Europejski Urząd Nadzoru Bankowego, Raport ze wzajemnej oceny szacowania ryzyka ICT na bazie SREP

EBA/REP/2022/25

17 OCTOBER 2022

REPORT ON THE PEER REVIEW ON ICT RISK ASSESSMENT UNDER THE SREP

Executive Summary

The findings from the EBA peer review on the ICT risk assessment under the SREP suggest that competent authorities (CAs) across the EU have largely implemented the EBA Guidelines on ICT Risk Assessment under the SREP and applied the Guidelines in their supervisory practices. The CAs generally apply a risk-based approach to the supervision of ICT risk where the frequency and depth of the assessments correlate with the level of ICT risk of the institutions. The main challenges faced by CAs are building the necessary ICT supervisory capacity and expertise, applying proportionality in the assessment, and incorporating the ICT risk assessment into the overall SREP. No significant concerns regarding the ICT risk assessment under the SREP were identified in the course of the peer review, but the EBA makes a number of recommendations for further improvements of supervisory practices.