The EBA Guidelines on ICT and Security Risk Management provide a comprehensive framework for credit institutions, investment firms, and payment service providers to identify, assess, and mitigate ICT and security risks. They emphasize strong governance, requiring institutions to integrate ICT risk management into their overall risk frameworks with clear roles and responsibilities, including board oversight. The guidelines mandate regular risk assessments, implementation of preventive and corrective controls, incident response plans, and robust information security measures covering confidentiality, integrity, and availability of data. They also address third-party risk management through due diligence and ongoing monitoring. Business continuity and disaster recovery planning are key components to ensure resilience against disruptions. The framework is designed to be continuously improved and aligned with evolving threats, with mandatory reporting and communication protocols to maintain operational stability and regulatory compliance. Recent updates have aligned these guidelines with the Digital Operational Resilience Act (DORA), narrowing their scope to entities covered by DORA and simplifying requirements to avoid duplication.
Publication's URL
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-ict-and-security-risk-managementAdditional documents on this topic
- NIST IR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM) ★★★★★
- NIST IR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management ★★★★★
- NIST IR 8286C Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight
- NIST IR 8286D Using Business Impact Analysis to Inform Risk Prioritization and Response
- FAIR Taxonomy for Cyber Risk Scenarios ★★★★★