Information security in financial sector entities is assessed in several stages. Information security refers to arrangements aimed at ensuring the confidentiality, integrity and availability of information.1
Information security requirements for the financial sector are laid down in legislation and the FIN-FSA’s regulations and guidelines
Supervision of information security is an integral part of the supervision of the operational risks2 of service providers in the financial sector, which is one of the FIN-FSA’s basic tasks. The requirements for information security are laid down in several special acts, and financial sector participants must comply with them. For example, the Credit Institutions Act stipulates that a credit institution must must have measures to identify, assess and manage operational risks. A credit institution must have adequate, safe and reliable payment, securities and other information systems. A credit institution must also ensure that contingency and business continuity plans are in place to ensure its ability to operate on an ongoing basis and limit losses in the event of severe business disruption.
The FIN-FSA has been given, in several special acts, powers to issue more detailed regulations and guidelines on the adequate level of information security in its supervised entities.3
Information security is assessed already prior to start-up of activity
Operating in the financial sector is subject to authorisation. Only applicants that meet the minimum regulatory requirements may be authorised to carry out activities in the sector. In order for authorisation to be granted, the applicant entity must demonstrate that it meets the requirements for operational risk management. Applicants often demonstrate that they meet the information security requirements by obtaining an external independent assessor’s statement on information security (auditing).
Once authorisation has been granted, the entity becomes an entity supervised by the FIN-FSA and is subject to ongoing supervision. The FIN-FSA may conduct a supervisor’s review and evaluation (risk assessment, SREP) of the supervised entity, which may also comprise an assessment of the entity’s compliance with information security requirements. Other instruments available to the supervisor include inspections and assessments of outsourcing in the case of outsourcing of material IT activities.
Information security must also be taken into account when provision of services is to be discontinued. A plan in case of the cessation of service provision or the transfer of services is often required already when an entity applies for authorisation.
1 Confidentiality means that information is only available to authorised users and is not disclosed to others. Integrity means that information has not been modified without authorisation or by accident and that any changes can be verified. Availability refers to how information, an information system or a service can be used at the desired time and in the required manner. Availability also includes the aspect that there are necessary back-up facilities in place in case of faults and disruptions.
2 Operational risk means the risk of loss associated with
• inadequate or failed internal processes
• external factors.
3 See e.g. Regulations and Guidelines 8/2014, Management of operational risk in supervised entities of the financial sector