ITA CB issued a market communication on ICT security, drawing the attention of directly supervised intermediaries to aspects of digital operational resilience and ICT risk.
Intermediaries are invited to evaluate their positioning with respect to DORA and to carry out a self-assessment of their own ICT risk management framework, to be submitted by Apr. 30, 2025.
Follows the IT survey on technology and security profiles that ITA CB issued in Oct. 2024, see #230115.
Target Audience
Communication is intended for banks (excluding significant banks), investment firms, asset managers, payment institutions, electronic money institutions, issuers of asset-referenced tokens, crypto-asset service providers and crowdfunding service providers.
It is not intended for entities to which the DORA regulation does not apply.
Key Aspects
Regulatory developments about to enter into application (DORA applies from Jan. 17, 2025) require intermediaries to strengthen their control of ICT risk.
DORA introduces obligations for financial entities in ICT risk management, including the protection against and prevention of ICT risk and the detection of anomalous activities.
In light of this, and of the other issues recalled in the communication, all directly supervised intermediaries are required to assess, on a consolidated basis for groups and individually for entities not belonging to a group, their positioning with respect to the requirements introduced by DORA.
That, with particular reference to strategies on ICT third-party risk, the renewal of supply contracts, and the transmission of the Register of Information to ITA CB.
Also the adaptation of internal safeguards and policies, and the activities and tests of digital operational resilience.
They are also required to carry out a self-assessment of their ICT risk management framework, to ensure that policies, procedures, protocols and tools in the ICT risk field are adequate.
I.e. adequate to prevent, or promptly detect, breaches of the confidentiality of data or of the services provided.
Such in-depth analyses must include an assessment of the measures adopted to prevent the loss of integrity, availability and confidentiality of data, including any data leakage.
Also an assessment of the measures relating to access control, including any abuse of access rights granted to their own personnel and/or to personnel of their service providers.
Also an assessment of the control and monitoring activities over ICT systems adopted to identify anomalous activities that may impact the confidentiality of data or services.
To reduce the risk arising from ICT changes, intermediaries are required to assess whether their ICT change management framework is in line with DORA and the related implementing rules, in terms of practices, policies, assignment of responsibilities and security monitoring.
The administrative body (board) must approve the self-assessment, conducted with the involvement of the second- and third-level control functions, and transmit it to ITA CB by Apr. 30, 2025.
Context
ITA CB issued this communication in preparation for the application of DORA and in line with its own prerogatives.
Data from reports of serious operational and security incidents, presented in the recent ITA CB document "Digital resilience in the Italian financial sector: evidence from the supervisory incident reporting framework", show an increase in reports of both operational and cyber events over the last three years.
Points also emerged from the survey conducted to improve knowledge of the processes and practices for the aggregation and reporting of risk data adopted by Italian banks (Risk Data Aggregation).
Possible shortcomings in the ability to manage and aggregate risk data, and inadequacies of the ICT systems used to support decision-making processes and risk management activities, may compromise the soundness of decision-making and the effectiveness of risk governance.
Effectiveness
Self-assessment must be submitted to ITA CB by Apr. 30, 2025.
Regulators
ITA CB
Entity Types
Bank; Corp; HF; Inv Co; MSB
Reference
Survey, Communication, Press Release, 12/23/2024; DORA: Dir. (EU) 2022/2556, Reg. (EU) 2022/2554