On 6 October 2016, the European Banking Authority (EBA) launched a consultation on its draft "Guidelines on Information and Communication Technology (ICT) Risk Assessment" (the Guidelines) under the Supervisory Review and Evaluation Process (SREP). The consultation runs until 6 January 2017.

Context

The EBA seeks to enhance the existing SREP Guidelines, establish common practice and application by National Competent Authorities (NCAs) in ICT risk assessment, and strengthen prudential supervision.

The Guidelines flesh out key expectations regarding ICT risk assessment which have been hinted at in previous publications – the EBA SREP Guidelines, Guidelines on ICAAP-ILAAP information requirements and the EBA report on convergence. These Guidelines are consistent with the European Central Bank's (ECB) 2016 priorities around risk governance and data quality and business model & profitability risk as well as the EBA's assessment of 'material emerging risks' in Europe: ICT and conduct risks. 

We see these Guidelines thematically as consistent with an overall trend of increasing supervisory pressure on financial services firms to enhance their IT and cybersecurity resilience and to demonstrate tangible improvements. Significantly, these Guidelines are addressed to both NCAs and financial institutions (FIs), a departure from the tone of the SREP Guidelines.

Overall observations

The proposed Guidelines will have a significant organisational impact on how FIs plan, assess and manage ICT risks. Particularly, there is greater emphasis on the relationship between ICT strategy and business model strategy, ICT risk appetite with the overall risk strategy, comprehensive assessment of ICT risk, and greater diligence in ICT related documentation.

The Guidelines apply to areas beyond the current industry focus of risk and finance data management to also cover data and services for baseline functions (e.g. telecoms, connectivity) and operations and distribution channels (e.g. ATMs, mobile banking). A thorough and wider assessment of FIs' ICT risk profile is required including robust identification and documentation of critical ICT systems and services, which, given operational complexities, will be far from a clear cut task.

The approach for assessing the criticality of data will have to be re-visited, to consider the adequate functioning, availability, continuity and security of essential activities as key criteria. Given that the scope of data policies at many FIs is restricted to critical data, changes to the data criticality assessment approach may significantly impact the effort required to adopt and become compliant.

Finally, where ICT risk will be deemed material for an FI, it will be assessed and scored separately as a sub-category of operational risk, using the ICT specific scoring table. This assessment is likely to carry increased weight towards risk scoring and any material inadequacies will lead to increased Pillar 2 requirements for FIs.

Key Themes

Theme 1: Risks in focus: EBA has articulated key ICT risks requiring increased supervisory attention:

  • Threat of cyber risks and cyber terrorism for which the EBA recommends stress testing by NCAs; and,
  • Risks from significant reliance on outsourcing and third party products with the potential to create vulnerabilities and concentrations. These will be assessed in line with CEBS outsourcing Guidelines.

FIs will need to demonstrate that they have established appropriate risk assessment processes and controls to manage these risks.

Theme 2: Explicit link between ICT strategy, business model analysis and risk strategy: FIs will need to demonstrate that their ICT strategies are adequate for the nature and complexity of their business, consistent with their business strategy and support their business model. FIs will be expected to articulate and evaluate their ICT priorities, relevant risk exposures, their preparedness, required investment and plans, change and implementation management and demonstrate that the strategy is resilient for their business models. This is the first instance where a direct linkage between risk assessment and business model analysis has been articulated by the EBA.

Theme 3: Significant emphasis on robust documentation: While no additional reporting obligations for FIs are expected, we expect more diligence will be required in maintaining robust internal ICT documentation, including details of project implementation plans, governance, internal audit reports, documented data architecture and models, especially where they have been maintained haphazardly previously.

Theme 4: Emphasis on Risk Governance: FIs will need to demonstrate that senior management are familiar with, have oversight of, and assess the ICT strategy and risks. They should have at their disposal the ICT risk information required to make sound business and risk management decisions. FIs should demonstrate the clear assignment of roles and responsibilities for the identification, assessment, monitoring, mitigation, reporting and oversight of ICT risks.

Theme 5: Specific risk taxonomy: The EBA has provided 5 broad categories of ICT risks into which institution specific ICT risks should be mapped. The risks may impact various categories but should be mapped into the category they most impact. FIs will have to overhaul their risk taxonomies and update their operational risk registers.

Theme 6: Impact on Pillar 2 Quantifications: FIs will need to assess the impact of ICT risks within their wider operational risk profile.  Supervisors may expect FIs to develop specific Pillar 2 stress tests and scenarios for capital quantification, with a robust analysis of direct and indirect financial and non-financial (e.g. reputational) impacts.

Theme 7: Link to BCBS239: FIs will need to leverage their BCBS239 programmes and capabilities to support the assessment and management of ICT risks. Where firms have not taken steps in this direction, their BCBS239 or other IT / data programmes will need to consider the challenges presented by these Guidelines. Given that the assessment of controls for managing data integrity was found to be the least implemented by NCAs across Europe, we expect NCAs to pay increasing attention to data integrity issues.

Conclusion

The Guidelines are expected to have a significant impact on FIs assessment and management of their ICT risks. In addition, they are expected to impact FIs' supervisory scoring and assessment, leading to potential impacts on SREP engagement and capital requirements.

FIs should therefore undertake a detailed review of these Guidelines, identify key areas of impact and initiate appropriate programmes and actions to address the key issues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.