As we discussed in the previous post, the European Banking Authority (EBA), in its report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process, includes a section describing how to inspect technology risk management within the framework of global operational risk management.

This assessment will be obtained from different sources, including activities, reports and results of the entity's risk management, risk self-evaluations and ICT controls, periodic reports on ICT risk, specific information on incidents, and results of internal and external audits related to ICT.

The EBA defines its ICT risk assessment method with some controls that match other information security frameworks, adapted to the distinctive features of financial institutions. It establishes 4 stages:

1 Review of the entity's ICT risk profile

This stage gives a first approximation of the impact of ICT risk on the availability and continuity of the financial system, analyzing in general terms aspects such as IT infrastructure unavailability, dependence on the Internet, ICT complexity or obsolescence, contracting of external ICT services, location of facilities, and socio-political aspects.

2 Review of critical ICT systems and services

This stage builds an inventory of the ICT systems and services that are essential for the organization. Each must meet at least one of the following conditions:

• Support the main business operations (ATMs, online banking, mobile banking).

• Support governance processes and essential corporate functions (risk management, treasury management).

• Be subject to special legal or regulatory requirements with availability, resilience, confidentiality, or security requirements.

• Process or store confidential or sensitive data whose unauthorized access could affect the entity's reputation, financial results or business strength.

• Provide basic and vital functionalities for the entity's operation.

3 Identification of material ICT risks for critical ICT systems and services

Based on the reviews of the ICT risk profile and of the critical ICT systems and services, each entity must identify its own risks, taking into account the financial impact of revenue loss, legal and repair costs, the business availability and continuity risk (number of customers or branches and potentially affected employees), the impact on the organization's reputation, fines for non-compliance with regulations, and the impact on the organization's strategic plans.

Once the risks have been identified, a risk treatment plan must be developed and managed by monitoring a set of controls to mitigate these risks.

4 Control assessment to mitigate material ICT risks

The competent authorities will review the way in which the entity identifies, monitors, evaluates and mitigates the material risks identified in the previous step. To do so, they will evaluate the following set of controls:

ICT risk controls

• ICT risk management policy: Policy statement and approval. ICT risk management system.

• Organization management and supervision framework: Roles, responsibilities, resources and internal audits.

• Internal audit coverage and results: Periodic audit execution and monitoring of results.

• ICT availability and continuity: Critical processes and systems identification. Business continuity plan. Incident management procedure. Capacity management.

• ICT security: Information security management system. Technical vulnerability management. Internal and external assets and services inventory. Awareness and training. Access control. Network controls. Independent security audits.

• Change management: Documented processes. Segregation of tasks. Realistic testing environments. Systems life cycle management. Source code access control. System and application security audits. Information leakage prevention.

• Data integrity: Functions and responsibilities. Data model. Application use authorization. Integrity exception management.

• ICT outsourcing: Strategy. Impact assessment. Risk and service level monitoring. Service management resources.


To complete the assessment process, the competent authority reflects the opinion formed about the entity's ICT risk in a results report. If the ICT risk is considered to be material, it can be scored in the report as a subcategory of operational risk according to the following scale:

  1. There is NO APPRECIABLE impact risk
  2. There is a LOW impact risk
  3. There is a MEDIUM impact risk
  4. There is a HIGH impact risk

Once again we find an example where organizations need to demonstrate the implementation of their information security measures, and at the same time evaluate the security of their ICT providers.

In this context, our security rating can be a great help to financial institutions. On the one hand, it offers a flexible control framework based on international best practices and standards, classified into several protection levels. Leet's rating mechanism allows for specific risk coverage plans based on the security dimension most relevant to the entity (availability, integrity, confidentiality), and also on the applicable security domain (security management, systems operation, safety, resilience, network control, etc.). On the other hand, it is an effective and efficient mechanism for supervising outsourced services.

All you need is LEET


September 21, 2018