Shearman & Sterling LLP | FinReg | European Banking Authority Publishes Guidelines on Assessment of ICT Risk Under the Supervisory Review and Evaluation Process (SREP)
Financial Regulatory Developments Focus
  • European Banking Authority Publishes Guidelines on Assessment of ICT Risk Under the Supervisory Review and Evaluation Process (SREP)

    09/11/2017
    The European Banking Authority has published Guidelines for national regulators aimed at ensuring the convergence of supervisory practices in the assessment of information and communication technology (ICT) risk under the supervisory review and evaluation process (SREP). These new ICT Guidelines are intended to be read in conjunction with (and form an integral part of) the Guidelines published by the EBA in 2014 on common procedures and methodologies for SREP. ICT risk is not itself defined in the Guidelines, being a "catch-all" term that captures the varied risks that can arise from the operation of ICT systems and the provision of ICT services. Risks can arise from many sources, including operational failures, security breaches, outsourcing, systems change or failures in data integrity.
     
    The outcome of the ICT risk assessment will, ordinarily, inform the findings of the assessment of operational risk. However, the ICT Guidelines state that, whilst national regulators should generally assess sub-categories of risks as part of the main categories (i.e. ICT risk will be assessed as part of operational risk), national regulators may assess on an individual basis any sub-categories that they deem material. Where a national regulator considers that ICT risk should be treated as a material risk, the ICT Guidelines also provide a scoring table that should be used to provide a stand-alone sub-category score for ICT risk, following the overall approach to scoring the risks to capital in the EBA SREP Guidelines.
     
    The ICT Guidelines will apply to EU national regulators with effect from January 1, 2018.
     
    View the EBA Guidelines (EBA/GL/2017/05).