ECB sets new standards for bank board expertise on digital security risks

In a move aimed at bolstering the banking sector’s resilience to ICT and security challenges, the ECB has introduced a new policy set to take effect on 1 March.

This policy mandates an increase in the collective knowledge and expertise of bank management bodies, particularly in managing the risks associated with the digitalisation of banking services. The ECB’s Supervisory Board has outlined this requirement as part of the Single Supervisory Mechanism (SSM) supervisory priorities for 2024-26, underscoring the critical need for banks to adequately address ICT and security risks.

The ECB’s initiative stems from ongoing supervision, which has revealed a lack of sufficient collective expertise among the management bodies of supervised banks in the realm of ICT and security risks. To combat this, the ECB, in collaboration with national supervisors, has developed a policy focusing on the fit and proper assessments of bank management. This policy includes several key expectations and aligns with the ECB’s draft Guide on effective risk data aggregation and risk reporting.

Central to this policy are three principles ensuring its alignment with existing national and European legislation, including the forthcoming Digital Operational Resilience Act (DORA) for the financial sector. The principles of proportionality and supervisory judgement will guide the application of these expectations, taking into account the size of the bank, its exposure to ICT and security risks, and the specific management position in question.

The policy outlines specific expectations for members of the management body and internal control functions, emphasizing the need for a deep understanding of ICT and security risks. This includes the necessity for at least one non-executive member of the management body to have recent and relevant expertise in these areas. Additionally, the policy encourages regular training for all management body members to maintain up-to-date knowledge and skills essential for assessing and managing the bank’s ICT and security risks effectively.

The ECB’s new policy highlights the importance of sound internal governance arrangements in safeguarding against ICT and security risks. It reflects the ECB’s recognition of the evolving challenges banks face in this area and its commitment to assessing and potentially updating its policy based on its impact on bank boards’ collective knowledge.

“The ECB is aware of the challenges that banks are facing in managing their ICT and security risks, as well as the continuously evolving landscape in this regard. Therefore, based on the implementation of the policy, the ECB will assess its impact on bank boards’ collective knowledge and may consider updating its policy in the medium term.”

Copyright © 2024 RegTech Analyst
