Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP)


Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP)

Executive Summary

These Guidelines are addressed to competent authorities and are intended to promote common procedures and methodologies for the assessment of the Information and Communication Technology (ICT) risk under the supervisory review and evaluation process (SREP), referred to in Article 97 of Directive 2013/36/EU1. In particular, these Guidelines drawn up pursuant to Article 107(3) of Directive 2013/36/EU, supplement and further specify criteria for the assessment of ICT risk as part of operational risk put forward in the EBA Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP)2 (from here on ‘EBA SREP Guidelines’). These Guidelines form an integral part of the EBA SREP Guidelines and should be read and applied along with it.
These Guidelines set out the requirements competent authorities should apply in their assessment of ICT focusing on the general provisions and application of scoring as part of the SREP assessment of risks to capital (Title 1), assessment of institutions’ governance and strategy on ICT (Title 2); and assessment of institutions’ ICT risk exposures and controls (Title 3). In particular, Title 1 of these Guidelines explains how the assessment of ICT risk contributes to the overall SREP assessment of an institution, noting that the assessment of ICT risk would contribute (1) to the assessment of operational risk, which is assessed as part of the assessment of risks to capital (Title 6 of the EBA SREP Guidelines), (2) the assessment of institutions’ governance and strategy on ICT would feed into the assessment of internal governance and institution-wide controls under Title 5 of the EBA SREP Guidelines, and (3) the assessment of all aspects of ICT covered by these Guidelines would also inform the business model analysis performed in accordance with Title 4 of the EBA SREP Guidelines. It is noted that whilst generally competent authorities would assess sub-categories of risks as part of the main categories (i.e. ICT risk will be assessed as part of operational risk), where competent authorities deem some categories material, they may assess such sub-categories on an individual basis. To this end, where ICT risk is identified as a material risk by the competent authority, these Guidelines also provide a scoring table that should be used to provide a stand-alone sub-category score for ICT risk following the overall approach to scoring the risks to capital in the EBA SREP Guidelines. Title 2, on the assessment of the institution’s governance and strategy on ICT covers how the institution’s overall internal governance and institution wide controls address ICT specifically ensuring adequate knowledge and understanding at the management body level, as well as assessing the institution’s ICT strategy from the perspective of both the governance of the ICT strategy and its alignment with, and impact on, the institution’s business model. The assessment of the alignment between the ICT strategy and the business strategy is included in these Guidelines because of the strong links between the two.

The assessment of ICT risk and the controls in place as a ‘risk to capital’ under Title 3 broadly follows the same structure of the EBA SREP Guidelines assessment of operational risk in that it starts by assessing the risk exposure, then the effectiveness of controls in order to complete the assessment and to be able to feed into the findings and score of operational risk where ICT risk was already included in the EBA SREP Guidelines (Table 6 of the EBA SREP Guidelines). When applying these Guidelines competent authorities should consider the principle of proportionality, in particular the depth and detail of the ICT risk assessment should be proportionate to the size, structure and operational environment of the institution as well as the nature, scale and complexity of its activities. These Guidelines are complemented by an ICT risk taxonomy in the annex which includes ICT risk categories specified in these Guidelines with a non-exhaustive list of examples of material ICT risks which competent authorities should reflect on as part of the assessment under Title 3 of these Guidelines. The EBA has held a public consultation on these Guidelines, and the text has been amended to reflect the outcomes of the consultation. The detailed analysis of the feedback received and the EBA response is provided in this final report.

Background and rationale

Information and communication technology (ICT) play and important role in the functioning of institutions, and the risks associated with ICT may pose significant prudential impact and even threaten the viability of an institution. Under the current EBA SREP Guidelines competent authorities are required to assess ICT risk as a sub-category of operational risk and the EBA SREP Guidelines provide broad criteria that competent authorities should consider in their assessments.
ICT, using the terminology from the EBA SREP Guidelines but also more commonly known as IT (Information Technology), is a key resource in developing and supporting banking services; ICT systems are not only key enablers of institutions’ strategies, forming the backbone of almost all banking processes and distribution channels, but they also support the automated controls environment on which core banking data is based. ICT systems and services also represent material proportions of institutions’ costs, investments and intangible assets. Furthermore, technological innovation plays a crucial role in the banking sector from a strategic standpoint, as a source of competitive advantage, as it is a fundamental tool to compete in the financial market with new products as well as through facilitating the restructuring and optimisation of the value chain. As a result of the increasing importance of ICT in the banking industry, some recent trends include:
a. the emergence of (new) cyber risks together with the increased potential for cybercrime and the appearance of cyber terrorism; and b. the increasing reliance on outsourced ICT services and third party products, often in the form of diverse packaged solutions resulting in manifold dependencies and potential constraints and new concentration risks.

In view of the growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions, the EBA has developed this additional guidance to assist the competent authorities in their assessment of ICT risk as part of the SREP.
These Guidelines build on existing references to ICT risk in the SREP Guidelines and also feed into the SREP methodology more generally, whilst setting out the requirements competent authorities should apply in their assessment of ICT focusing on the general provisions and application of scoring as part of the SREP assessment of risks to capital (Title 1), assessment of institutions’ governance and strategy on ICT (Title 2); and assessment of institutions’ ICT risk exposures and controls (Title 3).
Acknowledging the growing importance of ICT systems and hence the increasing potential prudential impact from their failures on an institution and on the sector as a whole (in particular due to interlinkages between the institutions also in the cross-border context), and taking into account the technical specificities of ICT risk assessments and the objective to increase convergence of supervisory practices in the ICT supervisory risks assessments within the EEA, these Guidelines provide guidance to supervisors for assessing ICT risk in institutions.

Competent authorities should perform the assessment of ICT risk and the governance arrangement and ICT strategy as part of the SREP process following the minimum engagement model and proportionality criteria specified in Title 2 of the EBA SREP Guidelines. In particular, this means that:
a. the frequency of the ICT risk assessment would depend on the minimum engagement model driven by the SREP category an institution is assigned to and its specific supervisory examination programme; and
b. the depth, detail and intensity of the ICT assessment should be proportionate to the size, structure and operational environment of the institution as well as the nature, scale and complexity of its activities. These Guidelines mainly feed into and complement the existing ICT risk assessment component of the EBA SREP Guidelines, under operational risk (Section 6.4). Recognising the need for ICT to also be taken into account in an institution’s internal governance and institution-wide controls, these Guidelines additionally include references to what competent authorities should assess with regard to management of ICT risks at senior management level and management body level. This feeds into the assessment of an institution’s internal governance and institution-wide controls as specified in Title 5 of the EBA SREP Guidelines. Furthermore, these Guidelines also include guidance on the assessment of an institution’s ICT strategy and the alignment with the institution’s business strategy which should inform institutions’ the business model analysis performed in accordance with Title 4 of the EBA SREP Guidelines.
These Guidelines are aimed at addressing risks arising to market integrity and the viability of institutions from ICT. The Guidelines do not therefore explicitly address ICT risks arising to consumers, although the EBA would expect that beneficial effects will materialise indirectly, as a result of the comprehensive assessment of ICT risks as set out in the Guidelines. The focus of these Guidelines is on the ICT dimensions of the risk management processes covered in these Guidelines and not the business aspects. Like the EBA SREP Guidelines, these Guidelines do not specify whether onsite or offsite inspections are most appropriate to conduct the assessments contained within these Guidelines. This is left to competent authorities to decide what is the most efficient and effective manner to be able to complete the assessment for each institution taking into account the need for proportionality and allowing for discretion and judgment of the competent authorities given the specific features of national banking systems. These Guidelines do not introduce additional reporting obligations and assume that the assessments specified in the Guidelines are made on the basis of information already being collected or readily available information at the institution to which the competent authority has an easy and sufficient access, and/or already collected information by the competent authority in accordance with the Commission Implementing Regulation (EU) No 680/2014 on supervisory reporting3. However, where necessary, competent authorities should be able to request additional information from the institution.

