We welcome the efforts made to develop a harmonized approach to ICT and security risk management.
As part of the European Banking Federation (EBF), with which we have collaborated in drafting a common reply to this consultation, we fully endorse EBF’s reply to this consultation. Nevertheless, we would like to share a few additional comments on this consultation paper:
- It would be relevant to understand how these guidelines are related to the recent paper of the ECB Cyber resilience oversight expectations for financial market infrastructures as they seem highly aligned, but there are also some gaps between both.
- In paragraph 29 in section 4.4 (Information security), the sentence “and based on the relevant results of the risk assessment process.” should be deleted, since the Information Security Policy establishes the information security objectives and security framework of the financial institution. These objectives will determine the risk tolerance and how to manage the results of the Risk Assessment. However, the Information Security Policy is not based on the relevant results of the risk assessment process, as stated in the ICT Guidelines.
- Paragraph 49 in section 4.4.7 (Information security reviews, assessment and testing) should be placed before paragraph 47 as tests conducted in the event of a significant change occur after a major test