The emergence of cyber-attacks in recent years has heightened concerns about IT risk.

These concerns are not specific to the banking and insurance sectors, but they are of particular relevance to these sectors, which are essential components of a properly functioning economy and key actors in protecting public interests.

To address these concerns, the supervisory authorities have gradually ramped up their actions in this field. International bodies have developed new IT risk rules, and authorities, such as the ACPR, acting in particular within the framework of the European Single Supervisory Mechanism for the banking system, have strengthened their supervision.

This discussion paper emphasises that IT risk management is no longer a topic specific to IT teams, but must be part of an overall approach to risk control and risk management coordinated by the risk management function. Therefore, the operational risk management reference framework must be refined to more effectively include all aspects of IT risk within the recognised categories of operational risk. Under such an organisation, the management body must be directly involved in ensuring the alignment of its IT strategy with its risk appetite, but also in implementing and monitoring the risk management framework.
Based on their supervisory experience, the various departments of the ACPR have developed a definition and classification of IT risk that cover its various aspects and enable treating it globally. Institutions supervised by the ACPR can use this classification to develop or reinforce their own risk map.

This classification covers the three main processes applicable to implementation and management of information systems, i.e. issues in relation to the organisation, proper functioning and security of information systems. For each of these major processes, this discussion paper describes a set of risk factors, which are examined on two levels to enable a fairly detailed analysis. For each risk factor, the main expected measures for mitigating and controlling risks are presented. These measures are optional and institutions can tailor them to their specific context.

They illustrate the best practices usually observed by the ACPR and they aim to create a common ground for controlling IT risk management in the banking and insurance sectors.