On 6 October 2016, the European Banking Authority (EBA) launched a Consultation Paper on the Guidelines on Information and Communication Technology (ICT) Risk Management under the Supervisory Review and Evaluation process (SREP). The draft Guidelines are addressed to competent authorities and aim at promoting common procedures and methodologies for the assessment of ICT risk.
The guidelines are structured around three key areas:
The guidelines supplement the existing (albeit, limited) information in the EBA SREP guidelines on how to assess ICT risk and harmonizing the methodology for doing so. The guidelines are complemented by an ICT risk taxonomy in the annex that includes a list of 5 ICT risk categories with a non-exhaustive list of examples of material ICT risks.
The EBA does not specify whether onsite or offsite inspections are most appropriate to conduct the assessments contained within these guidelines, nor do the guidelines introduce any additional reporting obligation for banks.
These guidelines will be applied proportionally to the size, structure and operational environment of institutions as well as the nature, scale and complexity of their activities. They will be applied in line with the frequency and intensity as per the SREP categorization of institutions.
Findings and scoring will be used as following:
If ICT risk is considered material, it could be assessed and scored individually as a sub-category of Operational Risk.
With regard to the ICT strategy development and implementation, the key elements addressed by these guidelines are:
With regard to the ICT Governance and its inclusion in the risk management framework, supervisors will check whether:
The second important part of the Guidelines aims to identify the material ICT risks to which the institution is or might be exposed, which are mapped into the following ICT risk categories:
For the identified material ICT risks, the Guidelines list the topics that should be reviewed:
IT risk is widely regarded as one of the biggest risks facing the banking sector. KPMG professionals from our ECB Office have been meeting with IT risk management experts, banks and supervisors to discuss the growing importance and increasing complexity of IT risk. Among the key issues, there are two key priorities emerging that need immediate attention in order to bring clarity across the industry and to level the playing field:
Some IT risks can be covered by existing international frameworks and standards but also by national and/or global requirements. Nevertheless, there are inconsistencies, overlaps, gaps and discrepancies between these standards and requirements. For example, cyber risk is a top IT risk for banks and is covered by different and very high level national binding requirements; while at the same time, banks refer to other international standards, such as CobIT, ISO 27001 and ITIL to address this risk.
Many of the existing requirements are very high level guidelines and do not provide concrete implementation or assessment guidance. Complicating the issue further, we have, emerging technologies such as blockchain that present risks that are not covered at all by the existing requirements and standards.
The EBA’s initiative was necessary. These guidelines are very important both for supervisors and banks as they provide supervisors with a common methodology to assess ICT risk by creating a 'same playing field' for all the European countries.
For the banks, these guidelines could be seen as ICT risk management requirements because:
Generally for the assessment of ICT risk all banks have mechanisms and measures in certain forms. However, there are also variations in the current level of practices across banks. While some banks have practices in place that are fully or largely in line with the provisions of the draft guidelines, some banks have work to do to bring their practices in line with the guidance.
Examining the ECB’s expectations around data, technology, and cyber security.