IT risk management under the scrutiny of regulators


Kees van der Vlies

Partner | IT Auditor


Dutch regulators such as DNB (De Nederlandsche Bank) and the AFM (Netherlands Authority for the Financial Markets) treat IT risk management as a core part of their supervisory activities. For financial institutions this is no longer an IT department issue, but a top level management concern.

DNB and the AFM regularly send questionnaires to banks and insurers about their IT risk management practices. They ask in detail about governance, risk classification, incident management, third party management, and business continuity. The answers determine when inspectors go on site.

Governance is where regulators look most closely. They want to see that the CEO, CFO and Chief Risk Officer are formally accountable for IT risks, not only the CTO. Board reports must address IT risks explicitly. This is a paradigm shift for many organisations: IT is no longer 'back office'.

Regulators assess how organisations identify and prioritise critical IT systems. Which systems are 'critical to operations'? If these systems go down, the bank cannot function commercially. These are the systems for which regulators consistently require additional controls.

Incident management is also examined intensively. When cyber incidents occur, regulators want to see that: (a) incidents are detected quickly, (b) reported correctly to management and regulators, (c) investigated promptly, and (d) lessons are learned and built in.

Third party risk management is a growing focus. Regulators recognise that many IT risks originate with external suppliers. They check whether organisations carry out adequate due diligence, impose contractual requirements, and monitor their suppliers.

Business continuity and disaster recovery are also critical. Regulators want to see that organisations can recover from major IT outages. This requires testing, scenario planning, and investment in redundancy and geographical spread.

Supervision has become stricter as a result of incidents in the fintech landscape. Breaches, ransomware attacks, and service outages have demonstrated that IT risks threaten financial stability. This has sharpened supervisory priorities.

For organisations under supervision: we help you build or improve your IT risk management practices so that you meet regulator expectations. Our auditors have direct experience with supervisory evaluations. Get in touch for an assessment.
