MACURA | Unique expert knowledge


DORA – ICT Risk and Incident Management

Continuing our discussion of cybersecurity-related issues, this time we turn to risk management in the area of ICT. The article is based on a webinar held on 21 October 2024, conducted by attorney-at-law Monika Macura, on the fundamental threats, regulations, and best practices in the field of cybersecurity for financial institutions. The full recording of the webinar “Cybersecurity in Payment Solutions” is available on the YouTube channel.

ICT Risk Management

Managing risks related to information and communication technologies (ICT) is a fundamental requirement for financial institutions using payment systems, which includes the obligations to:

  • introduce a coherent organization and ICT risk management framework;
  • ensure that the management body of the financial entity defines, approves, and supervises the implementation of all arrangements regarding the ICT risk management framework;
  • use and maintain updated ICT systems, protocols, and tools;
  • identify, classify, and document ICT-based business functions;
  • monitor and control the security of ICT systems, protocols, and tools;
  • detect, respond to incidents, and restore functionality;
  • implement a comprehensive ICT business continuity policy;
  • develop and document backup creation rules;
  • conduct periodic reviews, reporting, and improvements.

ICT Incident Management

ICT incident management primarily involves the obligation to establish measures for detecting, managing, recording, and notifying ICT-related incidents, to classify incidents properly on the basis of established criteria, to report major ICT-related incidents to the designated competent authority, and to unify incident reporting for payment services (PSD2).

Digital Resilience Testing

Digital resilience testing covers the obligations to:

  • establish, maintain, and verify robust and comprehensive operational resilience testing programs;
  • test ICT tools and systems;
  • conduct periodic penetration tests;
  • perform advanced testing of ICT tools, systems, and processes using TLPT (threat-led penetration testing).

Legal Documentation Framework for ICT Risk Management

The documentation framework includes:

  • risk management policy;
  • digital operational resilience strategy;
  • security policy;
  • business continuity policy / disaster recovery plan;
  • incident management process, including incident response procedures;
  • operational resilience testing procedure;
  • ICT services risk strategy, including risks from external ICT service providers;
  • backup creation procedures, as well as procedures and methods for data restoration and recovery;
  • other required documents describing the information security management system.

Risk Management of External ICT Providers

The obligation to manage third-party risk is an integral part of the overall ICT risk and includes:

  • the obligation to ensure that concluded ICT service agreements comply with established requirements;
  • the obligation to maintain a register of contracts.

Outsourcing of Payment Services

The delegation of certain operational activities related to the provision of payment services or electronic money issuance (including critical activities) is defined in Article 86 of the Payment Services Act.

It is worth paying attention to the conditions for delegating payment services to an insourcer, according to which:

  • the delegation shall not adversely affect the company’s operations in accordance with legal provisions and the license granted to it, nor the prudent and stable management of the company;
  • the insourcer has the authority to perform activities under the contract;
  • the insourcer has the necessary knowledge and experience and ensures the technical and organizational conditions required for the proper execution of the outsourcing agreement, in particular, has an appropriate risk management system meeting at least the standard required of a payment institution, appropriate technical and technological infrastructure, reporting capacity covering information on the service delivery process in line with the company’s requirements;
  • the financial situation of the insourcer allows for proper execution of the agreement;
  • the insourcer enables the company to effectively supervise the execution of delegated activities and manage the associated risk;
  • the company has access to information and documents related to the execution of activities entrusted to the insourcer;
  • the company has a contingency plan to ensure continuous, secure, and uninterrupted business operations in the scope covered by the agreement, also in the event of termination of the agreement.

The outsourcing regime is supplemented by soft law instruments, including:

  • KNF Recommendation D on the management of IT and security of the ICT environment in banks;
  • KNF Recommendation M on operational risk management in banks;
  • EBA Guidelines on outsourcing dated 25.02.2019;
  • EBA Guidelines on ICT and security risk management dated 28.11.2019;
  • Position of the Polish Financial Supervision Authority (UKNF) on outsourcing;
  • UKNF communication on cloud computing and the Q&A module on the application of the UKNF communication on cloud computing.

The policy on using ICT service providers should define:

  • measures and key indicators for ongoing monitoring of external ICT service providers’ performance;
  • principles for reporting activities and services;
  • principles for assessing ICT providers’ performance using KPIs, key control indicators, audits, self-certification, and independent reviews;
  • rules for notifying incidents;
  • measures applied by the financial entity in case of deficiencies on the part of the ICT provider;
  • exit plan from the agreement with the ICT provider, covering, among others, unforeseen and permanent service interruptions, inappropriate or discontinued service provision, unexpected contract termination;
  • rules for entering into contracts with ICT providers supporting critical or important functions and the appointment of a responsible person;
  • type of ICT services, place of service provision, ICT provider’s registered office, reference to the provider’s group affiliation;
  • nature of the data transferred to the ICT provider;
  • rules for using ICT providers authorized to provide services in another Member State;
  • risk of dependency on external ICT providers;
  • rules for migrating ICT services to another provider;
  • impact of ICT service disruptions on the financial entity’s business continuity;
  • rules for auditing and external review of ICT service providers;
  • rules for ICT provider risk assessment;
  • contractual provisions – model clauses.

What ICT service functions are there?

The primary one is ICT development, i.e., services related to business analysis, design, and software development and testing. ICT helpdesk services include helpdesk support and assistance with ICT incidents. ICT security management services cover ICT security, i.e., protection, detection, response, recovery, and handling of security incidents.

Other functions worth mentioning include:

  • Provision of data – data provider services;
  • Data analysis – data analysis support services;
  • ICT facilities and hosting – provision of ICT infrastructure, facilities, and hosting services;
  • Computation – provision of digital processing capacity;
  • Non-Cloud Data storage – provision of data storage platforms (excluding cloud services);
  • Telecom carrier – operations for telecom systems and traffic management;
  • Network infrastructure – provision of network infrastructure;
  • Hardware and physical devices – supply of workstations, phones, servers, data storage devices;
  • Software licensing – supply of locally running software;
  • ICT operation management – services related to infrastructure configuration, maintenance, installation, capacity management;
  • ICT Consulting – provision of ICT knowledge services;
  • ICT risk management – verification of compliance with risk management requirements;
  • Infrastructure-as-a-Service / Platform-as-a-Service / Software-as-a-Service.

Model Contractual Clauses – ZBP Guidelines

Model clauses concerning cooperation with providers supporting critical or important services include rules and provisions regarding:

  • termination of the contract;
  • determination of the place of service provision;
  • data security and rules for informing about data security incidents;
  • provision of reports on ICT security and business continuity measures and testing;
  • return, deletion, and access to data;
  • cooperation of the provider with the financial entity;
  • penetration testing;
  • audit (including internal control audits and financial audits);
  • as well as alternative levels of safeguards, provider obligations in the context of subcontractor agreements, incident response plans and business continuity plans, exit strategies, and guaranteed service levels (SLA).
