IT security guidance should spur contracts review

Out-Law News | 02 Dec 2019 | 4:46 pm | 2 min. read

Financial institutions should review their contracts with outsourcing providers and third parties in light of new IT security guidelines issued by the European Banking Authority (EBA), an expert in financial services and technology law has said.

Luke Scanlon of Pinsent Masons, the law firm behind Out-Law, said some institutions might also need to revisit risk assessments they have already carried out as a result of the EBA's finalised guidelines on ICT and security risk management.

The EBA's new guidelines are addressed to payment service providers, credit institutions and investment firms. They will apply from 30 June 2020 when they will replace current guidelines on the security measures for operational and security risks of payment services, which will be repealed on the same date.

The guidelines have a broad application, as they apply to institutions' internal approach to ICT and security risk management and sets out further obligations in respect of their oversight of the approach taken by their outsourcing providers and with other third parties they engage with too.

"It will be important for financial institutions to review the new guidance to check whether their existing contracts with third parties comply," Scanlon said. "It may be that some contracts and service level agreements have to be updated to reflect the new requirements."

The new guidance mandates institutions, among other things, to include certain provisions in their agreements with third parties. These include "appropriate and proportionate information security-related objectives and measures", such as minimum cybersecurity requirements, a specification of the institution's data life cycle, any data encryption requirements, processes for monitoring network security, and the location of data centres.

The contracts must also contain "operational and security incident handling procedures including escalation and reporting".

The new ICT and security risk management guidance builds on requirements payment service providers are obliged to meet to address operational and security risks under the EU's second Payment Services Directive (PSD2), and they also intersect with the EBA's guidelines on outsourcing, which began to apply on 30 September 2019.

To comply with the EBA's outsourcing guidelines, institutions have had to carry out an assessment of how their outsourcing would impact their operational risk. However, the EBA has now set out further detailed risk assessment obligations in its latest guidance.

Institutions must identify their business functions, roles and supporting processes and then classify the various functions, processes and information assets according to their criticality. They are then obliged to identify the ICT and security risks that impact on those functions, processes and information assets according to their criticality. This assessment needs to be carried out at least annually, or more regularly if necessary, and it needs to be updated when there are "any major changes in infrastructure, processes or procedures affecting the business functions, supporting processes or information assets".

Scanlon said: "Many institutions will already have been through an extensive risk assessment exercise, including in relation to security, as part of their efforts to comply with the EBA's outsourcing guidelines. Just months later, the EBA has set out further risk assessment obligations. It is incumbent on regulators to consider the financial cost and resourcing and administrative burdens of regulatory compliance and try to better streamline the requirements they impose."

Scanlon said greater coordination is also needed across regulators to reduce the burdens of compliance.

He said: "In this instance there is a risk of duplication of risk assessments since the EBA has set out separate requirements in two documents published within just months of each other. For financial institutions, however, there are other guidelines from other regulators that could well impact on this area. In the UK, we are anticipating the imminent release of new outsourcing guidelines from the Prudential Regulation Authority (PRA), and at European level finalised cloud outsourcing guidance is expected soon from the European Insurance and Occupational Pensions Authority (EIOPA). Other bodies, such as the European Securities and Markets Authority (ESMA), might also wade in with their own guidelines."

"For financial institutions, particularly ones with both investment banking and insurance arms, there is a clear need to ensure compliance work can be standardised and streamlined as best as possible," he said.