The European Banking Authority (EBA) released the Final Report on the Guidelines on ICT and security risk management (EBA/GL/2019/04) on November 28, 2019. The report outlines the requirements for credit institutions, investment firms, and payment service providers (PSPs) to effectively manage and mitigate ICT and security risks.
What is the goal of the EBA guidelines?
The purpose of the EBA’s guidelines is to increase cybersecurity by implementing tighter regulations for outsourcing services. These guidelines are designed for all financial institutions and cover all methods of payment, including electronic funds. They affect cloud outsourcing and deployment in FinTech and replace the 2006 Committee of European Banking Supervisors Guidelines on Outsourcing.
Which organizations do the guidelines apply to?
The guidelines are applicable to any institutions within the EBA’s jurisdiction, including banks, investment firms, payment institutions, and electronic money institutions. All institutions addressed in the report have had to adhere to the new rules since September 2019.
The EBA guidelines include provisions for Payment Service Providers (PSPs), and apply to all PSPs, credit institutions, investment firms, competent authorities, and the European Central Bank in matters related to tasks conferred by the regulation.
The guidelines also cover the use of third-party providers, defining outsourcing as an arrangement between a regulated institution and a service provider who performs a process, service, or activity that would normally be undertaken internally. The institutions have to ensure that their risk-mitigating measures are effective when using third-party providers.
Why were the guidelines established?
The guidelines were established in response to the rising complexity of information and communication technologies and the increasing number of cyber attacks. They outline how financial institutions need to address security risks and safeguard their ICT infrastructure.
The guidelines aim to level the playing field for all institutions by integrating the rules published in December 2017 under Article 95 of PSD2, titled “Guidelines on security measures for operational and security risks of payment services.”
What are the key guidelines to follow?
The guidelines are divided into several categories. Here’s a brief summary of each:
Proportionality: Financial institutions must adhere to the guidelines in a manner proportionate to their size, structure, and the risk level of their services.
Governance and Strategy: The management body ensures robust ICT strategies, quality standards, and staff skills.
ICT and Security Risk Management: Institutions must manage their infrastructure in line with ICT guidelines.
Information Security: The guidelines stipulate the requirements for an effective security risk management policy.
ICT Operations Management: Institutions should manage their ICT operations based on management-approved procedures.
ICT Project and Change Management: Institutions must establish a governance process for ICT projects, defining roles and responsibilities.
Business Continuity Management: Institutions should be prepared to recover smoothly from severe disruptions, such as cyber attacks.
Payment Service User Relationship Management: PSPs must enhance user awareness of security risks associated with their services.
Concentric AI’s Semantic Intelligence solution offers a robust approach to data security, which can boost an institution’s efforts in achieving compliance with the EBA Guidelines on ICT and Security Risk Management.
Concentric AI provides visibility into the who, where, and how of sensitive data, enabling institutions to automatically remediate and minimize data risk. This process is particularly relevant to the EBA guidelines, which stress the importance of understanding and managing data access and usage.
For data governance and strategy, our solution autonomously identifies all sensitive data in the cloud, establishes what data is being shared with whom, tracks data lineage as it moves across the environment, and identifies where the data may be at risk.
Concentric AI’s solution also addresses the challenges of data security (Information Security guideline) in today’s cloud-centric environment. Traditional data protection methods like rule writing to discover what data is worth protecting are no longer sufficient. With Concentric, institutions can identify sensitive data without burdening security teams to craft rules or complex policies. When security teams have more time and resources, they are better-positioned to embrace a risk-based approach to ICT and security risk management.
Data discovery is only the first step — Concentric AI also provides automated data risk identification and remediation. It offers a consolidated view into the risk associated with inconsistent access privileges, permissions, activity, or location and automatically remediates permissions and sharing issues. This capability is crucial for compliance with the EBA guidelines, which require organizations to identify, assess, and mitigate ICT and security risks.
Best of all, Concentric AI’s solution is easy to implement. It is an agentless, API-based solution that can process both structured and unstructured data in the cloud or on-premises.
Our customers are successfully using our product in production for petabytes of data for:
Book a demo today to see firsthand — with your own data — how Concentric AI’s solution can quickly and easily be deployed to keep up with EBA guidelines in your organization or institution.