[OR] [RBI] [15] Information and Communication Technology (ICT) including Cyber Security

Strengthening ICT Risk Management and Cybersecurity for Operational Resilience

Financial institutions must prioritize robust Information and Communication Technology (ICT) risk management in today's technology-driven environment to ensure operational resilience. Effective ICT performance and security are critical for regulated entities (REs) to conduct business smoothly, manage operational risks, and safeguard their strategic objectives.

Principle 15: Comprehensive Strengthening ICT Risk Management and Cybersecurity for Operational Resilience

Emphasizes the importance of comprehensive ICT (Information and Communication Technology) risk management and cybersecurity as fundamental pillars for operational resilience, especially in a rapidly evolving digital landscape. This principle advocates for financial institutions to adopt a holistic approach to identifying, assessing, and mitigating ICT-related risks that could compromise critical operations. By implementing robust cybersecurity measures, continuous monitoring, and regular stress testing, institutions can protect against cyber threats and ensure their systems' integrity, availability, and confidentiality. Strengthening ICT risk management and cybersecurity is essential for safeguarding assets and sensitive information and maintaining trust and stability within the financial sector.

Critical Components of ICT Risk Management

ICT risk management encompasses several core functions, including:

• Risk Identification and Assessment: Identifying critical information, assets, and infrastructure vulnerable to ICT-related risks such as cyberattacks and system failures.
• Mitigation Measures: Implementing risk-reduction strategies, such as cybersecurity protocols, recovery programs, change management, and incident management processes, to minimize exposure to operational losses, reputational damage, or legal claims.
• Monitoring and Testing: Continuously monitoring these mitigation measures through regular tests and updates to ensure ongoing protection against evolving threats.

Governance and Oversight

The success of ICT risk management depends heavily on governance and oversight:

• Board Oversight: The Board of Directors or its relevant committees should regularly review the effectiveness of ICT risk management frameworks.
• Senior Management Involvement: Management must routinely assess and align ICT risk strategies with the broader organizational goals, ensuring they comply with privacy laws and risk appetite statements.

Regular evaluations of cybersecurity controls, incident response mechanisms, and disaster recovery plans are essential to maintain data and system confidentiality, integrity, and availability.

Enhancing Cybersecurity Posture

Financial institutions should follow best practices and industry standards to address emerging risks. This includes:

• Frequent **vulnerability testing** of critical information assets to ensure resilience against cyber threats.
• A focus on **ICT readiness** for stressed scenarios, including remote access and rapid infrastructure deployment in disruptive events.
• Prioritization of **cybersecurity efforts** based on the significance of critical information assets and compliance with regulatory requirements.

Preparedness for Cyber Incidents

Given the reliance on technology, REs must develop and implement robust plans to protect critical data during cyber events. This includes:

• Secure storage of essential data on **offline backup systems** to protect against ransomware and other cyber threats.
• 
  Continuous updates to ICT systems to maintain a strong security posture and readiness for potential breaches.

By embedding strong ICT risk management practices into their operational frameworks, REs can significantly reduce operational risk exposure and ensure the resilience of critical operations in an increasingly digital landscape.

More Information About Blended Learning OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.