The growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions, as well as the increasing potential adverse prudential impact from this risk on an institution and on the sector as a whole, have prompted the European Banking Authority (EBA) to develop these Guidelines on its own initiative to assist competent authorities in their assessment of ICT risk as part of the Supervisory Review and Evaluation Process (SREP).
These Guidelines should, therefore, be read in conjunction with the EBA SREP Guidelines, which continue to remain applicable as appropriate.
The Guidelines are structured around 3 main parts:
These Guidelines are complemented by an ICT risk taxonomy, which includes a list of 5 ICT risk categories and a non-exhaustive list of examples of material ICT risks, which competent authorities should reflect on as part of the assessment.
The Guidelines do not introduce any additional reporting obligation. However, competent authorities should be able to request, if necessary, additional information from the institution.
These Guidelines are applicable from 01 January 2018.