The SSM supervisory priorities for 2024-26 establish that banks should address the information and communication technology (ICT) and security risks stemming from the digitalisation of banking services.
Amongst other things, this requires a bank’s management body to have a proper understanding of the evolution and materiality of such risks in order to take adequate and timely decisions to manage them.
Over the last few years, however, ongoing supervision has identified deficiencies in the collective knowledge and expertise of supervised banks’ management bodies in the area of ICT and security risks. Against this background, the ECB and national supervisors have collaborated to develop a dedicated policy for assessing the collective knowledge of the management body in the context of fit and proper assessments. This policy contains several key expectations which are also included in the ECB’s draft Guide on effective risk data aggregation and risk reporting.
Key principles
The policy is based on three key principles. First, the expectations do not affect the application of national legal provisions or of any other European legislation, such as the EU’s forthcoming Digital Operational Resilience Act (DORA) for the financial sector; they sit alongside, not above, those rules.
Second, the expectations follow the principle of proportionality in that the size of a bank, its exposure to ICT and security risks, and the management position in question should be given due consideration in any appointment and related fit and proper assessment conducted by the bank and the supervisor.
Finally, the expectations will apply on a case-by-case basis with no automaticity, in line with the principle of supervisory judgement.
Supervisory expectations
According to the policy, a fit and proper assessment must ensure that the following key expectations are met in the area of ICT and security risks.
First, members of the management body and internal control functions, including the heads of risk management, compliance and audit, must have a sufficient understanding of ICT and security risks, as well as the related data and reporting requirements.
Second, when assessing the collective suitability of the members of the management body, their knowledge, skills and experience relating to ICT and security risks should be considered. To this end, the management body should have at least one non-executive member with relevant and recent knowledge of, and expertise in, ICT and security risks (experience has shown that five years of relevant practical experience is an adequate threshold to ensure good management and decision making at board level). When assessing a bank’s fulfilment of this expectation, the ECB will take a risk-based approach in line with the second key principle above.
Finally, as good practice, all members of the management body should undertake regular training (at least once a year) so that each member maintains sufficiently up-to-date knowledge and skills to understand and assess the bank’s business and its main ICT and security risks. As DORA will contain a similar requirement to organise regular training, supervised banks are encouraged to consider organising such training for their board members as early as 2024, which will help ensure a smooth transition to the new rules.
The new policy for assessing board members’ knowledge and experience in the area of ICT and security risks will apply from 1 March 2024. It emphasises the importance of sound internal governance arrangements for supervised banks and, in particular, the key role that the collective suitability of the management body plays in ensuring that a bank’s operations are adequately protected against ICT and security risks. The ECB is aware of the challenges that banks face in managing these risks and of the continuously evolving threat landscape. Based on the implementation of the policy, the ECB will therefore assess its impact on bank boards’ collective knowledge and may consider updating the policy in the medium term.