA released a previous version of the guidelines back in 2017. The Guidelines will incorporate and repeal the 2017 guidelines once the Guidelines come into force on 30 June 2020. The Guidelines are also intended to be read alongside the guidelines on outsourcing that came into force at the end of September 2019.

The Guidelines aim to harmonise requirements for ICT and security risk management.

Their scope will cover:

  • Credit institutions and investment firms (as defined in the EU Capital Requirements Directive) for all of their activities
  • Payment service providers (subject to the revised Payment Services Directive) for their payment services

Highlights from the Guidelines

  • Proportionality – as a starting point, FIs should implement the Guidelines in a way that is proportionate to, and takes account of the size of, their business, their internal organisation, and the nature, scope, complexity and riskiness of the services and products that the FIs provide.
  • Governance and strategy – each FI’s management body should ensure that there are adequate internal governance and internal control frameworks within the organisation. Other measures include: aligning ICT strategies with the FI’s overall business strategy; ensuring that staff are adequate and are trained to support their ICT operational needs; and allocating ample budgets to achieve these goals. It is important to note that the management bears overall accountability for implementation.
  • ICT and security risk management framework – the Guidelines require FIs to assign responsibility for managing and overseeing ICT and security risks to an independent and objective control function. FIs should identify and map their business functions, and support processes and information assets based on the business criticality of each function. FIs should also conduct risk assessments to determine how risks can be mitigated, or whether changes are necessary.
  • Third party providers – to guarantee the continuity of ICT services, FIs should also ensure that contracts and service level agreements with third parties (and not just outsourcings) meet security-related objectives, such as minimum cybersecurity requirements. Likewise, sound business continuity management processes should be established. This includes conducting and documenting ‘business impact analyses’, and developing both short- and long-term response and recovery plans. Business continuity measures are also important in order to mitigate the failures of third party providers which provide important support to FIs’ business functions.

Comment

There are two points within the Guidelines that stand out to us.

First, the concept of ‘proportionality’. Although not a new concept within EU rules, applying it to the implementation of the Guidelines means that gold-plating across a group of FIs or even by one FI itself is unlikely to be possible. Each FI will need to consider, in terms of its own risk appetite, the ICT and security risks to its technology infrastructure and to each business function. It will therefore be difficult to copy what everyone else is doing ‘down the street’.

Second, conducting sound business continuity impact analyses is something that we have seen the Bank of England recommend when talking about the relatively new concept of ‘operational resilience’.

We weren’t expecting the Guidelines to be issued before the end of the year. Instead, we were expecting them to be shelved and replaced with a set of operational resilience requirements that would consolidate the challenges that this concept brings, including from third party relationships (such as outsourcing) and cyber risks, among others.

It would be interesting to see how European financial regulators (including the Bank of England, which seemed to be leading the way in this area) will respond to the Guidelines and particularly whether they will continue with their efforts to devise specific operational resilience rules.

For the time being, FIs should rely on the Guidelines to sharpen their ICT and security risk management frameworks before the Guidelines come into force on 30 June 2020.