The Austrian Financial Market Authority (FMA) published a Guide on Security of information and communication technology (ICT) in credit institutions today. With the increasing significance of information and communication technology in banks, the associated risks are also growing. If IT systems fail or are misused, e.g. as a result of technical shortcomings or hacker attacks, individual institutions, their customers, and even the stability of the financial market may suffer considerable damage. “The opportunities and threats from the digitalisation of the financial market are currently one of the FMA’s major thematic focuses. In this Guide we exchange what we expect from banks in relation to IT security. This provides transparency for institutions and increases the confidence of bank customers in digital technologies and data protection”, commented the FMA’s Executive Directors, Helmut Ettl and Klaus Kumpfmüller.
The Guide summarises the FMA’s expectations with regard to institutions’ IT security management:
- The management of IT risks is to be addressed within an IT strategy. This requires institutions to establish an IT Governance unit and to issue the corresponding internal security policies.
- Both the hardware and software in IT systems must be kept at an acceptable technical level.
- The function of an information security officer is to be established, with central responsibility for information security within the institution and towards third parties.
The Guide also refers to the requirements that must be complied with in the case of outsourcing of IT services to third-party providers, including cloud-based providers.
In the implementation of the Guide, the nature, scale and complexity of the activities and the risk structure of the institution may be taken into account on an individual basis. By doing so, the FMA sticks steadfastly to the principle of proportionality with regard to its supervisory requirements. A higher degree of risk is associated with increased requirements for IT risk management.
Financial market players are increasingly backing digital technologies, on the one hand to be able to design their internal procedures more efficiently and on the other hand in response to the increased interest of customers in digital services. In addition to many advantages, this also exposes companies to new hazards and risks. In recent years major attacks on corporate IT systems have become public and have highlighted the vulnerability of IT infrastructures.
The “FMA Guide on ICT Security in Credit Institutions” is the first stage of a comprehensive and cross-sector initiative in relation to IT security in the Austrian financial market. Similar Guides for insurance undertakings and pension funds (Pensionskassen) as well as for investment firms and asset managers will enter a round of public consultation this month. Since the end of April, the FMA has also been an active member of the Cyber Security Platform housed in the Federal Chancellery. FMA Executive Board Members Helmut Ettl and Klaus Kumpfmüller remarked: “In recent years we have extended the FMA’s IT competence and have incorporated it into a competence centre for IT security and digitalisation.”
The “FMA Guide on ICT Security in Credit Institutions” can be found on the FMA website at https://www.fma.gv.at/en/fma/fma-guides/.
Journalists may address further enquiries to:
Mr. Stefan Maier
+43/(0)676/882 49 426