Considering the COVID-19 impact on digitalization, EBA’s updated Guidelines on ICT and Security Risk Assessment will help focus on priority areas, including compliance.
The COVID-19 crisis has forced rapid digitization on many financial institutions, businesses, and agencies, which has significantly increased the risk of ICT and security-related incidents. Because of their interconnectedness, financial institutions are at greater risk of ICT and security-related incidents with the potential for systemic impact. As a result, there is currently an increased focus on implementing the European Banking Authority’s (EBA) recently published Guidelines on ICT and Security Risk Assessment to protect financial transaction data and critical customer data from operational and security risks.
The European Banking Authority’s Response
In its new guidelines, the EBA details how financial institutions should manage the ICT and security risks to which they are exposed. In addition, the document aims to give financial institutions a better understanding of supervisory expectations for managing ICT and security risks.
In doing so, EBA’s latest guidance integrates and builds on the requirements previously laid out in its December 2017 EBA/GL/2017/17 “Guidelines on security measures for operational and security risks of payment services.” The latter have been applied since January 2018 to fulfil the mandate put forth in Article 95(3) of Directive 2015/2366/EU (PSD2).
They were originally intended to apply to payment service providers (PSPs) in relation to payment services. However, they are also relevant to a wider range of financial institutions. The EBA’s latest guidelines reformulate the former guidelines so that they apply not just to payment services but to financial institutions more broadly, including all activities conducted by credit institutions outside of payment services, and to investment firms.
Addressing Governance, ICT and Security Risks
The EBA’s guidelines build on Article 74 of Directive 2013/36/EU (CRD), with the intent of strengthening the governance of financial institutions in increasingly digitized banking processes.
Because of the electronic nature of payment systems, the term “ICT and security risks” refers to the operational and security risks mandate included in the revised Payment Services Directive (PSD2) under Article 95.
The EBA guidelines base their definition of ICT and security risk on the EBA’s revised common procedures and methodologies for the supervisory review and evaluation process and stress testing.
The guidelines not only include data integrity risk but have been expanded with additional detail clarifying how the impacts of security risks are covered.
The Capital Requirements Directive (CRD) and PSD2 set out the following provisions with which financial institutions must comply when addressing ICT and security risks:
Article 74 of Directive 2013/36/EU (CRD)
With the EBA Guidelines on ICT and Security Risk Management, governance requirements for institutions are strengthened by requiring:
- Robust governance arrangements
- A clear organizational structure
- Consistent, transparent, and well-defined lines of responsibility
- Effective processes that identify, manage, monitor, and report existing risks and possible risks
Article 95 of Directive 2015/2366/EU (PSD2)
Article 95 of Directive 2015/2366/EU explicitly provides for the management of the operational and security risks that PSPs face, and for appropriate mitigation measures and mechanisms to manage those risks. The corresponding guideline sections include:
- Section 3.1, which recognizes that the guidelines should be scalable in accordance with the size, organizational structure, nature and complexity of operations, scope, and riskiness of the products and services offered by different financial institutions.
- Section 3.2, which provides guidelines that focus on the management and mitigation of ICT and security risks through sound internal governance and an internal control framework. This guideline requires financial institutions to create an ICT strategy that aligns with their overall business strategy.
- Section 3.3, which requires financial institutions to use an independent and objective control function to manage and mitigate ICT and security risks. This control function should be appropriately segregated from ICT operations processes.
- Section 3.4, which establishes requirements for information security in relation to the type of information stored on ICT systems. These requirements include:
  - Having an information security policy
  - Establishing, implementing, and testing information security procedures
  - Establishing a training program for all staff and contractors
- Section 3.5, which specifies high-level principles for managing and improving the efficiency of ICT operations. Incident and problem management processes should also be established and implemented.
- Section 3.6, which describes ICT project and change management requirements. This includes the acquisition, development, and maintenance of ICT systems and services.
- Section 3.7, which specifies the expectations of business continuity management and developing a response and recovery plan. Financial institutions should have effective crisis communication measures in place.
- Section 3.8, which applies to PSPs only, regarding their payment services. This section provides requirements for managing relationships with payment service users (PSUs), including ensuring transparency.
Financial institutions are advised to refer to leading best practices and existing standards when implementing these guidelines. Implementations should consider:
- Scale and complexity of operations
- Nature of the institution’s activities
- Services the institution provides
- Corresponding ICT and security risks that are related to the processes and services used and provided by the institution
Securing Digital Banking Processes by Aligning Governance, Technology and Security
In demanding times such as the post-COVID era, banks need to follow the path of rapid digitalization without any trade-off with respect to security and data privacy. To accomplish this and to comply with the EBA’s guidelines, governance, technology and security infrastructure need to be aligned throughout the bank’s digital supply chain.
This generally includes:
1. Identifying and prioritizing commercialization opportunities and use cases
2. Selecting potential financial services and service partners
3. Selecting potential (cloud) infrastructures
4. Defining operating models and technology requirements
5. Developing clear paths to implementation
This five-step sequence is not a one-time action plan. Rather, it is likely to be run through regularly in an iterative and agile way, to adapt to rapidly evolving customer requirements.
What are the take-aways for the financial institutions?
Banks that execute well-rounded strategies, aligning digital end-to-end processes with a compliant security infrastructure in an agile way, have good opportunities to create growth that will help them stay competitive in challenging times.
Cryptomathic has been protecting digital banking processes for 35 years, with implementations in many of the leading banks worldwide. The company’s solutions and services fully respond to the EBA’s guidelines in terms of technical features and service offering. They also comply with international banking regulations, namely PCI-DSS, Directive 2015/2366/EU (PSD2) and Directive 2013/36/EU (CRD).
- Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
- EBA/GL/2019/04 FINAL REPORT - EBA Guidelines on ICT and security risk management (29 November 2019), by the European Banking Authority EBA
- BYOK: a Solution for EBA’s New ICT and Security Risk Management Guidelines (2020) by Dawn Turner
- CEN/TC 224 - Trustworthy Systems Supporting Server Signing Part 2: Protection Profile for QSCD for Server Signing (05.2018), by AFNOR
- Conformity assessment of Trust Service Providers - Technical guidelines on trust services (2017), by the European Agency for Cyber Security
- Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, VERSION 3.0 (Jan, 2010), SOG-IS
- Trustworthy Systems Supporting Server Signing Part 2: Protection Profile for QSCD for Server Signing (2019), by CEN/TC 224
- About The Common Criteria (retrieved October 2020), by Common Criteria
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma
- Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010 (12/2013), by the European Parliament and the European Council
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission