ESBG (European Savings and Retail Banking Group)
Rue Marie-Thérèse, 11 - B-1000 Brussels
ESBG Transparency Register ID: 8765978796-80
Thank you for the opportunity to comment on the EBA consultation on guidelines on ICT risk assessment under the supervisory review and evaluation process (SREP). We would like to share with you the following reflections that we hope will be taken into account by the EBA.
The consultation paper evaluates risks arising from outsourcing. In the consultation paper, the EBA always refers to third party as well as to intra-group outsourcing. ESBG acknowledges risks arising from outsourcing, but would like to emphasise that one needs to take into account that there might be a difference between risks that result, on the one hand, from outsourcing to third parties and, on the other, from intra-group outsourcing.
Outsourcing within a group provides numerous benefits, such as efficiency, cost reduction, higher service quality, process optimisation, optimised controls, more elaborate monitoring, etc. Within a group, monitoring, quality assurance and control mechanisms are enforced in a different (and not comparable) way than they would be with a third-party contract partner. This has to be taken into consideration accordingly when judging risks. If exactly the same requirements apply to both categories of outsourcing, one has to fear that the benefits of intra-group outsourcing, and perhaps intra-group outsourcing itself, would disappear, which would lead to an extreme burden for banking groups in general.
Therefore, ESBG proposes to amend Point 57 (please see below) accordingly, to point out that there is a difference in terms of risk between outsourcing to third parties and intra-group outsourcing.
In general, ESBG believes that use of ISO 27xxx definitions or similar should be considered. More specifically, we would like to share with the EBA the subsequent comments:
We would like to suggest that information and communications technology (ICT) refers to all the technology of telecommunications (interconnecting networks by telephone line and wireless signals), computers, enterprise software, storage, broadcast media, intelligent building management systems, audio-visual processing and transmission systems, and network-based control and monitoring functions which enable users to access, store, transmit and manipulate information.
We would like to suggest that ICT services refer to the application of business and technical expertise to enable organisations in the creation, management and optimisation of or access to information and business processes. The ICT services market can be segmented by the type of skills that are employed to deliver the service (design, build, run). There are also different categories of service: business process services, application services and infrastructure services. If these services are outsourced, they are referred to as business process outsourcing (BPO), applications outsourcing (AO) and infrastructure outsourcing (Reference: Gartner IT Glossary).
In our view, ICT availability and continuity risk refers to the situation in which the availability of ICT systems and data is adversely impacted in their ability to perform their agreed function when required. This includes the inability to recover the IT services for service recipients in a timely manner. Availability is determined by reliability, maintainability, serviceability, performance and security (Reference: ITIL V3). ICT continuity (information technology continuity) is determined by a holistic approach to managing technology systems in the event of a major disruption.
ICT security risk should refer to the risk that the availability of ICT systems and the confidentiality and integrity of data are adversely impacted by unauthorised user access. ICT security refers to the protection of information and information systems against unauthorised access to or modification of information, whether in storage, processing or transit, and against denial of service to authorised users. Information security includes those measures necessary to detect, document and counter such threats. Information security is composed of computer security and communications security.
Different risks that may arise from intragroup outsourcing and outsourcing with third parties should be adequately assessed. The control over outsourced solutions in particular has to be done on a higher level than on outsourced systems.
It is said that the "ICT risk assessment should be part of Operational Risk (OpRisk) framework". In contrast to this, point 47 says that "Policies, […] can be part of the OpRisk framework or can be a separate document".
The OpRisk framework follows the Basel II classification logic, which is not 1:1 compatible with the taxonomy provided in the annex. Therefore, we would like to know whether the institution is expected to produce its own mapping, or whether the EBA will provide one. If an institution's ICT risk assessment follows a commercial framework (such as COBIT), will that commercial taxonomy be accepted as well?
In ESBG's opinion, there should be a difference between "in-house systems" (for which "operational controls" also have to be available) and outsourced solutions. For outsourced solutions, there are no known "operational controls" (more precisely, see e.g. point 52(b)(ii): it is hardly possible to "ensure" the distance between backups with "operational controls", because backups are done by distributed data storage). It is worth noting that banks always retain the ultimate responsibility; moreover, we suggest that the EBA perhaps uses these guidelines to improve the operational controls of outsourced solutions by third parties.
Taking into account the necessity to establish mechanisms in order to ensure the integrity and quality of the data used in institutions, big consulting and technology firms have been trying to implement a certain trend. More precisely, this trend is based on the convenient idea of defining, within the organisation, roles and responsibilities for all the phases that comprise the life cycle of data (e.g. data architects, data officers, data custodians, data owners/stewards). These are roles that intervene in the governance of the overall processes of providing, transforming and delivering the information.
However, the complexity of an institution's applications map, which covers all of its operations, together with the great number of lines of code involved in this life cycle (millions of lines of code within the process of providing, transforming and delivering the information), argues for relying on the technology itself to establish mechanisms for the governance of data quality, such as quality control frameworks. In our opinion, these mechanisms are much more efficient (economically speaking) and have been implemented in institutions for quite a long time.
The approach of creating organisational structures for this purpose has not shown better results, due to the complexity, specialisation and sheer quantity of information to be dealt with. Such an approach would require high levels of expertise and voluminous structures of professionals.
Additionally, the banking industry of certain countries, being well aware of the importance of all of the above, has over the past years been working on technological models with designs that ensure the integrity and quality of the data. These models incorporate reconciliation mechanisms and guarantee the integrity between the accounting information and the business information regarding contracts and clients. These models also incorporate event registration systems that allow the recorded accounting information to be traced to all the accounting events and movements generated in the institution's day-to-day activity. Furthermore, these designs incorporate a single view of the client, around which business information revolves and which ensures the traceability of the information.
In short, we would like to highlight the appropriateness of established mechanisms to assure data quality, and believe that focusing on the perceived need to create organisational structures for this end would not best contribute to this objective. In addition, this approach would undermine the efficiency of institutions by creating structures that may not be effective relative to their size.
In our view, a last sentence could be included referring to the treatment of the risks of intragroup outsourcing: "When assessing ICT intragroup outsourcing risk, competent authorities should adapt the assessment adequately."
The following two categories of risk description referring to inadequate internal ICT security (pages 34-35) are, in our opinion, ambiguously worded and overlap concerning their meaning.
Installing key stroke loggers (key loggers) to steal user IDs and passwords to gain unauthorised access to confidential data and/or commit fraud.
Cracking/guessing weak passwords to gain illegitimate or elevated access rights.
System administrator uses operating systems or database utilities (for direct database modifications) to commit fraud.
Failure to disable or delete unnecessary accounts such as those of staff that changed functions and/or left the institution, including guests or suppliers who no longer need access, providing unauthorized access to ICT systems.
Granting excessive access rights and privileges, allowing unauthorised accesses and/or making it possible to hide rogue activities.
Since, in ESBG's opinion, the difference between the two "risk descriptions" under "inadequate internal ICT security" is not clear, a rewording might be necessary. As a consequence, we would like to suggest a simplification and recommend the following wording:
Ad1): "Gaining unauthorised access to critical ICT systems from within the institution due to weak ICT access controls (deployment of malicious software, cracking of passwords, exploiting vulnerabilities in ICT systems, etc.)".
Ad2): "Unauthorised ICT access and/or manipulations due to inadequate ICT access management procedures (regarding separation of duties, least privileges, privilege escalation, removal of unused accounts, etc.)".
ESBG brings together nearly 1000 savings and retail banks in 20 European countries that believe in a common identity for European policies. ESBG members represent one of the largest European retail banking networks, comprising one-third of the retail banking market in Europe, with 190 million customers, more than 60,000 outlets, total assets of €7.1 trillion, non-bank deposits of €3.5 trillion, and non-bank loans of €3.7 trillion. ESBG members come together to agree on and promote common positions on relevant regulatory or supervisory matters.
European Savings and Retail Banking Group – aisbl
Rue Marie-Thérèse, 11 | B-1000 Brussels | Tel: +32 2 211 11 11 | Fax: +32 2 211 11 99
Info@wsbi-esbg.org | www.wsbi-esbg.org
Published by ESBG. January 2017.