EBA supervises ICT risk management within financial entities (I)

In May 2017 the European Banking Authority (EBA) published the guidelines that competent authorities (the Bank of Spain in the national territory) must follow when supervising the ICT strategy and governance of financial entities, as well as when assessing their exposure to technological risk.

These Guidelines were developed by the EBA on its own initiative and in accordance with the provisions of Article 16 of Regulation (EU) No 1093/201. They have been mandatory since January 1, 2018 for those competent authorities that decided to adopt them, such as the Executive Commission of the Bank of Spain, which did so on November 7, 2017.

In short, these are the ICT governance and risk management rules against which European banks, including Spanish banks, are assessed. It is important to note that in these Guidelines the proportionality principle applies to the scope, frequency and intensity of the supervisory assessment: the depth, detail and intensity of the ICT evaluation will be proportional to the size, structure and operating environment of the entity.

In the first place, the regulations require an evaluation of whether the entities have an adequate ICT strategy and whether it is subject to timely follow-up by corporate management. The ICT strategy must be aligned with the business strategy, and its main objective is to plan technological change so as to maintain an up-to-date and efficient IT infrastructure.

Senior management must guarantee its involvement in the definition of strategic ICT priorities by keeping abreast of the development, design and implementation of the initiatives most relevant to the business in this area. In addition, the strategy must be documented and supported by concrete implementation plans and by resource planning.

Regarding ICT governance, the competent authorities will evaluate whether it duly covers the systems and their related risks, and whether the management body properly addresses and manages these aspects, since ICT is an integral part of the entity's sound operation. They will also evaluate whether the entity has an adequate and transparent corporate structure with clear responsibilities, one that ensures the main ICT managers have access to management in order to communicate important technology-related issues.

Standards such as Val IT (IT Governance Institute), ISO 38500, COBIT (ISACA) or ITIL could serve as valid reference frameworks from which banks can draw inspiration to implement their own ICT governance methodologies.

Finally, the competent authorities are obliged to identify the ICT risks to which the organizations are exposed, following a methodology that identifies critical services, calculates the potential impact of each risk, and evaluates the controls implemented to mitigate it.

The EBA develops a single approach to ICT risk, adapted to the characteristics of the entity's business, and for this purpose it identifies the following risk exposures:

ICT availability and continuity risk: associated with the impact on the performance and availability of systems and services.

ICT security risk: the probability of unauthorized access to ICT systems and data.

ICT change risk: arising from the inability to adequately manage changes in ICT systems.

ICT data integrity risk: relating to the risk of data being incomplete, inaccurate or inconsistent.

ICT outsourcing risk: related to the contracting of ICT systems or services from a third party.

It is on this last item that LEET Security offers a unique mechanism for managing third-party risk with maximum efficiency.

As a result of the evaluation of these three points (strategy, governance and risk exposure), the competent authority will draft a report with the findings obtained, assigning the corresponding score as indicated in section 5.11 of the Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process, where a value of 1 is the most favorable and 4 the most deficient.

In the next post, we will go deeper into how the competent authority should evaluate the way in which entities identify, monitor, assess and mitigate material risks in the ICT field.

All you need is LEET.
