Читать книгу Non-financial Risk Management in the Financial Industry - Группа авторов - Страница 48

ICT risk describes the general threats to IT and communication systems which can disrupt operations. The EBA defines this risk as

“risk of loss due to breach of confidentiality, failure of integrity of systems and data, inappropriateness or unavailability of systems and data or inability to change IT within a reasonable time and with reasonable costs when the environment or business requirements change (i.e., agility). This includes security risks resulting from inadequate or failed internal processes or external events including cyber-attacks or inadequate physical security.”[71]

The core of information security, IT security and cybersecurity lies in the protection of information and data. This is referred to as the protection of assets. Assets can be hardware as well as software, so they can encompass data and information or IT systems, products or processes. The US National Institute of Standards and Technology (NIST) defines information security as the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.

The term ICT risk is mainly used in Europe, with the European Parliament proposing the following definition:

“ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems, including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event – which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects.”[72]

The EBA provides a general definition of ICT risk:

“‘ICT risk’ means the risk of loss due to breach of confidentiality, failure of integrity of systems and data, inappropriateness or unavailability of systems and data, or inability to change IT within a reasonable time and costs when the environment or business requirements change (i.e. agility).”[73]

Accordingly, the aim of any policies “should ensure confidentiality, integrity and availability of a financial institution’s critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use.”[74]

The EBA also provides a view on ICT and security risks from a payment perspective, stating that the

“term ‘ICT and security risks’ addresses the operational and security risks mandate of Article 95 of the revised Payments Services Directive (PSD2). This term recognises that the operational risks for payment services refer predominantly to ICT and security risks because of the electronic nature of payment services (over ICT systems).”[75]

The US National Institute of Standards and Technology (NIST) defines cyber risk as the “risk of depending on cyber resources, i.e. the risk of depending on a system or system elements which exist in or intermittently have a presence in cyberspace.” A more detailed definition of cyber risk, also provided by NIST, is the following:

“Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.”[76]

The Canadian OSFI states that

“‘cyber risk’ or ‘cyber security risk’ is the risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of an institution’s information technology systems and/or the data contained therein.”[77]

The APRA defines data risk as follows:

“Data risk encompasses the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events impacting on data. Consideration of data risk is relevant regardless of whether the data is in hard copy or soft copy form. Examples include: (a) fraud due to theft of data; (b) business disruption due to data corruption or unavailability; (c) execution delivery failure due to inaccurate data; and (d) breach of legal or compliance obligations resulting from disclosure of sensitive data.”[78]

As compared to other risk categories, there are some possible sub-categories to ICT and cyber risks, as described in the following sections.