EBA publishes final guidelines to assess ICT risk

  • Press Release
  • 11 May 2017
The European Banking Authority (EBA) published today its final Guidelines on the assessment of the Information and Communication Technology (ICT) risk in the context of the Supervisory Review and Evaluation Process (SREP). These Guidelines are addressed to competent authorities and aim at promoting common procedures and methodologies for the assessment of ICT risk.
 
The growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions, as well as the increasing potential adverse prudential impact from this risk on an institution and on the sector as a whole have prompted the EBA to develop these Guidelines on its own initiative to assist competent authorities in their assessment of ICT risk as part of the SREP. These Guidelines should, therefore, be read in conjunction with the EBA SREP Guidelines, which continue to remain applicable as appropriate.
 
The Guidelines are structured around 3 main parts: (i) the general provisions for applying these Guidelines; (ii) the assessment of the institution's ICT governance and strategy; (iii) the assessment of ICT risk and the controls in place in the context of risks to capital, which reflects the same structure as the EBA SREP Guidelines on the assessment of Operational risk. 
 
These Guidelines are complemented by an ICT risk taxonomy, which includes a list of 5 ICT risk categories and a non-exhaustive list of examples of material ICT risks, which competent authorities should reflect on as part of the assessment.
 
The Guidelines do not introduce any additional reporting obligation. However, competent authorities should be able to request, if necessary, additional information from the institution. 
These Guidelines are applicable from 01 January 2018. 

Legal basis

These final Guidelines have been developed on the EBA's own initiative in accordance with Article 16 of Regulation (EU) No 1093/2010, which envisages that the Authority shall issue guidelines with a view to ensuring the common, uniform and consistent application of Union law and to establish consistent, efficient and effective supervisory practices within the European System of Financial Supervision.
These Guidelines supplement the EBA Guidelines on common procedures and methodologies for SREP (EBA/GL/2014/13). 
 

Documents

Final Guidelines on ICT Risk Assessment under SREP (EBA-GL-2017-05)

(789.14 KB - PDF) Last update 11 May 2017

Press contacts

Franca Rosa Congiu