Once the ICT strategy has been set, financial institutions are expected to draw up action plans that set measures to be taken to achieve the strategy's objectives, and communicate these to relevant staff, contractors and third party providers.
Where institutions identify measures that would require actions to be taken by service providers, they will need to engage with those providers at an early stage of drawing up the action plans to understand what solutions are feasible and who will pay for them. This feeds into a further requirement of the EBA's IT security guidelines that financial institutions "ensure the effectiveness of the risk-mitigating measures" they implement, including where the operational functions of payment services and/or ICT services and ICT systems of any activity are outsourced, including to group entities, or when using third parties.
Documenting compliance
The ICT strategy is a central component of the risk management framework financial institutions are required to have in place under the EBA guidelines. The guidelines specifically mandate that the risk management framework is "documented, and continuously improved, based on ‘lessons learned’ during its implementation and monitoring".
However, the record-keeping obligations do not stop there. Institutions should recognise that many of the steps they take in setting the ICT strategy and in developing and implementing action plans should also be documented, as a means of demonstrating their steps towards compliance.
A further example of this applies in the context of provisions the IT security guidelines require to be included in contracts between institutions and third parties.
The contracts should include "appropriate and proportionate information security-related objectives and measures", such as minimum cybersecurity requirements, a specification of the institution's data life cycle, any data encryption requirements, processes for monitoring network security, and the location of data centres, and must also contain "operational and security incident handling procedures including escalation and reporting".
To meet those obligations regarding contractual provisions, the institutions need to first make assessments about what information security-related objectives should be set and further outline and test their own procedures for handling operational and security incidents. These assessments and processes should be documented.
Regulators have wide information-gathering powers, and they have shown a willingness to conduct market studies to explore whether financial institutions are taking their regulatory responsibilities seriously or merely engaging in box-ticking. Being compliant, and being able to evidence that compliance, is likely to become increasingly important as regulators take growing data and cyber risks more seriously.