The EBA consulted on the guidelines in December 2018. The final report contains a summary of consultation responses and the EBA’s analysis.
The purpose of the Guidelines is to address ICT and security risks that have increased in recent years because of growing interconnectedness through telecommunications channels and with other financial institutions and third parties. The Guidelines detail how financial institutions should manage and address ICT and security risks, and provide financial institutions with a better understanding of supervisory expectations.
Scope
The Guidelines are addressed to payment service providers (PSPs), credit institutions and investment firms (together referred to as financial institutions in the Guidelines).
The Guidelines integrate and build on the requirements set out in the EBA’s previous Guidelines on security measures for operational and security risks of payment services, which were published in December 2017 (EBA/GL/2017/17) (the Guidelines on security measures). Whereas the Guidelines on security measures were addressed only to payment service providers, the Guidelines, as noted above, have been formulated to apply to a broader range of financial institutions under the EBA’s remit.
The term ICT and security risks encompasses data integrity risk but also includes additional details to clarify that it covers the impact on systems and data deriving from security risks. The Guidelines refer specifically to ICT and security risks rather than operational and security risk to avoid confusion with wider operational risk issues, such as conduct risk, legal risk and reputational risk.
Requirements
The Guidelines specify the risk management measures that financial institutions must take to manage their ICT and security risks for all activities and additionally that payment service providers must take relating to the payment services they provide. The Guidelines include requirements for information security, including cybersecurity, to the extent that the information is held on ICT systems.
Financial institutions must comply with the Guidelines in a way that is proportionate to, and takes account of, the financial institutions’ size, their internal organisation, and the nature, scope, complexity, and riskiness of the services and products that the financial institutions provide or intend to provide. It is only by developing strong ICT risk management practices that financial institutions will be able to comply with these Guidelines.
A summary of the Guidelines’ requirements:
Governance and strategy: the Guidelines focus on the role of a sound internal governance and control framework in the management and mitigation of ICT and security risks. The Guidelines require financial institutions to have an ICT strategy that meets a number of requirements, such as setting out clear information security objectives, and require the establishment of a set of action plans containing the measures to be taken to achieve the objectives of the ICT strategy. The Guidelines also remind financial institutions to ensure the effectiveness of the risk-mitigating measures when outsourcing to group entities or when using third parties.
ICT and security risk management framework: financial institutions should maintain an updated mapping of their business functions, supporting processes and information assets, and classify them in terms of criticality. The classification is to be based on the confidentiality, integrity and availability of data, and used to assess and determine what measures are required to mitigate the operational risks related to ICT and the security risks that impact them. Financial institutions should report internally on risk assessment results, and their governance framework, systems and processes for ICT and security risks should be audited on a periodic basis.
Information security: financial institutions should develop and document an information security policy and, based on that policy, establish and implement effective information security measures, including logical security measures, physical security measures, security monitoring, information security reviews, assessment and testing, and information security training and awareness.
ICT operations management: the Guidelines specify high-level principles on how ICT operations should be managed, including the implementation of logging and monitoring procedures for critical ICT operations and the implementation of performance and capacity planning and monitoring processes.
ICT project and change management: the Guidelines set out requirements for ICT project and change management, including the implementation of a programme and/or project governance process that defines roles, responsibilities and accountabilities to effectively support the implementation of the ICT strategy. Financial institutions should also establish and implement an ICT project management policy.
Business continuity management: the Guidelines specify expectations regarding business continuity management, the development of response and recovery plans, the carrying out of business impact analysis (BIA) and ensuring that ICT systems and ICT services are designed and aligned with the BIA. The Guidelines advise financial institutions to ensure they have effective crisis communication measures in place so that all internal and external stakeholders can be informed in a timely manner.
Payment service user relationship management: this applies only to PSPs for their provision of payment services. PSPs should establish and implement processes to enhance payment service users’ (PSUs) awareness of the security risks linked to the payment services by providing PSUs with assistance and guidance. The Guidelines prescribe requirements for relationship management, including allowing PSUs, where product functionality permits, to disable specific functionalities, providing PSUs with assistance on questions and requests for support, and providing PSUs with the option to receive alerts on initiated and/or failed attempts to initiate payment transactions, enabling them to detect fraudulent or malicious use of their accounts.
Next steps
The Guidelines enter into force on 30 June 2020. The Guidelines on security measures (as referred to earlier) will be repealed once the Guidelines come into force.
It will be interesting to see how regulators will respond to the Guidelines, particularly in the UK, where the Bank of England, FCA and PRA have recently published consultation papers proposing new rules on operational resilience. You can find our article on these consultation papers here.