 

General provisions

  •  Competent authorities should perform the assessment of ICT risk and the governance arrangement and ICT strategy as part of the SREP process following the minimum engagement model and proportionality criteria specified in Title 2 of the EBA SREP Guidelines. In particular, this means that:
    a. the frequency of the ICT risk assessment would depend on the minimum engagement model driven by the SREP category an institution is assigned to and its specific supervisory examination programme; and
    b. the depth, detail and intensity of ICT assessment should be proportionate to the size, structure and operational environment of the institution as well as the nature, scale and complexity of its activities.
    11. The principle of proportionality applies throughout these Guidelines to the scope, frequency and intensity of supervisory engagement and dialogue with an institution and supervisory expectations of the standards the institution should meet.
  • Competent authorities may rely on and take into consideration work already undertaken by the institution or by the competent authority in the context of the assessments of other risks or SREP elements in order to have an update of the assessment. Specifically, in conducting the assessments specified in these Guidelines competent authorities should select the most appropriate supervisory assessment approach and methodology that is best suited and proportionate to the institution and competent authorities should use existing and available documentation (e.g. relevant reports and other documents, meetings with (risk) management, on-site inspection findings) to inform the competent authorities’ assessment.
  •  Competent authorities should summarise the findings of their assessments of the criteria specified in these Guidelines and use them for the purposes of reaching conclusions on the assessment of the SREP elements as specified in the EBA SREP Guidelines.
    14. In particular, the assessment of governance and ICT strategy performed in accordance with Title 2 of these Guidelines should result in findings that inform the summary of findings of the assessment of internal governance and institution-wide controls element of SREP as specified in Title 5 of the EBA SREP Guidelines and be reflected the respective scoring of that SREP element. Furthermore, competent authorities should consider that any significant adverse impact of the ICT strategy assessment on the institution’s business strategy or any concerns that the institution may not have sufficient ICT resources and ICT capabilities to perform and support important planned strategic changes should inform the business model analysis performed in accordance with Title 4 of the EBA SREP Guidelines.
  • The outcome of the assessment of ICT risk as specified in Title 3 of these Guidelines should inform the findings of the assessment of operational risk and should be considered as informing the relevant score as specified in in Title 6.4 of the EBA SREP Guidelines.
  • It is noted that whilst generally competent authorities should assess sub-categories of risks as part of the main categories (i.e. ICT risk will be assessed as part of operational risk), where competent authorities deem some sub-categories material, they may assess such sub-categories on an individual basis. To this end, should ICT risk be identified as a material risk by the competent authority, these Guidelines also provide a scoring table (Table 1) that should be used to provide a stand-alone subcategory score for ICT risk following the overall approach to scoring the risks to capital in the EBA SREP Guidelines.
  • To reach a view on whether ICT risk should be considered as material and therefore the possibility for ICT risk to be assessed and scored as an individual sub-category of operational risk, competent authorities may use the criteria specified in Section 6.1 of the EBA SREP Guidelines.
  • When applying these Guidelines competent authorities should, where relevant, consider the nonexhaustive list of ICT risk sub-categories and risk scenarios as set out in the Annex, noting that the Annex focusses on ICT risks that may result in high severity losses. Competent authorities may exclude some of the ICT risks included in the taxonomy if not pertinent to their assessment. Institutions are expected to maintain their own risk taxonomies rather than using the ICT risk taxonomy set out in the Annex.
  • Where these Guidelines are applied in relation to cross-border banking groups and their entities, and a college of supervisors has been established, competent authorities involved should, in the context of their cooperation for the SREP assessment in accordance with Section 11.1 of the EBA SREP Guidelines, coordinate to the maximum extent possible the exact and detailed scope of each information item consistently for all group entities.

Assessment of institutions’ governance and strategy on ICT

General principles

  •  Competent authorities should assess whether the institution’s general governance and internal control framework duly cover the ICT systems and related risks and if the management body adequately addresses and manages these aspects, as ICT is integral to the proper functioning of an institution.
  • In conducting this assessment, competent authorities should refer to the requirements and standards of good internal governance and risk control arrangements as specified in the EBA Guidelines on Internal Governance (GL 44)7 and international guidance in this field to the extent these are applicable given the specificity of ICT systems and risks.
  •  The assessment in this Title does not cover the specific elements of the ICT system governance, risk management and controls that are focused on managing specific ICT risks addressed under Title 3 of these Guidelines, but focuses on the following areas: a. ICT strategy – whether the institution has an ICT strategy that is adequately governed and is in line with the institution’s business strategy; b. overall internal governance– whether the institution’s overall internal governance arrangements are adequate in relation to the institution’s ICT systems; and
  •  ICT risk in the institution’s Risk management framework –whether the institution’s risk management and internal control framework adequately safeguards the institution’s ICT systems.
  • Point a) referred to in paragraph 22, while providing information about elements of the institution’s governance, should mainly feed into the assessment of the business model addressed under Title 4 of the EBA SREP Guidelines. Points b) and c) further complement assessments of topics covered by Title 5 of the EBA SREP Guidelines and the assessment described in these Guidelines should feed into the respective assessment under Title 5 of the EBA SREP Guidelines.
  •  The outcome of this assessment should inform, where relevant, the assessment of risk management and controls in Title 3 of these Guidelines.

ICT strategy

Under this section competent authorities should assess whether the institution has an ICT strategy in place: that is subject to adequate oversight from the institution’s management body; that is consistent with the business strategy, particularly for keeping its ICT up-to-date and planning or implementing important and complex ICT changes; and that supports the institution’s business model.

ICT strategy development and adequacy

Competent authorities should assess whether the institution has a framework in place, proportionate to the nature, scale and complexity of its ICT activities, for the preparation and development of the institution’s ICT strategy. In conducting this assessment competent authorities should take into account whether:

a. the senior management of the business line(s) is adequately involved in the definition of the institution’s strategic ICT priorities and that, in turn, senior management of the ICT function is aware of the development, design and initiation of major business strategies and initiatives to ensure the continued alignment between ICT systems, ICT services and the ICT function (i.e. those responsible for the management and deployment of these systems and services), and the institution’s business strategy, and that ICT are effectively up-dated;

b. the ICT strategy is documented and supported by concrete implementation plans, in particular regarding the important milestones and resource planning (including financial and human resources) to ensure that they are realistic and enable the delivery of the ICT strategy

c. the institution periodically updates its ICT strategy, in particular when changing the business strategy, to ensure continued alignment between the ICT and business medium-term to longterm objectives, plans and activities; and

d. the institution’s management body approves the ICT strategy, implementation plans and monitors its implementation

ICT strategy implementation

If the institution’s ICT strategy requires the implementation of important and complex ICT changes, or changes with material implications for the institution’s business model, competent authorities should assess whether the institution has a control framework in place, appropriate to its size, its ICT activities as well as the level of change activities, to support the effective implementation of the institution’s ICT strategy. In conducting this assessment competent authorities should take into account whether the control framework:

a. includes governance processes (e.g. progress and budget monitoring and reporting) and relevant bodies (e.g. a project management office (PMO), an ICT steering group or equivalent) to effectively support the implementation of the ICT strategic programmes;

b. has defined and allocated the roles and responsibilities for the implementation of ICT strategic programmes, paying particular attention to the experience of key stakeholders in organising, steering and monitoring important and complex ICT changes and the management of the wider organisational and human impacts (e.g. managing resistance to change, training, communication).

c. engages the independent control and internal audit functions to provide assurance that the risks associated with ICT strategy implementation have been identified, assessed and effectively mitigated and that the governance framework in place to implement the ICT strategy is effective; and

d. contains a planning and planning review process that provides flexibility to respond to important identified issues (e.g. encountered implementation problems or delays) or external developments (e.g. important changes in the business environment, technological issues or innovations) to ensure a timely adaptation of the strategic implementation plan.

