EBA ICT and risk management



    The European Banking Authority (‘EBA’) is an independent EU authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.

    The EBA has issued draft Guidelines on ICT and security risk management (‘the draft ICT and Risk Management Guidelines’) establishing requirements for credit institutions, investment firms and payment service providers (‘PSPs’) on the mitigation and management of their information and communication technology risks, to ensure a consistent and robust approach across the Single market.

    Last Updated: July 25, 2019

  • Requirements

    According to the draft ICT and Risk Management Guidelines, financial institutions should ensure the effectiveness of the risk-mitigating measures as defined by their risk management framework, including the measures set out under the guidelines, when operational functions of payment services and/or ICT services and ICT systems are outsourced, including to group entities, or when using third parties.

    Financial institutions should ensure that contracts and service level agreements with the provider (outsourcing provider, group entity, or third party provider) include the following:

    • appropriate and proportionate information security objectives and measures including requirements such as minimum cybersecurity requirements, specifications of financial institutions’ data life cycle, and any requirements regarding location of data centres and data encryption requirements, network security and security monitoring processes;
    • service level agreements, to ensure continuity of ICT services and ICT systems and performance targets under normal circumstances as well as those provided by contingency plans in the event of service interruption; and
    • operational and security incident handling procedures including escalation and reporting.

    Financial institutions should monitor and seek assurance on the level of compliance of these providers with their security objectives, measures and performance targets.

  • How OneTrust Helps

    OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews.

    Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions.

    For additional details on Vendorpedia, read more here.


About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.