Version date: 31 March 2021 - onwards

Information and communication technology (paras. 58-62)

Principle 10: Banks should implement a robust ICT ["Information and communication technology" refers to the underlying physical and logical design of information technology and communication systems, the individual hardware and software components, data, and the operating environments.] risk management programme in alignment with their operational risk management framework.

58. Effective ICT performance and security are paramount for a bank to conduct its business properly. The appropriate use and implementation of sound ICT risk management contributes to the effectiveness of the control environment and is fundamental to the achievement of a bank's strategic objectives. A bank's ICT risk assessment should ensure that its ICT fully supports and facilitates its operations. ICT risk management should reduce a bank's operational risk exposure to direct losses, legal claims, reputational damage, ICT disruption and misuse of technology in alignment with its risk appetite and tolerance statement.

59. ICT risk management includes:

a) ICT risk identification and assessment.

b) ICT risk mitigation measures consistent with the assessed risk level (eg cybersecurity, response and recovery programmes, ICT change management processes, ICT incident management processes, including relevant information transmission to users on a timely basis).

c) Monitoring of these mitigation measures (including regular tests).