
EBA Guidelines on ICT and security risk management

The EBA Guidelines on ICT and Security Risk Management provide a comprehensive framework for credit institutions, investment firms, and payment service providers to identify, assess, and mitigate ICT and security risks. They emphasize strong governance, requiring institutions to integrate ICT risk management into their overall risk frameworks with clear roles and responsibilities, including board oversight. The guidelines mandate regular risk assessments, implementation of preventive and corrective controls, incident response plans, and robust information security measures covering confidentiality, integrity, and availability of data. They also address third-party risk management through due diligence and ongoing monitoring. Business continuity and disaster recovery planning are key components to ensure resilience against disruptions. The framework is designed to be continuously improved and aligned with evolving threats, with mandatory reporting and communication protocols to maintain operational stability and regulatory compliance. Recent updates have aligned these guidelines with the Digital Operational Resilience Act (DORA), narrowing their scope to entities covered by DORA and simplifying requirements to avoid duplication.


Publication's URL

URL: https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-ict-and-security-risk-management

Publication's scorecard

Issuer: EBA
Country: EU
Scope: ICT
Typology: Regulation
Publication's date: November 27, 2019
Category: Governance Framework
Sector: Finance