Overall internal governance

In accordance with Title 5 of the EBA SREP Guidelines, competent authorities should assess whether the institution has an appropriate and transparent corporate structure that is ‘fit for purpose’, and has implemented appropriate governance arrangements. With specific regard to ICT systems and in line with the EBA Guidelines on internal governance, this assessment should include an assessment of whether the institution demonstrates:

a. a robust and transparent organisational structure with clear responsibilities on ICT, including the management body and its committees and that key responsible persons for ICT (e.g. chief information officer ‘CIO’, chief operating officer ‘COO’ or equivalent role) have adequate indirect or direct access to the management body, to ensure that important ICT-related information or issues are adequately reported, discussed and decided upon at the level of the management body; and

b. that the management body knows and addresses the risks associated with the ICT;

 

Further to section 5.2 of the EBA SREP Guidelines, competent authorities should assess whether the institution’s ICT outsourcing policy and strategy considers, where relevant, the impact of ICT outsourcing on the institution’s business and business model.

 

ICT risk in the institution’s risk management framework 

In assessing the institution’s institution-wide risk management and internal controls, as provided by Title 5 of the EBA SREP Guidelines, competent authorities should consider whether the institution’s risk management and internal control framework adequately safeguards the institution’s ICT systems in a way which is commensurate to the size and activities of the institution and its ICT risk profile as defined in Title 3. In particular, competent authorities should determine whether:

  • a. the risk appetite and the ICAAP cover the ICT risks, as part of the broader operational risk category, for the definition of the overall risk strategy and determination of internal capital; and b. the ICT risks are within the scope of institution-wide risk management and internal control frameworks.
    Competent authorities should conduct the assessment under point (a) above having regard to both expected and adverse scenarios, e.g. scenarios included in the institution-specific or supervisory stress test.
  • With specific regard to b), competent authorities should assess whether the independent control and internal audit functions, as detailed in paragraphs 104 (a), 104 (d), 105 (a) and 105 (c) of the EBA SREP Guidelines, are appropriate to ensure a sufficient level of independence between the ICT and the control and audit functions, given the size and ICT risk profile of the institution.
  • Competent authorities should conduct the assessment under point (a) above having regard to both expected and adverse scenarios, e.g. scenarios included in the institution-specific or supervisory stress test.
  • With specific regard to b), competent authorities should assess whether the independent control and internal audit functions, as detailed in paragraphs 104 (a), 104 (d), 105 (a) and 105 (c) of the EBA SREP Guidelines, are appropriate to ensure a sufficient level of independence between the ICT and the control and audit functions, given the size and ICT risk profile of the institution.

Summary of findings

  • These results should be reflected in the summary of findings under Title 5 of the EBA SREP Guidelines and should form part of the respective scoring in line with the considerations in Table 3 of the EBA SREP Guidelines.
  • For the assessment of ICT strategy, the following points should be considered in concluding the above assessment: a. if competent authorities come to the conclusion that the institution’s governance framework is inadequate for developing and implementing the institution’s ICT strategy under 2.2 then this should inform the assessment of the institution’s internal governance in Title 5 of the EBA SREP Guidelines under point 87 (a); b. if competent authorities come to the conclusion from the above assessments under 2.2 that there would be a significant misalignment between the ICT strategy and the business strategy that may have a significant adverse impact of the institution’s long term business and/or financial objectives, the institution’s sustainability and/or business model, or the institution’s business areas/lines which have been determined as most material in paragraph 62 (a) of the EBA SREP Guidelines, then this should inform the business model assessment of Title 4 of the SREP GL under points 70 (b) and 70 (c); and
  • if competent authorities come to the conclusion from the above assessments under 2.2 that the institution may not have sufficient ICT resources and ICT implementation capabilities to perform and support important planned strategic changes this should inform the business model assessment of Title 4 of the EBA SREP Guidelines under point 70 (b).

Assessment of institutions’ ICT risks exposures and controls

General considerations

  • Competent authorities should assess whether the institution has properly identified, assessed and mitigated its ICT risks. This process should be part of the operational risk management framework and congruent to the approach applying to operational risk.
  • Competent authorities should first identify the material inherent ICT risks to which the institution is or might be exposed, followed by an assessment of the effectiveness of the institution’s ICT risks’ management framework, procedures and controls to mitigate these risks. The outcome of the assessment should be reflected in a summary of findings which feeds into the operational risk score in the SREP Guidelines. Where ICT risk is deemed to be material and competent authorities want to assign an individual score then Table 1 should be used to assign a score as a sub-risk of operational risk.
  •  When performing the assessment under this Title, competent authorities should use all available information sources as set out in paragraph 127 of Title 6 of the EBA SREP Guidelines e.g. institution’s risk management activities, reporting and outcomes, as a basis for the identification of their supervisory assessment priorities. Competent authorities should also use other sources of information to conduct this assessment, including the following where relevant: a. ICT risk and controls self-assessments (if provided in the ICAAP information);
  • ICT risk related Management Information (MI) submitted to the institution’s management body, e.g. periodic and incident driven ICT risk reporting (including in the operational loss database), ICT risk exposure data from the institution’s risk management function;
  • c. ICT related internal and external audit findings reported to the institution’s audit committee.

Identification of material ICT risks

Competent authorities should identify the material ICT risks to which the institution is or might be exposed following the steps below.

Review of the institution’s ICT risk profile

When reviewing the institution’s ICT risk profile, competent authorities should consider all relevant information about the institution’s ICT risk exposures, including the information under paragraph 37 and the identified material deficiencies or weaknesses in the ICT organisation and institution –wide controls under Title 2 of these Guidelines, and where relevant review this information in a proportionate manner. As part of this review, competent authorities should consider:

a. the potential impact of a significant disruption on the institution’s ICT systems on the financial system either at domestic or international level;

b. whether the institution may be subject to ICT security risks or ICT availability and continuity risks due to internet dependencies, high adoption of innovative ICT solutions or other business distribution channels that may make it a more likely target for cyber-attacks;

c.whether the institution may be more exposed to ICT security risks, ICT availability and continuity risks, ICT data integrity risks or ICT change risks due to the complexity (e.g. as a result of mergers or acquisitions) or outdated nature of its ICT systems;

d. whether the institution is implementing material changes to its ICT systems and/or ICT function (e.g. as a result of mergers, acquisitions, divestments or the replacement of its core ICT systems), which may adversely impact the stability or orderly functioning of the ICT systems and can result in material ICT availability and continuity risks, ICT security risks, ICT change risks or ICT data integrity risks;

e. whether the institution has outsourced ICT services or ICT systems within or outside the group that may expose it to material ICT outsourcing risks;

f. whether the institution is implementing aggressive ICT cost cutting measures which may lead to the reduction of needed ICT investments, resources and IT expertise and can increase the exposure to all the ICT risks types in the taxonomy;

g. whether the location of important ICT operations/data centres (e.g. regions, countries) may expose the institution to natural disasters (e.g. flooding, earthquakes), political instability or labour conflicts and civil disturbances which can lead to a material increase of ICT availability and continuity risks and ICT security risk

