DNB has released an updated Q&A and the Good Practice Information Security 2023 on Open Book Supervision.
The Good Practice provides supervised institutions with current guidelines and control measures to comply with legal requirements, ensuring the continuous availability, integrity, confidentiality, and authenticity of automated data processing.
The update is motivated by DNB’s findings in supervision investigations and the TIBER program, where it encountered examples of effective control measures for managing information security risks. Additionally, input from various financial sectors contributed to improvements on the Good Practice Information Security 2019/2020.
The Good Practice Information Security 2023 follows the same structure as the 2019/2020 version but represents a deeper and more stringent approach in response to increasing and evolving cyber threats.
The key changes include:
– Focus on the digital operational resilience strategy in the short, medium, and long term, outlining the execution of the Risk Management Framework, including oversight of third parties
– Risk-based implementation for each control, allowing institutions to tailor information security measures to their specific needs
– Conducting a business impact analysis to assess an institution’s exposure to severe business disruptions and their potential consequences
– Emphasizing the desired role of the board in information security, explicitly naming the role in certain controls
– Developing and maintaining knowledge for daily management, boards, supervisory boards, and key function holders through targeted training to understand and address key IT and cyber risks
– Addressing opportunities and risks related to technological developments such as quantum computing and artificial intelligence
For ongoing investigations and the sector-wide analysis of information security in 2024, the Good Practice Information Security 2019/2020 remains the basis. However, from the second quarter of 2024 onwards, DNB will generally apply the Good Practice Information Security 2023 for new investigations and supervision activities.
The updated Q&A addresses the question: “How can institutions under DNB’s supervision comply with the statutory requirements regarding the integrity, continuous availability and security of electronic data processing?”
The answer provided is that institutions supervised by DNB must implement measures to control IT risks, ensuring the integrity and security of electronic data. These measures, guided by risk analysis, cover technology, human actions, processes, and facilities. Regular assessments and adjustments are made to address evolving information security risks. Governance and organizational structures guide this process, encompassing outsourced activities and resilience testing. The associated Good Practices offer practical guidance, recommending control measures in various areas to meet regulatory requirements.
The answer has been amended to include sections on (sub)outsourcing, governance & key functions, training & education, and a definition of information security & cybersecurity.