ICT risk management policies
Development, Documentation and Implementation (Article 3 RTS RMF)
- Financial entities must develop, document and implement ICT risk management policies and procedures.
- These policies must contain all mandatory elements listed in Article 3 of the RTS on the Risk Management Framework (RMF).
Mandatory Content Elements (Article 3(a)–(f) RTS RMF)
Approval of ICT Risk Tolerance Level
The policies must include:
- an indication of the approval of the ICT risk tolerance level established in accordance with Article 6(8)(b) DORA.
ICT Risk Assessment Procedure and Methodology
The policies must define the procedure and methodology for conducting ICT risk assessments, identifying:
Vulnerabilities and Threats
- vulnerabilities and threats that affect or may affect supported business functions, ICT systems and ICT assets.
Indicators for Measurement
- quantitative or qualitative indicators used to measure the impact and likelihood of the vulnerabilities and threats identified under point (i) above.
ICT Risk Treatment Procedure
The policies must specify the procedure to identify, implement and document ICT risk treatment measures, including:
- the determination of ICT risk treatment measures necessary to bring ICT risk within the established risk tolerance level.
Additionally, the procedure must ensure:
- monitoring of the effectiveness of ICT risk treatment measures;
- assessment of whether the risk tolerance levels have been attained;
- assessment of whether the entity has taken actions to correct or improve risk treatment measures where necessary.
Management of Residual ICT Risks
For residual ICT risks that remain after treatment, the policies must include:
Identification
- provisions for identifying residual ICT risks.
Roles and Responsibilities
Assignment of roles and responsibilities for:
- accepting residual ICT risks that exceed the financial entity’s risk tolerance level;
- executing the annual review process referred to in point (iv) below.
Inventory of Accepted Residual Risks
- development of an inventory of accepted residual ICT risks, including the justification for acceptance.
Annual Review Process
Provisions for reviewing accepted residual ICT risks at least once per year, including:
- identification of changes to residual ICT risks;
- assessment of available mitigation measures;
- assessment of whether the reasons justifying acceptance remain valid at the date of review.
Monitoring Provisions
The policies must include provisions on monitoring:
ICT Risk and Cyber Threat Landscape
- any changes in the ICT risk and cyber threat landscape.
Vulnerabilities and Threats
- internal and external vulnerabilities and threats.
ICT Risk Profile Changes
- ICT risk of the financial entity, enabling prompt detection of changes affecting the ICT risk profile.
Alignment with Strategic Changes
The policies must ensure that changes to:
- the business strategy, and
- the digital operational resilience strategy,
are duly taken into account in the ICT risk management process.