Review of the critical ICT systems and services 

  • As part of the process to identify the ICT risks with a potential significant prudential impact on the institution, competent authorities should review documentation from the institution and form an opinion on which ICT systems and services are critical for the adequate functioning, availability, continuity and security of the institution’s essential activities.
  • To this end, competent authorities should review the methodology and processes applied by the institution to identify the ICT systems and services that are critical, taking into consideration that some ICT systems and services may be considered critical by the institution from a business continuity and availability perspective, a security (e.g. fraud prevention) and/or a confidentiality perspective (e.g. confidential data). When performing the review, competent authorities should conduct their review taking into consideration that critical ICT systems and services should fulfil at least one of the following conditions:
  • a. they support the core business operations and distribution channels (e.g. ATMs, internet and mobile banking) of the institution;
  • b. they support essential governance processes and corporate functions, including risk management (e.g. risk management and treasury management systems);
  • c. they fall under special legal or regulatory requirements (if any) that impose heightened availability, resilience, confidentiality or security requirements (e.g. data protection legislation or possible ‘Recovery Time Objectives’ (RTO, the maximum time within which a system or process must be restored after an incident) and ‘Recovery Point Objective’ (RPO, the maximum time period during which data can be lost in case of an incident)) for some systemically important services (if and where applicable));
  • d. they process or store confidential or sensitive data to which unauthorised access could significantly impact the institution’s reputation, financial results or the soundness and continuity of its business (e.g. databases with sensitive customer data); and/or
  • e. they provide base line functionalities that are vital for the adequate functioning of the institution (e.g. telecom and connectivity services, ICT and cyber security services).

Identification of material ICT risks to critical ICT Systems and Services

  • Taking into account the performed reviews of the institution’s ICT risk profile and critical ICT systems and services above, competent authorities should form an opinion on the material ICT risks that, in their supervisory judgement, can have a significant prudential impact on the institution’s critical ICT systems and services.
  • When assessing the potential impact of ICT risks on the critical ICT systems and services of an institution, competent authorities should consider:
  • a. The financial impact, including (but not limited to) loss of funds or assets, potential customer compensation, legal and remediation costs, contractual damages, lost revenue;
  • b. The potential for business disruption, considering (but not limited to) the criticality of the financial services affected; the number of customers and/or branches and employees potentially affected;
  • c. The potential reputational impact on the institution based on the criticality of the banking service or operational activity affected (e.g. theft of customer data); the external profile/visibility of the ICT systems and services affected (e.g. mobile or on-line banking systems, point of sale, ATMs or payment systems);
  • d. The regulatory impact, including the potential for public censure by the regulator, fines or even variation of permissions.
  • e. The strategic impact on the institution, for example if strategic product or business plans are compromised or stolen.
  • Competent authorities should then map the identified ICT risks that are considered material into the following ICT risk categories for which additional risk descriptions and examples are provided in the Annex. Competent authorities should reflect on the ICT risks in the Annex as part of the assessment under Title 3: a. ICT availability and continuity risk b. ICT security risk c. ICT change risk d. ICT data integrity risk e. ICT outsourcing risk
    The mapping is to assist competent authorities in determining which risks are material (if any) and therefore should be subject to a closer and/or deeper review in the following assessment steps.

Assessment of the controls to mitigate material ICT risks

  • To assess the institution’s residual ICT risk exposure, competent authorities should review how the institution identifies, monitors, assesses and mitigates the material risks identified by the competent authorities in the assessment above.
  • To this end, for the identified material ICT risks, competent authorities should review the applicable: a. ICT risk management policy, processes and risk tolerance thresholds; b. Organisational management and oversight framework; c. Internal audit coverage and findings; and d. ICT risk controls that are specific for the identified material ICT risk.
  • The assessment should take into account the outcome of the analysis of the overall risk management and internal control framework as referred to in Title 5 of the EBA SREP Guidelines, as well as the institution’s governance and strategy addressed in Title 2 of these Guidelines, as significant deficiencies identified in these areas may influence the ability of the institution to manage and mitigate its ICT risk exposures. Where relevant, competent authorities should also make use of information sources in paragraph 37 of these Guidelines.
  • Competent authorities should perform the following assessment steps in a manner that is proportionate to the nature, scale and complexity of the institution’s activities and by applying a supervisory review that is appropriate to the institution’s ICT risk profile.

ICT risk management policy, processes and tolerance thresholds

Competent authorities should review whether the institution has appropriate risk management policies, processes and tolerance thresholds in place for the identified material ICT risks. These can be a part of the operational risk management framework or a separate document. For this assessment competent authorities should take into account whether:

a. the risk management policy is formalised and approved by the management body and contains sufficient guidance on the institution’s ICT risk appetite, and on the main pursued ICT risk management objectives and/or applied ICT risk tolerance thresholds. The relevant ICT risk management policy should also be communicated to all relevant stakeholders;

b. the applicable policy covers all significant elements for the risk management of the identified material ICT risks;

c. the institution has implemented a process and underlying procedures for the identification (e.g. ‘risk control self-assessments’ (RCSA), risk scenario analysis) and monitoring of the involved material ICT risks; and

d. the institution has an ICT risk management reporting in place that provides timely information to senior management and the management body, and which allows senior management and/or the management body to assess and monitor whether the institution´s ICT risk mitigation plans and measures are consistent with the approved risk appetite and/or tolerance thresholds (where relevant) and to monitor changes of material ICT risks.

Organisational management and oversight framework

  • Competent authorities should assess how the applicable risk management roles and responsibilities are embedded and integrated in the internal organisation to manage and oversee the identified material ICT risks. In this regard competent authorities should assess whether the institution demonstrates:
  • a. clear roles and responsibilities for the identification, assessment, monitoring, mitigation, reporting and oversight of the involved material ICT risk;
  • b. that the risk responsibilities and roles are clearly communicated, allocated and embedded in all relevant parts (e.g. business lines, IT) and processes of the organisation, including the roles and responsibilities for gathering and aggregating the risk information and reporting it to senior management and/or the management body;
  • c. that the ICT risk management activities are performed with sufficient and qualitatively appropriate human and technical resources. To assess the credibility of the applicable risk mitigation plans, competent authorities should also assess whether the institution has allocated sufficient financial budgets and/or other required resources for their implementation;
  • d. an adequate follow-up and response of the management body regarding important findings from the independent control functions regarding the ICT risk(s), taking into account the possible delegation of some aspects to a committee, where this exists; and
  • e. that exceptions from applicable ICT regulations and policies are recorded and subject to a documented review and reporting by the independent control function with a focus on the related risks.

Internal audit coverage and findings

Competent authorities should consider whether the Internal Audit Function is effective with regards to auditing the applicable ICT risk control framework, by reviewing whether:

a. the ICT risk control framework is audited with the required quality, depth and frequency and commensurate with the size, activities and the ICT risk profile of the institution;

b. the audit plan includes audits on the critical ICT risks identified by the institution; c. the important ICT audit findings, including agreed actions, are reported to the management body; and

d. ICT audit findings, including agreed actions, are followed up and progress reports periodically reviewed by the senior management and/or the audit committee.

