Written by Marcus Clayden.
The FCA has notified the EBA that it intends to comply with the EBA’s guidelines on ICT and security risk management – the final version of which was published in November 2019.
The key points to flag are:
1. Scope: the guidelines apply to credit institutions and investment firms under the Capital Requirements Directive and to payment services providers caught by PSD2.
2. Effective date: those institutions are expected by the FCA and the EBA to make every effort to comply with the guidelines from 30 June 2020.
3. Contents: responding to the potentially systemic risk that ICT and security-related incidents increasingly represent, the guidelines outline how financial institutions should manage the ICT and security risks to which they are exposed and underpin the security obligations which apply under the CRD and PSD2. There is particular focus on:
- governance (with an internal control function responsible for setting the risk management strategy and allocating responsibilities, and which is itself then subject to independent internal audit)
- a reminder that ICT and security risk assessments have critical importance when a financial institution is considering outsourcing to a third party
- internal record-keeping / inventory management
- security measures to be adopted, how ICT operations should be managed and how appropriate training is provided to staff
- how change is handled within the context of ICT systems and operations
- business continuity management.
4. Regulatory approach: the FCA highlights that, per their respective guidance, both the FCA and the EBA will be flexible in how they supervise compliance with these guidelines. The instruction to firms is to focus attention on information security, ICT operational and business continuity risk issues, so that critical regulated functions continue to be fulfilled despite the pandemic. There is also very topical overlap (which the FCA identifies) with the FCA’s ongoing consultation on operational resilience, the outcome of which is expected to be published in Q1 2021 and which will give more detail about the FCA’s approach to operational resilience issues and to the EBA’s guidelines in this area.