EBA Guidelines on ICT and security risk management – EBA/GL/2019/04 Establishing harmonized requirements for ICT and security risk management across the Single Market



Introduction

On 28 November 2019, the European Banking Authority (EBA) published the Final Report on the Guidelines on ICT and security risk management (EBA/GL/2019/04) to establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of ICT and security risks.

The purpose of the Guidelines is to establish requirements for the management of ICT and security risks, both of which have escalated in recent years due to the increasing digitalization of the financial sector and the growing interconnectedness with other financial institutions and third parties through telecommunication channels.

The Guidelines, which will enter into force on 30 June 2020, set out expectations of how all financial institutions should manage the internal and external ICT and security risks that they may be exposed to.

The Guidelines represent a further step in harmonizing the ICT and security risk management approach in the European Single Market.

The Guidelines include the principles already defined for all Payment Service Providers (PSPs) in the 2017 Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) – EBA/GL/2017/17.

This article is intended for credit institutions, investment firms and payment service providers operating in Luxembourg and will cover the following key questions:

• Why is effective ICT and security risk management important to financial institutions?

• How are the different financial institutions impacted by the Guidelines?

• What are the main principles and domains of the Guidelines?

• How can Deloitte help?


Why is effective ICT and security risk management important to financial institutions?

Failure of ICT systems and services can have dramatic consequences for financial institutions.

Backbone of almost all banking processes and distribution channels

• Given the growing reliance of financial institutions on ICT for their operational functioning, failure of ICT systems and services can have a dramatic impact on financial institutions.

Source of competitive advantage

• Technological innovation plays a crucial role in the banking sector from a strategic standpoint and as a source of competitive advantage. It is a fundamental tool to compete in the financial market with new products as well as through facilitating the restructuring and optimization of the value chain.

Support the automated controls environment

• ICT systems are not only key enablers of institutions’ strategies, forming the backbone of almost all banking processes and distribution channels, but they also support the automated controls environment on which core banking data is based.

Materiality of ICT costs and investments

• ICT systems and services also represent material proportions of institutions’ costs, investments and intangible assets.

ICT (Information and Communication Technology), using the terminology from the EBA Guidelines, but also more commonly known as IT (Information Technology), is a key resource in developing and supporting banking services.

Financial institutions are embracing large-scale digitalization and rely on the use of ICT for processing and analyzing information and reengineering operations.

ICT can be implemented by financial institutions to improve internal processes or to offer innovative services and new functions to customers in order to best serve their ever-increasing expectations and needs.

However, the complexity of adopted technologies, and the continuously growing dependency on them, can itself lead to greater ICT and security related incidents.


In this regard, ICT and security risk management is an essential and integral part of successful enterprise management.

According to the definition provided in the Guidelines, the concept of ICT and security risk implies a risk of loss due to:

• Breach of confidentiality, failure of integrity of systems and data

• Inappropriateness or unavailability of systems and data

• Inability to change information technology within a reasonable time and with reasonable costs when the environment or business requirements change

This includes security risks resulting from:

• Inadequate or failed internal processes

• External events including cyber-attacks

• Inadequate physical security


The concept so defined promotes consistency with an operational risk approach (i.e., risks arising from inadequate or failed internal processes, people and systems or from external events) because, if the risk is realized, it results in a loss.

The correlation with operational risks is further prescribed by the current EBA Supervisory Review and Evaluation Process (SREP) Guidelines. In those Guidelines, intended to promote common procedures and methodologies for the supervisory evaluation process, competent authorities are required to assess ICT and security risk as a sub-category of operational risk.

Indeed, in the broader context of the Capital Requirements Directive IV (CRD IV), ICT and security risk management plays a crucial role in the calibration of the additional capital requirements covering material risks.

The Guidelines also highlight the new role of ICT and security risk management as an accelerator for financial institutions to improve their operational resilience by continuously adapting to the evolution of threats.

Consequently, operational, ICT, information security and more specific risks (i.e. cyber risks) are now directly interrelated, as presented in the taxonomy below.

Taxonomy structure (figure, from the broadest to the most specific category): Operational risk; Information and communication technology risk; Information security risk; Cyber risk.


How are the different financial institutions impacted by the Guidelines?

Article 74 of Directive 2013/36/EU (CRD) mandates the European Banking Authority to harmonize governance, processes and mechanisms of all financial institutions.

Furthermore, the establishment, implementation and monitoring of security aspects for operational risks is derived from a mandate to issue guidelines under Article 95(3) of Directive (EU) 2015/2366 (PSD2).

Both above-mentioned directives support the action plan set forth by the European Commission, due to which the Guidelines on ICT and security risk management have been developed and will be mandatory to comply with as of 30 June 2020.

The Guidelines are intended to help with defining how organizations should comply with the provisions of CRD IV (Directive 2013/36/EU – Article 74) and PSD2 (Directive 2015/2366/EU – Article 95).