ICT risk controls that are specific for the identified material ICT risks

  • For the identified material ICT risks, competent authorities should assess whether the institution has specific controls in place to address these risks. The following sections provide a non-exhaustive list of the specific controls to be considered when assessing the material risks identified under point 3.2.3 that were mapped to the following ICT risk categories:
  • a. ICT availability and continuity risks;
  • b. ICT security risks;
  • c. ICT change risks;
  • d. ICT data integrity risks;
  • e. ICT outsourcing risks.

Controls for managing material ICT availability and continuity risks

  • In addition to the requirements in the EBA SREP Guidelines (para 279 – 281) competent authorities should assess whether the institution has an appropriate framework in place for identifying, understanding, measuring and mitigating ICT availability and continuity risks.
  • For this assessment, competent authorities should, in particular, take into account whether the framework:
    a. identifies the critical ICT processes and the relevant supporting ICT systems that should be part of the business resilience and continuity plans with:
  • a comprehensive analysis of dependencies between the critical business processes and supporting systems; ii. determination of recovery objectives for the supporting ICT systems (e.g. typically determined by the business and/or regulations in terms of RTO and RPO);
  • appropriate contingency planning to enable the availability, continuity, and recovery of critical ICT systems and services to minimize disruption to an institution’s operations within acceptable limits.
  • has business resilience, continuity control environment policies and standards and operational controls which include:
  • Measures to avoid that a single scenario, incident or disaster might impact both ICT production and recovery systems;
  • ICT system backup and recovery procedures for critical software and data, that ensure that these backups are stored in a secure and sufficiently remote location, so that an incident or disaster cannot destroy or corrupt these critical data; iii. monitoring solutions for the timely detection of ICT availability or continuity incidents;
  • iv. a documented incident management and escalation process, that also provides guidance on the different incident management and escalation roles and responsibilities, the members of the crisis committee(s) and the chain of command in case of emergency;
  • physical measures to both protect the institution’s critical ICT infrastructure (e.g. data centres) from environmental risks (e.g. flooding and other natural disasters) and ensure an appropriate operating environment for ICT systems (e.g. air conditioning);
  • processes, roles and responsibilities to ensure that also outsourced ICT systems and services are covered by adequate business resilience and continuity solutions and plans;
  •  ICT performance and capacity planning and monitoring solutions for critical ICT systems and services with defined availability requirements, to detect important performance and capacity constraints in a timely manner;
  •  solutions to protect critical internet activities or services (e.g. e-banking services), where necessary and appropriate, against denial of service and other cyber-attacks from the internet, aimed at preventing or disturbing access to these activities and services.
  •  tests ICT availability and continuity solutions, against a range of realistic scenarios including cyberattacks, fail-over tests and tests of back-ups for critical software and data which:
  •  are planned, formalised and documented, and the test results used to strengthen the effectiveness of the ICT availability and continuity solutions;
  • include stakeholders and functions within the organisation, such as business line management including business continuity, incident and crisis response teams, as well as relevant external stakeholders in the ecosystem;
  • management body and senior management are appropriately involved in (e.g. as part of crisis management teams) and are informed of test results.
  • Controls for managing material ICT security risks 55. Competent authorities should assess whether the institution has an effective framework in place for identifying, understanding, measuring and mitigating ICT security risk. For this assessment competent authorities should, in particular, take into account whether the framework considers:
  • clearly defined roles and responsibilities regarding:
  • the person(s) and/or committees that are responsible and/or accountable for the day to day ICT security management and the elaboration of the overarching ICT security policies, with attention for their needed independence;
  • the design, implementation, management and monitoring of ICT security controls;
  • the protection of critical ICT systems and services by adopting for example a vulnerability assessment process, software patch management, end point protection (e.g. malware virus), Intrusion detection and prevention tools;
  • the monitoring, classification and handling of external or internal ICT security incidents; including incident response and the resumption and recovery of the ICT systems and services;
  • regular and proactive threat assessments to maintain appropriate security controls.

b. an ICT security policy that takes into consideration and, where appropriate, adheres to internationally recognised ICT security standards and security principles (e.g. the ‘principle of least privilege’ i.e. limiting access to the minimal level that will allow normal functioning for access right management and the principle of “defence in depth” i.e. layered security mechanisms increase security of the system as a whole for designing a security architecture); c. a process to identify ICT systems, services and commensurate security requirements reflecting potential fraud risk and/or possible misuses and/or abuses of confidential data along with documented security expectations to be adhered to for these identified ICT systems, services and data, aligned with the institution’s risk tolerance and monitored for their correct implementation;

d. a documented security incident management and escalation process, that provides guidance on the different incident management and escalation roles and responsibilities, the members of the crisis committee(s) and the chain of command in case of security emergencies;

e. user and administrative activity logging to enable effective monitoring and the timely detection and response to unauthorised activity; to assist in or to conduct forensic investigations of security incidents. The institution should have in place logging policies that define appropriate types of logs to be maintained and their retention period;

f. awareness and information campaigns or initiatives to inform all levels in the institution on the safe use and protection of the institution’s ICT systems and the main ICT security (and other) risks they should be aware of, in particular regarding the existing and evolving cyber threats (e.g. computer viruses, possible internal or external abuses or attacks, cyber-attacks) and their role in mitigating security breaches;

g. adequate physical security measures (e.g. CCTV, burglar alarm, security doors) to prevent unauthorised physical access to critical and sensitive ICT systems (e.g. data centres);

h. measures to protect the ICT systems from attacks from the Internet (i.e. cyber-attacks) or other external networks (e.g. traditional telecom connections or connections with trusted partners). Competent authorities should review whether the institution’s framework considers

i. a process and solutions to maintain a complete and up to date inventory and overview of all the outward facing network connection points (e.g. websites, internet applications, WIFI, remote access) through which third parties could break into the internal ICT systems.

ii. closely managed and monitored security measures (e.g. firewalls, proxy servers, mail relays, antivirus and content scanners) to secure the incoming and outgoing network traffic (e.g. email) and the outward facing network connections through which third parties could break into the internal ICT systems;

iii. processes and solutions to secure websites and applications that can be directly attacked from the internet and/or the outside, that can serve as an entry point into the internal ICT systems. In general these include a combination of recognised secure development practices, ICT system hardening and vulnerability scanning practices, and/or the implementation of additional security solutions like for example application firewalls and/or intrusion detection (IDS) and/or intrusion prevention (IPS) systems;

iv. periodic security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. These tests should be performed by staff and/or external experts with the necessary expertise, with documented test results and conclusions reported to senior management and/or the management body. Where needed and applicable, the institution should learn from these tests where to further improve the security controls and processes and/or to obtain better assurance on their effectiveness.

