EU: EBA publishes guidelines on ICT and security risk management
The European Banking Authority ('EBA') published, on 28 November 2019, guidelines on ICT and security risk management ('the Guidelines') for credit institutions, investment firms and payment service providers. In particular, the Guidelines highlight that the increasing digitalisation in the financial sector and the growing interconnectedness across financial institutions and third parties make financial institutions' operations vulnerable to internal and external ICT and security risks that can potentially compromise their viability. In addition, the Guidelines set out expectations on how all financial institutions should manage internal and external ICT and security risks. Moreover, the Guidelines provide financial institutions with a better understanding of supervisory expectations for the management of security risks, covering sound internal governance, information security requirements, ICT operations, project and change management, and business continuity management.
The Guidelines will enter into force on 30 June 2020.