
Exploring the EBA's New ICT and Security Risk Management Guidelines


Considering the COVID-19 impact on digitalization, EBA’s updated Guidelines on ICT and Security Risk Assessment will help focus on priority areas, including compliance.

The COVID-19 crisis has forced rapid digitization on many financial institutions, businesses, and agencies, which has significantly increased the risk of ICT and security-related incidents. Because of their interconnectedness, financial institutions are at greater risk of ICT and security-related incidents with the potential for systemic impact. As a result, there is currently an increased focus on implementing the European Banking Authority’s (EBA) recently published Guidelines on ICT and Security Risk Assessment to protect financial transactions and critical customer data from operational and security risks.

The European Banking Authority’s Response

In its new guidelines, the EBA details how financial institutions should manage the ICT and security risks to which they are exposed. The document also aims to give financial institutions a clearer understanding of the supervisory expectations for managing ICT and security risks.

In doing so, EBA’s latest guidance integrates and builds on the requirements previously laid out in its December 2017 EBA/GL/2017/17 “Guidelines on security measures for operational and security risks of payment services.” The latter have been applied since January 2018 to fulfil the mandate put forth in Article 95(3) of Directive 2015/2366/EU (PSD2).

They were originally intended to apply to payment service providers (PSPs) in relation to payments. However, they are also relevant to a wider range of financial institutions. The EBA’s latest guidelines reformulate the former guidelines so that they apply not just to payment services but to financial institutions more broadly, including all activities conducted by credit institutions outside of payment services, and to investment firms.

Addressing Governance, ICT and Security Risks

EBA’s guidelines build on Article 74 of Directive 2013/36/EU (CRD), with the intent to strengthen governance of financial institutions in the increasingly digitized banking processes.

Because of the electronic nature of payment systems, the term “ICT and security risks” refers to the operational and security risks mandate included in the revised Payments Services Directive (PSD2) under Article 95.

The EBA Guidelines base their definition of ICT and security risk on the EBA’s revised common procedures and methodologies for the supervisory review and evaluation process and stress testing.

The guidelines not only include data integrity risk but have been expanded with additional detail clarifying how the impacts of security risks are covered.

The Capital Requirements Directive (CRD) and PSD2 detail how financial institutions should comply in addressing ICT and security risks with the following provisions:

Article 74 of Directive 2013/36/EU (CRD)

With the EBA Guidelines on ICT and Security Risk Management, governance requirements for institutions are strengthened by requiring:

  • Robust governance arrangements
  • A clear organizational structure
  • Consistent, transparent, and well-defined lines of responsibility
  • Effective processes that identify, manage, monitor, and report existing risks and possible risks


Article 95 of Directive 2015/2366/EU (PSD2)

Explicit provisions for managing operational and security risks that PSPs face and the need for appropriate measures for mitigation and mechanisms to manage those risks are addressed in Article 95 of Directive 2015/2366/EU, including:

  • Section 3.1, which recognizes that the guidelines should be scalable in accordance with the size, organizational structure, nature and complexity of operations, scope, and riskiness of the products and services offered by different financial institutions.
  • Section 3.2, which provides guidelines that focus on the management and mitigation of ICT and security risks through sound internal governance and an internal control framework. This guideline requires financial institutions to create an ICT strategy that aligns with their overall business strategy.
  • Section 3.3, which requires financial institutions to use an independent and objective control function to manage and mitigate ICT and security risks. This control function should be appropriately segregated from ICT operations processes.
  • Section 3.4, which establishes requirements for information security in relation to the type of information stored on ICT systems. These requirements include:
    • Having an information security policy
    • Establishing, implementing, and testing information security procedures
    • Establishing a training program for all staff and contractors
  • Section 3.5, which specifies high-level principles for managing and improving the efficiency of ICT operations. Incident and problem management processes should also be established and implemented.
  • Section 3.6, which describes ICT project and change management requirements. This includes the acquisition, development, and maintenance of ICT systems and services.
  • Section 3.7, which specifies the expectations of business continuity management and developing a response and recovery plan. Financial institutions should have effective crisis communication measures in place.
  • Section 3.8, which applies to PSPs only, regarding their payment services. This section provides requirements for managing relationships with payment service users (PSUs), including ensuring transparency.

Financial institutions should refer to leading best practices and existing standards when implementing these guidelines. Implementations should consider:

  • Scale and complexity of operations
  • Nature of the institution’s activities
  • Services the institution provides
  • Corresponding ICT and security risks that are related to the processes and services used and provided by the institution

Securing Digital Banking Processes by Aligning Governance, Technology and Security

In demanding times like the post-COVID era, banks need to follow the path of rapid digitalization without any trade-off in security and data privacy. To accomplish this and to comply with the EBA's guidelines, governance, technology and security infrastructure need to be aligned throughout the bank’s digital supply chain.

Many banks may need to modernize their applications and security infrastructure. They will need to lay out their vision for their digital transformation.

This generally includes:

  1. Identifying and prioritizing commercialization opportunities and use cases
  2. Selecting potential financial services and service partners
  3. Selecting potential (cloud) infrastructures 
  4. Defining operating models and technology requirements
  5. Developing clear paths to implementation

Steps 1 to 5 are not a one-time action plan. They are more likely to be run through regularly, in an iterative and agile way, to adapt to rapidly evolving customer requirements.

What are the take-aways for the financial institutions?

Banks that execute well-rounded strategies, aligning agile digital end-to-end processes with a compliant security infrastructure, have good opportunities to create growth that will help them stay competitive in challenging times.

Cryptomathic has been protecting digital banking processes for 35 years, with implementations in many of the leading banks worldwide. The company’s solutions and services fully respond to the EBA’s guidelines in terms of technical features and service offering. They also comply with international banking regulations, namely PCI-DSS, Directive 2015/2366/EU (PSD2) and Directive 2013/36/EU (CRD).