Controls for managing material ICT change

Competent authorities should assess whether the institution has an effective framework in place for identifying, understanding, measuring and mitigating ICT change risk commensurate with the nature, scale and complexity of the institution’s activities and the ICT risk profile of the institution. The institution’s framework should cover the risks associated with the development, testing and approval of ICT systems changes, including the development or change of software, before they are migrated to the production environment and ensure an adequate ICT lifecycle management. For this assessment competent authorities should, in particular, take into account whether the framework considers:

a. documented processes for managing and controlling changes to ICT systems (e.g. configuration and patch management) and data (e.g. bug fixing or data corrections), ensuring the adequate involvement of ICT risk management for important ICT changes that may significantly impact the institution’s risk profile or exposure;

b. specifications regarding the required segregation of duties during the different phases of the implemented ICT change processes (e.g. solution design and development, testing and approval of new software and/or changes, migration and implementation in the production environment, and bug fixing), with a focus on the implemented solutions and segregation of duties to manage and control changes to the production ICT systems and data by ICT staff (e.g. developers, ICT system administrators, data base administrators) or any other party (e.g. business users, service providers);

c. test environments that adequately reflect production environments;

d. an asset inventory of the existing applications and ICT systems in the production environment, as well as the test and development environment, so that required changes (e.g. version updates or upgrades, systems patching, configuration changes) can be properly managed, implemented and monitored for the involved ICT systems.

e. a process to monitor and manage the life cycle of the used ICT systems, to ensure that they continue to meet and support the actual business and risk management requirements and to make sure that the used ICT solutions and systems are still supported by their vendors; and that this is accompanied by adequate software development life cycle (SDLC) procedures.

f. a software source code control system and appropriate procedures to prevent unauthorised changes in the source code of software that is developed in-house;

g. a process to conduct a security and vulnerability screening of new or materially modified ICT systems and software, before releasing them into production and exposing them to possible cyberattacks;

h. a process and solutions to prevent the unauthorised or unintended disclosure of confidential data, when replacing, archiving, discarding or destroying ICT systems;

i. an independent review and validation processes to reduce the risks for human errors when performing changes to the ICT systems that may have an important adverse effect on the availability, continuity or security of the institution (e.g. important changes to the firewall configuration), or security of the institution (e.g. changes to the firewalls).

Controls for managing material ICT data integrity risks 57

Competent authorities should assess whether the institution has an effective framework in place for identifying understanding, measuring and mitigating ICT data integrity risk commensurate with the nature, scale and complexity of the institution’s activities and the ICT risk profile of the institution. The institution’s framework should consider the risks associated with preserving the integrity of the data stored and processed by the ICT systems. For this assessment, competent authorities should, in particular take into account whether the framework considers:
a. a policy that defines the roles and responsibilities for managing the integrity of the data in the ICT systems (e.g. data architect, data officers9, data custodians10, data owners/stewards11) and provides guidance on which data are critical from a data integrity perspective and should be subject to specific ICT controls (e.g. automated input validation controls, data transfer controls, reconciliations, etc.) or reviews (e.g. a compatibility check with the data architecture) in the different phases of ICT data life cycle;

b. a documented data architecture, data model and/or dictionary, that is validated with relevant business and IT stakeholders to support the needed data consistency across the ICT systems and to make sure that the data architecture, data model and/or dictionary remain aligned with business and risk management needs;

c. a policy regarding the allowed usage of and reliance on End User Computing, in particular regarding the identification, registration and documentation of important end user computing solutions (e.g. when processing important data) and the expected security levels to prevent unauthorised modifications, both in the tool itself, as well as data stored in it; d. documented exception handling processes to resolve identified ICT data integrity issues in line with their criticality and sensitivity

For supervised institutions that fall under the scope of the BCBS 239 principles for effective risk data aggregation and risk reporting12, competent authorities should review the institution’s risk analysis of its risk reporting and data aggregation capabilities compared to the principles and the prepared documentation thereon, taking into consideration the implementation timeline and transitional arrangements in these principles.

Controls for managing material ICT outsourcing risks

Competent authorities should assess whether the institution’s outsourcing strategy, in line with the requirements of the CEBS outsourcing Guidelines (2006) and further to the requirement in paragraph 85 (d) of the EBA SREP Guidelines, adequately applies to ICT outsourcing, including intra-group outsourcing providing ICT services within the group. When assessing the ICT outsourcing risks, competent authorities should take into consideration that the ICT outsourcing risks can also be covered as part of the assessment of inherent operational risks under paragraph 240 (j) of the EBA SREP Guidelines, to avoid any duplication of work or double counting.

In particular competent authorities should assess whether the institution has an effective framework in place for identifying, understanding and measuring ICT outsourcing risk, and in particular, controls and a control environment in place for mitigating risks related to material outsourced ICT services that are commensurate with the size, activities and the ICT risk profile of the institution and include:

a. an assessment of the impact of the ICT outsourcing on the risk management of the institution related to the use of service providers (e.g. cloud service providers) and their services during the procurement process that is documented and is taken into account by senior management or the management body for the decision to outsource the services or not. The institution should review the ICT risk management policies and the ICT controls and control environment of the service provider to ensure that they meet the institution’s internal risk management objectives and risk appetite. This review should be periodically updated during the contractual outsourcing period, taking into account the characteristics of the outsourced services ;

b. a monitoring of the ICT risks of the outsourced services during the contractual outsourcing period as part of the institution’s risk management, that feeds into the institution’s ICT risk management reporting (e.g. business continuity reporting, security reporting);

c. a monitoring and comparison of the received service levels with the contractually agreed upon service levels which should form part of the outsourcing contract or service level agreement (SLA); and

d. adequate staff, resources and competences to monitor and manage the ICT risks from the outsourced services.

Summary of findings and scoring

Following the above assessment, competent authorities should form an opinion on the institution’s ICT risk. This opinion should be reflected in a summary of findings which competent authorities should consider when assigning the score of operational risk in Table 6 of the EBA SREP Guidelines. Competent authorities should base their view on material ICT risks taking into account the following considerations to feed into the operational risk assessment:

a. Risk Considerations

i. The institution’s ICT risk profile and exposures;

ii. The identified critical ICT systems and services; and

iii. The materiality of ICT risk regarding critical ICT systems.

b. Management and Controls considerations

i. Whether there is consistency between the institution’s ICT risk management policy and strategy and its overall strategy and risk appetite; ii. Whether the organisational framework for ICT risk management is robust with clear responsibilities and a clear separation of tasks between risk owners and management and control functions;

iii. Whether ICT risk measurement, monitoring and reporting systems are appropriate.; and iv. Whether the control frameworks for material ICT risks are sound.

If competent authorities deem ICT risk to be material and the competent authority decides to assess and score this risk as a sub-category of operational risk the table below (Table 1) provides the ICT risk score considerations.

Accompanying documents

Draft cost-benefit analysis / impact assessment

These Guidelines are designed to complement the EBA Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP). As per Article 16(2) of the EBA regulation (Regulation (EU) No 1093/2010 of the European Parliament and of the Council), any Guidelines developed by the EBA shall be accompanied by an Impact Assessment (IA) annex which analyses ‘the potential related costs and benefits’. Such annex shall provide the reader with an overview of the findings as regards the problem identification, the options identified to remove the problem and their potential impacts.

For the purposes of the IA section of the Consultation Paper, the EBA prepared a qualitative questionnaire to collect information on the baseline, i.e. the practices currently in place in Member States and, the expected costs and benefits in relation to ICT risk assessment and the provisions covered under these Guidelines. The questionnaire targeted national competent authorities. This annex presents the IA with cost-benefit analysis of the provisions included in the Guidelines described in this Consultation Paper. Given the nature of the study, the IA is high-level and qualitative in nature.

Problem identification

The EBA SREP Guidelines introduce assessment criteria for competent authorities when evaluating, amongst other elements, the institutions’ business models, their internal governance and institution-wide controls and risks to capital. ICT risk is one important risk that competent authorities should consider in the implementation of these provisions, however, the EBA SREP Guidelines only elaborate to a limited extent on ICT risk under operational risk. Given the importance and the potential significant prudential impact of ICT risk on an institution and on the banking sector as whole, as mentioned in the ‘Background and rationale’ section of the current Guidelines, the lack of specific guidance and a more detailed assessment for supervisors to assess ICT risk in the EBA SREP Guidelines may lead to an incomplete risk assessment of an institution in the prudential supervisory framework.

