Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following:
- an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;
- a procedure and a methodology to conduct the ICT risk assessment, identifying:
- vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions;
- the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);
- the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a);
- for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c):
- provisions on the identification of those residual ICT risks;
- the assignment of roles and responsibilities regarding:
- the acceptance of the residual ICT risks that exceed the financial entity’s risk tolerance level referred to in point (a);
- for the review process referred to in point (iv) of this point (d);
- the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance;
- provisions on the review of the accepted residual ICT risks at least once a year, including:
- the identification of any changes to the residual ICT risks;
- the assessment of available mitigation measures;
- the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review;
- provisions on the monitoring of:
- any changes to the ICT risk and cyber threat landscape;
- internal and external vulnerabilities and threats:
- ICT risk of the financial entity that enables promp detection of changes that could affect its ICT risk profile;
- provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account.
For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure:
- the monitoring of the effectiveness of the ICT risk treatment measures implemented;
- the assessment of whether the established risk tolerance levels of the financial entity have been attained;
- the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary.