Last week, the European Banking Authority (EBA) published the final Guidelines on ICT and security risk management. The guideline will come into effect on 30 June 2020, which is a rather short deadline considering the organizational structure and level of detail it stipulates.
The guideline defines the minimum requirements for how to manage ICT and security risk across most of the banking and finance sector, as it is applicable to banks, payment service companies and investment firms. FCG believes that the larger banks in Sweden will live up to the new guideline with relative ease, as it builds on well-known industry best practice, while PSPs, SME banks and investment firms will have to make more significant changes in order to comply.
A few words on the consultation process and content of the ICT and security risk management guideline
The draft version of the guideline was, for the most part, positively received by the sector. However, some of the more prescriptive parts were questioned and have since been revised by the EBA. In Sweden, the discussion regarding the organizational placement of the Chief Information Security Officer (CISO) was of particular interest, and the EBA has relaxed the prescriptive language in the guideline. Reading the EBA's responses to the consultation comments, however, it remains clear that the EBA still places the responsibility for information security in the second line of defense.
The responsibility for ICT risk management still rests firmly with the second line of defense, and we foresee the need to strengthen its IT and information security competence.
The information security section of the guideline is still prescriptive in nature and puts forward specific security capabilities that need to be implemented. From a Nordic perspective, the governance required around information security testing introduces new requirements that not all institutions will recognize as current practice.
Furthermore, the EBA has made some changes to the ICT project and change management section, making it less prescriptive in nature and opening the door to more agile development models.
Introduced changes in the Nordic market
The guideline follows the broad strokes of GL-11, with second-line risk management aligned towards strategic risk management (without sacrificing its grip on the control side). This becomes clear in the emphasis placed on strategy and on the need for the second line to engage with and control the strategic work within the company through a holistic risk management practice.
Returning to the organizational placement of the CISO, we will follow developments in the market with interest. FCG, which assists companies across all areas of the financial sector, also believes that the guideline introduces requirements in the project and change management fields that are more stringent than current practice in the Nordics. The requirements on information security testing are also strengthened and will require proper governance, such as a testing framework.
We at FCG believe that this guideline is fairly well balanced (though somewhat prescriptive in parts) and provides a good foundation for how to manage ICT and information security across the financial sector. We expect further regulation in this area in the future, as several national and EU institutions are either setting up working groups or already performing work in the information or cyber security area. We believe that this EBA ICT guideline is in line with current practice and maturity within large institutions in the sector; however, we also recognize that for smaller institutions, PSPs, SME banks and investment firms this guideline is quite a stretch.
We at FCG believe that this guideline serves a good purpose within the financial ecosystem, and that the sector, and indeed society in general, will benefit if all players live up to the EBA's expectations. As such, the guideline has the potential to redefine the finance industry for business, people and society, which coincidentally is not a paraphrase of FCG's mission statement, but the exact statement!