A&O Shearman | FinReg | BCBS report on ICT risk management for non-malicious incidents
Financial Regulatory Developments Focus
  • BCBS report on ICT risk management for non-malicious incidents

    2 June 2026
    The Basel Committee on Banking Supervision (BCBS) has published a report outlining observed practices in banks' information and communication technology (ICT) risk. The report aims to compare regulatory, supervisory and industry practices across jurisdictions relevant to addressing non-malicious ICT incidents in global systemically important banks, domestic systemically important banks and other banks of interest (e.g., digital-only banks) that affect the delivery of critical operations. It complements the BCBS's earlier cyber resilience work.

    Drawing on a survey of 16 jurisdictions and industry engagement, the BCBS identifies key findings, including that non-malicious ICT incidents have varied across jurisdictions in recent years and are mostly driven by change control gaps, weaknesses in system design, capacity and performance issues, and failures linked to external dependencies. The report highlights core practices adopted by banks relating to governance, business continuity, change management, technology solutions and third-party risk management. It is intended to serve as a reference point for firms and supervisors in strengthening their ICT risk management practices for their specific circumstances. The BCBS will continue to monitor developments related to the digitalisation of finance and financial technology from a prudential perspective, including developments in AI models and the implications for banks' cybersecurity.