The core gap that the current Guidelines aim to address is the lack of in depth guidance for the supervisory assessment of ICT risk in institutions and therefore room for lack of assessment of this risk, as well as inconsistency in assessing ICT risk across MS leading to a lack of comparability of supervisory practices across the EU which is crucial given the cross-border nature of ICT risk. Additionally the current level of detail in the EBA SREP Guidelines on how to assess ICT risk could lead to an insufficient measurement of ICT risks in the EU.

ICT is an intrinsic component of banks’ operational functioning and with the elaboration in recent years of accessibility to banking products and communications through technology, ICT is fundamental to the implementation and development of an institution’s business model. Concurrently the prudential risks that ICT may give rise to need to be managed by the institution. It is this risk and the related controls that these Guidelines provide guidance on to supervisors in the context of the SREP, i.e. that there is an impact on the institution’s business model, governance and capital deriving from ICT risk

Policy objectives

The main objective of the Guidelines is to specify a set of principle-based rules that complement the EBA SREP Guidelines for competent authorities to apply, using the principle of proportionality, in their supervisory assessment of ICT risk. Precisely, the Guidelines aim to inform supervisors how they should supervise this risk and to create consistent practices and a common level-playing field across jurisdictions. In this way, the current Guidelines are expected to respond pro-actively to the challenges in the prudential supervision of ICT-related risks

Baseline scenario

Table 1 presents the baseline scenario by Member State on the ‘compliance’ of the institutions and the competent authorities with these Guidelines. Precisely, it presents in each Member State an overview of current implementation and practices in relation to the major sections of the Guidelines. This presentation gives an overview of potential further efforts that the competent authorities may make and an indication of corresponding costs and benefits of further compliance.

The information provided shows that all Member States have, for the assessment of ICT risk, mechanisms and measures in certain forms. However, there are also variations in the current level of practices across Member States in relation to future implementation of the Guidelines. Currently, while some Member States (e.g. CZ, FI, NL and PL) have practices in place that are fully or largely in line with the provisions of the Guidelines, the practices of some other Member States (BE, UK) do not show similarities with these provisions. On average, the current practices in Member States mostly cover the provisions of the Guidelines.

Table 2 shows the share of implementation level indicated by the Member States in percentage. In terms of the sections of the Guidelines except two sections of the Guidelines, all Member States either mostly or fully cover all the sections. In other words, the share of categories mostly implemented and fully implemented in total exceed 50% in all categories except in two sections.

Assessment of the options considered and the preferred options

This section presents the major policy options considered in the drafting of the current Guidelines. In drafting the Guidelines many policy options were considered however here we assess four of these.

i. Development of ICT risk assessment Guidelines to complement the existing EBA SREP Guidelines or development of a separate methodology for assessment of ICT risk

As described above, ICT risk is an important operational risk which was so far addressed but to a limited extent in the EBA SREP Guidelines.
The assessment of ICT risk is undertaken with the intention of complementing the existing references in the operational risk assessment elaborated in the EBA SREP Guidelines. However it was noted that a complete ICT risk assessment would complement not only the operational risk assessment in section 6.4 of the EBA SREP Guidelines but also the business model assessment in Title 4 and the institution’s internal governance and institution-wide controls assessment in Title 5 of the EBA SREP Guidelines. Furthermore, in order to complement the operational risk assessment, the methodology in the assessment of ICT risk broadly follows the same process.
To develop a separate methodology would create duplication of aspects already covered in the EBA SREP Guidelines and in parallel may potentially increase regulatory cost for the industry and competent authorities. For example there are a number of components in the ICT risk assessment Guidelines which are not only relevant in the context of operational risk but also in the elements mentioned in the paragraph above. To give context to the ICT risk assessment it is necessary to link them to the EBA SREP Guidelines’ provisions and highlight that the ICT risk assessment Guidelines elaborate on the existing SREP provisions.
As such these Guidelines are designed to complement the existing EBA SREP Guidelines and do not introduce a new methodology.

ii. Inclusion or exclusion of a provision specific to ICT strategy to complement the business model assessment in the EBA SREP Guideline

ICT strategy presents an important share of institutions’ intangible assets, investments and operational costs and it forms a key part of business strategies, sources of competitive advantage as well as potential causes of material operational disruptions, investment write-offs or reputational damage. As a result of this important link, the EBA considered including provisions specifically on the assessment of ICT strategy in the Guidelines. These provisions go beyond the general business model assessment (BMA) in the EBA SREP Guidelines and guide supervisors to incorporate the results of the ICT strategy assessment as a part of the BMA in the EBA SREP Guidelines. If such provisions are not specified in these Guidelines then the BMA i) may not be able to identify whether the business model of an institution has adequate ICT resources to implement the intended strategy and activities, and ii) may not be able to identify if the institution has an adequate and sustainable business strategy given the ICT resources available to it. Therefore, a major disadvantage of excluding these specific provisions on ICT strategy may jeopardise both an adequate assessment of institutions’ risk and viability in line with SREP Guidelines (in particular provisions 70b, 70c and 72e) and a full understanding of the institution’s strategy. This may further have a prudential impact on institutions. On the other hand, the inclusion of a provision on assessment of ICT strategy requires that when assessing ICT risk, competent authorities consider the alignment between the ICT strategy and the institution’s business model. ICT risk is included under the BMA because of the strong links between the two: as highlighted in the EBA SREP Guidelines (70.b, 70.c and 72.e) ineffective ICT capabilities and strategies as well as insufficient execution capabilities have a strong impact in terms of sustainability of the institution. The outcome of the ICT strategy assessment should not be reflected in the scoring of ICT operational risk or that of internal governance and controls but, where relevant, should be considered as part of the BMA assessment, since the main effects it can have are reductions in earnings, rigidity in cost structures and loss of franchise in or disaffection with the institution by investors, or market participants. Given these arguments, the EBA decided to include ICT strategy in these Guidelines in order to complement the assessment of business models in Title 3 of the SREP Guidelines.

iii Specification or exclusion of material ICT risk controls

The section on ‘Operational risk controls – 6.4.4’ under ‘risks to capital’ in the EBA SREP Guidelines covers controls including organisation, management, audit and policies at a relatively high level. Due to the specificity of ICT risk and the fact that it is an area where guidance for general supervisors does not already exist, the EBA believes that there is scope to elaborate what type of controls could be used to mitigate the five broad ICT risk categories (from the risk taxonomy in the annex). In the Guidelines (section 3.2.3) supervisors are asked to identify the material risks under the five broad risk categories listed in the taxonomy. To provide a consistent approach that is useful to the supervisors a specific list of controls applicable to these risk categories is included in the controls section 3.3. This specific list of controls is expected to facilitate the supervisors to understand exactly which mitigating factors can control the risks identified. This mapping therefore builds a bridge directly from the risks to the controls, going beyond general organisational and managerial aspects which are also included in these Guidelines and, is very specific to the risk categories identified. This is important for generalist supervisors who have not had experience to know what kind of controls are used in these circumstances. A major downside of not including such guidance on risk controls is that the general controls and high level guidance only go so far in explaining how to mitigate ICT risks. ICT risks are particular in nature and their comprehensive assessment is new to the SREP assessment. The EBA therefore believes that these controls give the authorities the tools and knowledge to supervise and measure these risks. Consequently, the preferred option is to specify material ICT risk controls in the Guidelines.

