ICT & Security Risk Management

ICT Governance / ICT Strategy

The Licence Holder should ensure that there is an adequate internal governance and internal control framework in place covering ICT risk management as part of an overarching operational risk management framework, in accordance with all applicable legal and regulatory requirements, and sector-specific guidelines. The License Holder should set clear roles and responsibilities on ICT management, cybersecurity/information security management, as well as business continuity management

ICT risk management

Licence Holders should identify and manage their ICT risks according to the three lines of defence model or similar internal control framework in use at their organisation that is approved by the Authority, and that ensures similar outcomes without prejudice to the Principle of Proportionality, applicable Acts, Regulations, rules or sector-specific guidelines.

The control framework governing ICT risk should include processes in place to:

a) determine an appropriate risk appetite for ICT risks;

b) identify and assess the ICT risks the Licence Holder is exposed to via an ICT risk assessment;

c) define mitigation measures, including controls, to mitigate ICT risks;

d) monitor the effectiveness of the controls implemented vis-à-vis the number of reported incidents affecting the ICT related activities;

e) report internally to the management body on the ICT risks and controls;

f) identify and assess whether new risks arise resulting from major changes to ICT systems or ICT services, IT processes or procedures, and/or after any significant operational security incident.

The framework should reflect a dynamic modus operandi, continually being updated and tweaked to reflect best practice, and formally documented.

Furthermore, Licence Holders should identify, establish and regularly update business function mappings. Mappings should include roles and supporting processes to identify key important areas and their respective ICT risks. Critical ICT systems and services are those that should fulfil at least one of the following conditions:

a) Support core business operations and/or distribution channels of the Licence Holders;

b) Support essential governance processes and corporate functions, including risk management;

c) Emanate from regulatory or commercial requirements that impose heightened availability, resilience, confidentiality or security requirements;

d) Process or store confidential / sensitive data to which unauthorised access would significantly impact the Licence Holder’s reputation, financial results or the soundness and continuity of its business;

e) Provide baseline functionalities that are vital for the adequate functioning of the Licence Holders.

Business functions need to be categorised in categories such as supporting process, information assets, various ICT systems (software and hardware components) making up the technology arrangement, and other physical assets such as server rooms and workplaces, in terms of criticality.

A risk assessment should be carried out and documented on at least an annual basis. When there are major changes to the IT infrastructure, IT process or procedures affecting the business functions, supporting processes or information assets should trigger an immediate update to the current risk assessment of Licence Holders. The ICT risk assessment is a key milestone in the management of ICT risk and should be proportionate to the size, structure and operational environment of the Licence Holders as well as the nature, scale and complexity of its activities. The ICT risk assessment would also determine which measures are required to mitigate the identified ICT risks to an acceptable level. The ICT Risk Assessment should be documented and reported to the Management Body in a timely manner, and, where applicable, to Authorities if when and requested.