While Europe’s financial institutions are struggling to absorb the shock caused by the COVID-19 pandemic, security risks and the frequency of Information and Communications Technology (ICT) and security-related incidents (including cyber incidents) are rising, which, in turn, has the potential to adversely impact financial institutions’ operational functioning.

The financial sector’s increasing digitalisation and the growing interconnectedness between financial institutions and third parties make financial institutions’ operations vulnerable to internal and external ICT and security risks that could potentially compromise their viability. As a result, sound ICT and security risk management are key for a financial institution to achieve its strategic, corporate, operational and reputational objectives.

For this reason, the European Banking Authority (EBA) issued its Guidelines on ICT and security risk management which entered into force on 30 June 2020. These guidelines set out EBA’s expectations on how financial institutions should manage the internal and external ICT and security risks.

Do you meet the requirements?

  • Financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management and mitigation of ICT and security risks through an independent and objective control function, appropriately segregated from ICT operations processes and not responsible for any internal audit, and an independent internal audit function.
  • Maintain up-to-date inventories of business functions and assess the operational risks related to ICT and the security risks and determine what measures are required to mitigate the identified risks.
  • Requirements to implement effective information security measures, including having an information security policy in place; establishing, implementing and testing information security measures; and establishing a training programme for all staff and contractors.
  • Requirements for ICT operations management including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery
  • Requirements for ICT project and change management, including the acquisition, development and maintenance of ICT systems and services.
  • Business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results. Ensure effective crisis communication measures in place so that all relevant internal and external stakeholders can be informed in a timely manner.

If you don’t know where to start and are uncertain as to the security risks that exist in your organisation and how they should be identified and controlled, we are here to help you.

How can MAPiTek assist you?

MAPiTek has extensive knowledge in helping firms comply with mandated regulations and guidelines and in providing solutions relating to each firm’s risk profile. We are committed to our goal of supporting the financial industry with expert guidance and advise on how to manage your ICT and information security risks, through our bespoke services:


Our bespoke Information security risk and auditing services are at your disposal to ensure compliance and add the value which contributes to building necessary trust in your organisation.

We can act as an extension of your internal audit where you need additional expertise for ICT and security risks audit. Furthermore, we can audit your third-party vendors/ service providers and provide you with the necessary assurance form your outsourced operations. We take out the burden of translating the complex cybersecurity and IT technical issues, break the silos and provide business actionable recommendation which your board and top team members can use for effective decision making.


We are well aware that many recommendations and obligations which relate to the field of your ICT infrastructure and the security posture of your organisation may be overwhelming, we are at your disposal to support you through our cybersecurity advisory services.

We will review and analyse security risks and perform a gap analysis to enable your organisation prioritise those actions and take the necessary measures to protect your assets and comply with legal and other requirements in terms of information and personal data protection.