Inclusion or exclusion of a non-exhaustive risk taxonomy

ICT risks in banking come from a number of different sources and can have a significant prudential impact on institutions. Furthermore the in-depth supervision of ICT risks in banks is relatively new to many supervisors. For these reasons these Guidelines aim to bring about consistency in how supervisors assess the ICT risks to which an institution is exposed. To bring about such a harmonised EU approach, a common understanding of ICT risk terminology was deemed necessary. As a result, it was considered necessary to identify the broad risk categories under which ICT risks fall and, for this reason, an ICT risk taxonomy was developed for supervisors to adhere to a uniform understanding of the main risk categories of ICT risk. The risk taxonomy contains non – exhaustive examples of ICT risks under the risk categories to facilitate this understanding. Up until now either competent authorities had their own national taxonomy or such a taxonomy did not exist. This taxonomy aims to bring about a uniform understanding of five broad risk categories and facilitate a common language with a non-exhaustive list of risks under each category with descriptions and examples. The ICT risks under the five broad risk categories are not exhaustive allowing competent authorities the flexibility to consider other ICT risks in their assessment. Additionally, the inclusion of this taxonomy also brings about a common assessment methodology of ICT risk as the Guidelines, specifically Title 3, use the five ICT risk categories in the identification of material ICT risks and in the elaboration of specific controls relevant for those risk categories. Without such a taxonomy the convergence in the assessment of ICT risks would be limited, as these risks are, by their nature, cross -border and there is a need to have a common understanding across MS. The EBA therefore decided to include non-exhaustive risk taxonomy.

Cost-Benefit Analysis

The EBA prepared a qualitative questionnaire to investigate the overall expected costs and benefits of the Guidelines for the institutions and the competent authorities. Most of the responses to the questionnaire indicate that the costs associated with the implementation of the Guidelines will be higher for the competent authorities than the expected cost for the institutions. Most of the institutions already have in place similar internal measures and procedures for ICT assessment foreseen in the Guidelines. Potential sources of additional costs for institutions in the implementation of the Guidelines are (i) formalisation of their current measures and procedures because many banks do not have a formalised framework to develop the ICT strategy, (ii) further efforts to put the internal practices in line with the provisions of the Guidelines, as banks mostly have risk management and internal control functions in place but not all of them assess the ICT risks in relation to risk appetite or ICAAP, (iii) training and potentially additional IT staff to comply with the regulatory framework. Some large Member States (ES, FR, NL and UK) expect large costs for the institutions while some other Member States (CY, CZ, PL and LU) indicate small costs.

Similarly, Member States expect costs associated with the implementation of the Guidelines for national competent authorities. The sources of these costs are (i) training of the current IT personnel and recruitment of additional IT experts, (ii) introduction of a new ICT supervisory framework or formalisation of such framework if already in place, (iii) preparation or update of manuals to assist and train the institutions for compliance, (iv) additional time and resources for on-site inspection. Most of the Member States (FI, FR, HR, NL and SE) indicate an expectation, on average, of medium to high levels of cost for the competent authorities. The taxonomy is deemed to be a step forward in establishing a link between the concepts and concerns from the often very elaborate, detailed and highly technical existing IT audit frameworks (Cobit, CMMI, ISO etc.) that are little known and understood by non-IT experts and the practical and more intuitive language and thinking frameworks of generalist supervisors regarding the main ICT risks. It is a costly activity but is also crucial to build a sound framework for ICT assessment. On the benefits side, overall the Member States expect the benefits to exceed the costs. Most of the Member States that indicate low benefits from the implementation of the Guidelines are also the ones that remain at the highest level in the baseline (CZ, PL), i.e. the Member States in which the current practices are already highly in line with the provision of the Guidelines. ICT is a crucial element of modern banking services with a significant impact on the institution’s competitiveness and cost effectiveness. The Guidelines help draw a sound framework for better management of ICT risk and other ICT practices within the institutions. The Guidelines will also help establish the necessary management focus and support for important risks such as the evergrowing cyber risks and important evolutions like FinTech that may have a pervasive impact on the institution’s business model, competitiveness and profitability. At more micro-level the implementation of the Guidelines is expected to (i) increase ICT risk awareness for both institutions and competent authorities, (ii) increase data quality and integrity, (iii) improve the monitoring of critical systems, (iv) standardise ICT risk categories and (v) standardise risk taxonomy which implies homogenous language and common understanding. Across all Member States, when average costs and the average benefits are compared, a majority of the participants (about 65%) believe that the expected net benefits are positive, i.e. expected benefits exceed the expected costs. Six Member States (FI, FR, HR, NL, PL and UK) state that the expected average net benefits are negative. For these Member States, although the potential costs for the institutions are somewhat smaller, the expected costs that may fall on the competent authorities are large and are deemed by them to exceed the benefits of the Guidelines.

Feedback on the public consultation

The EBA publicly consulted on the draft proposal contained in this paper. The consultation period lasted for 3 months from 06 October 2016 to 06 January 2017. A total of 16 responses were received, 12 of which were published on the EBA website. The Banking Stakeholders Group did not provide any opinion. This section presents a summary of the key points and other comments arising from the consultation, the analysis and discussion triggered by these comments and the actions taken to address them if deemed necessary. In many cases several industry bodies made similar comments. In such cases, the comments, and EBA’s analysis are included in the section of this paper where EBA considers them most appropriate. Changes to the Guidelines have been incorporated as a result of the responses received during the public consultation.
Summary of key issues and the EBA’s response
All comments were unanimously supportive and positive on the need to define a common framework for the assessment of Information and Communication Technology risk under the Supervisory Review and Evaluation process (SREP) highlighting the importance of technology in banking as well as the significance of ICT risk and its continuous evolution along with the increased regulatory focus on this area. All respondents welcomed the effort to promote common procedures and methodologies in assessing ICT risk and recognised it will enhance consistency in practices and a level-playing field across jurisdictions. The industry found these Guidelines consistent with the EBA SREP Guidelines and generally viewed ICT risk as part of operational risk which should be managed and controlled as part of an integrated risk framework. These Guidelines were also welcomed as a positive step in addressing the need for a tailored regime for non-bank and non-systemic investment firms taking into account the distinct characteristics of such firms. The industry has also highlighted and appreciated the fact that these Guidelines do not introduce additional reporting obligations to institutions. The main points raised by the industry with regard to the draft Guidelines were the following:

1) The need to ensure consistency with other relevant regulations and initiatives across jurisdictions at a global level was highlighted along with the industry’s availability and readiness to further discuss how it can support the EBA in fostering the development of a globally harmonised approach to technology risk in banking.

2) The ICT risk taxonomy included in the Annex of these Guidelines raised a number of comments due to identified overlaps in the mapping and an unclear distinction between causes, events and impacts. In general, a common issue was that an event could lead into more than one ICT risks and thus may not facilitate the ICT risk assessment. To this end, additional clarity was required for correctly mapping events to ICT risk categories

3) A common question was whether institutions should align their existing own risk taxonomies with the proposed ICT risk taxonomy included in the Annex or if these should be maintained.

4) The importance of the proportionality principle in the application of these Guidelines was highlighted by the majority of respondents. In some cases, additional clarity was requested on its application across jurisdictions and global institutions.

5) The level of involvement and the required role of the management body as well as the possibility of delegation raised concern among a number of respondents.

6) Further guidance was requested in relation to the assessment of institutions’ risk reporting and data aggregation capabilities compared to the BCBS 239 principles for effective risk data aggregation and risk reporting.

7) Differentiation between external and intra-group ICT outsourcing risk was requested by some respondents given the different risks may arise from each outsourcing risk type.