LU - Circular on requirements regarding IT risk management

14/01/2021

On 25 August 2020, the “Commission de Surveillance du Secteur Financier” (CSSF) published Circular 20/750 on requirements regarding information and communication technology (ICT) and security risk management, implementing in Luxembourg the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04, “the guidelines”).

The guidelines set out the requirements for credit institutions, investment firms, payment institutions and electronic money institutions to identify, mitigate and manage their ICT risks, with the aim of ensuring a consistent and robust approach across all European Union (EU) member states. In Luxembourg, the circular goes further and extends the scope of the guidelines to all professionals of the financial sector.

The guidelines give financial institutions a clearer understanding of supervisory expectations for ICT and security risk management, covering ICT governance and strategy, the ICT risk management framework, information security, ICT operations management, ICT project and change management, and business continuity management. They are principles-based and flexible enough to be applied proportionately to all of the sector’s relevant institutions.