When focusing on the scope of the Guidelines, the previous Guidelines in force (EBA/GL/2017/17) are applicable only to Payment Service Providers, for their payment services.

The new Guidelines (EBA/GL/2019/04) are applicable to:

• Credit institutions and investment firms, as defined in the Capital Requirements Regulation (EU) No. 575/2013, applicable to all their services

• Payment Service Providers (PSPs) subject to the revised Payment Service Directive (PSD2), applicable to all their payment services

Timeline (figure, 2018–2022): EBA/GL/2017/17 – PSPs; EBA/GL/2019/04 – PSPs, investment firms and credit institutions.

The Guidelines on security measures for operational and security risks under PSD2 (EBA/GL/2017/17) have been fully integrated in the EBA Guidelines on ICT and security risk management and will be repealed when the latter enter into force.

The Guidelines on ICT and security risk management will repeal the Guidelines on security measures for operational and security risks under PSD2 on 30 June 2020.


What are the main principles and domains of the Guidelines?

The Guidelines are principle-based and outline expectations in the following domains to mitigate ICT and security risks:

• Governance and strategy – Implementation of adequate governance, accountability and the alignment of the ICT strategy with the overall business strategy

• ICT and security risk management framework – Establishment of the ICT and security risk management framework required by the Guidelines, including the performance of regular risk assessments, audit and reporting activities

• Information security – Documentation and development of a comprehensive set of documents and other controls to achieve the implementation of adequate levels of logical and physical security, trainings and constant monitoring

• ICT operations management – Implementation of documented processes to manage ICT operations in a controlled manner, including capacity management, incident management and problem management

• ICT project and change management – Implementation of processes governing and supporting ICT system acquisition, ICT change management and ICT project management

• Business continuity management – Establishment of a sound business continuity management process, including business impact analysis, business continuity planning, and response and recovery planning activities


Complying with the Guidelines will allow financial institutions to develop secure ICT risk management.

Attention should be directed to the key themes and principles introduced in the Guidelines and defined below:

• The implementation of the Guidelines should be done in accordance with the principle of proportionality

• The Guidelines complement and should be read in conjunction with the SREP Guidelines (EBA/GL/2017/05) and the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02)

• The Guidelines do not outline how financial institutions are expected to implement the 3 Lines of Defence model, but they are compatible with the model (and aligned with the EBA Guidelines on internal governance)

• Focus on the responsibilities of the management body and the second line of defence (which usually includes the information security function)

• Cyber risks may require some mitigating measures that differ from traditional information security measures

• Introduction of the new concept of “operational resilience” through business continuity impact analyses


How can Deloitte help?

Deloitte helps organizations to establish and improve their ICT and security risk management practices by supporting companies in:

• Regulatory compliance assessment – gap assessment against the regulatory requirements set forth in the EBA Guidelines on ICT and security risk management

• ICT and security risk management capability enhancement – ICT and security risk management policies and standards, processes, tools and technologies

• ICT and security risk reporting and culture – ICT, business and board ICT and security risk reporting using KRIs to provide visibility to senior management

• ICT and security risk assessment – ICT and security risk assessment in the context of digital initiatives or major ICT changes, tailored to the organizations’ risk profile and integrated into the organizations’ risk management framework

• Readiness ICT and security assessment – simulation of competent authorities’ on-site inspection to test the readiness of companies’ processes and practices towards the regulatory requirements set forth in the EBA Guidelines

Deloitte success stories

• ICT risk management framework – Deloitte tailored a comprehensive ICT risk management program covering definition and implementation of strategy, operating model, policies, management processes, tools, reporting, etc.

• ICT risk assessment – the assistance included the identification and evaluation of ICT risks based on a predefined ICT risk assessment methodology, including applicable EBA Guidelines principles and industry best practices

• ICT risk measurement and monitoring – Deloitte assisted the design and implementation of ICT risk dashboards (and related processes), supporting the organization in the definition of KRI reporting functionalities to senior management

Our approach and methodology

Deloitte has developed a rich suite of proven accelerators and tools, supported by market insights, in order to address ICT risk management challenges. This includes a tested ICT risk management framework, comprehensive ICT risk and control catalogs aligned with the latest regulatory requirements and standards, and more.


Deloitte Luxembourg
20 Boulevard de Kockelscheuer
L-1821 Luxembourg
Grand Duchy of Luxembourg

Tel.: +352 451 451
www.deloitte.lu

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 286,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2020 Deloitte Tax & Consulting.

Contacts

Roland Bastin, Partner – Risk Advisory, +352 451 452 [email protected]

Irina Gabriela Hedea, Partner – Risk Advisory, +352 451 452 [email protected]

Frederic de Pauw, Senior Manager – Risk Advisory, +352 451 454 383 [email protected]

Stéphane Hurtaud, Partner – Risk Advisory, +352 451 454 [email protected]

Onur Ozdemir, Director – Risk Advisory, +352 451 452 [email protected]

Francesco Martini, Senior Manager – Risk Advisory, +352 451 454 [email protected]