EBA Guidelines on ICT and security risk management
Details
This download includes the EBA Guidelines on ICT and security risk management so there are no mapped questions. Use this download if you just want the provisions and you want to create your own question set.
These guidelines integrate and are built on the requirements set out in the ‘Guidelines on security measures for operational and security risks of payment services’ (hereafter ‘Guidelines on security measures’), which were published in December 2017 (EBA/GL/2017/17) and which have applied since January 2018 in fulfilment of the mandate in Article 95(3) of Directive 2015/2366/EU (PSD2). Those guidelines were addressed to payment service providers (PSPs), and only applied to their payment services; however, they were in fact relevant to a broader set of institutions. For that reason, these guidelines have been formulated to be addressed to a broader range of financial institutions under the EBA’s remit (namely to credit institutions, which already fell within the scope of the Guidelines on security measures for their payment services, but for which these guidelines will now apply to all activities) and to investment firms. These guidelines continue to apply to PSPs for the payment services they provide; they extend to other activities of credit institutions and also apply to investment firms for all activities. Collectively, the guidelines apply to financial institutions as set out in paragraph 9 under the addressees section.
These guidelines set out how financial institutions should manage the ICT and security risks that they are exposed to. In addition, this guidance aims to provide the financial institutions to which the guidelines apply with a better understanding of supervisory expectations for the management of ICT and security risks.
These guidelines provide details on how financial institutions should comply, in order to address ICT and security risks, with the following provisions in the Capital Requirements Directive (CRD) and PSD2:
(i) Article 74 of Directive 2013/36/EU (CRD), which strengthens the governance requirements for institutions, including the requirements to have robust governance arrangements with a clear organizational structure with well-defined, transparent, and consistent lines of responsibility and effective processes to identify, manage, monitor and report the risk they are or might be exposed to;
(ii) Article 95 of Directive 2015/2366/EU (PSD2), which contains explicit provisions for the management of operational and security risks that require PSPs to have appropriate mitigation measures and control mechanisms to manage the operational and security risks, and includes a mandate for the EBA to develop guidelines on this topic.
More Information
| Field | Value |
|---|---|
| Jurisdiction | European Union (EU) |
| Type | Laws or related obligations |