IT Risk and cybersecurity
The importance of IT risk and cyber security issues has grown increasingly in recent years, in line with the development of the Group’s business towards digital and data-driven models. In recent years there has been a sharp increase in the use of digital services by bank clients, and the IT and security risks related to such activities have also grown accordingly. This means that companies are required to implement new technology solutions featuring innovative and interconnected approaches and architectural models that are capable of mitigating the related IT risk.
Within the Group we have adopted an IT Risk framework in order to guarantee that IT risks are governed and monitored, and to ensure protection from cyber threats through specific IT risk management capabilities, information security governance, and security incident/IT fraud prevention and mitigation activities. A cyber risk and cyber security culture is also embedded through an awareness campaign rolled out to all Group staff members, which is updated on an ongoing basis to keep pace with developments in terms of threats.
The IT strategy defined by the IT risk framework features a risk-based approach. The choices made at the technology level are then geared to the size and type of risk to be mitigated.
The framework is applied through the implementation of four approaches:
Preventative:
- A priori analysis of the whole IT system, looking for flaws or vulnerabilities that could lead to attacks before the attacks occur.
Predictive:
- Analysing information obtained from various sources (including deep and dark web services), in order to put security measures in place in advance to block new threats, vulnerabilities or attack techniques. The scope of this activity is limited to the financial sector, but it also takes account of geopolitical trends.
- Seeking to understand the business scenario, the components which support critical functions, and the related IT risks.
Proactive:
- Limiting the impacts of a potential incident by managing identity and access, protecting data and systems, and enforcing security procedures and processes.
- Identifying the occurrence of risk events that could compromise the protection of the Group’s information capital.
Reactive:
- Managing events and incidents and restoring operations, limiting the impacts on the business (resilience), and avoiding possible reputational impacts (vis-à-vis clients and stakeholders).

We consistently monitor developments in relation to changes in technology, as they potentially expose companies to new risks (e.g. those related to the use of cloud-based solutions) or to emerging risks (e.g. those related to third parties) which require new measures and new controls to be put in place. We are ready to implement new technologies that provide the tools required for adequate mitigation plans to be adopted: for instance, sophisticated cyber threat intelligence and security rating instruments provide enhanced visibility of the new attack surfaces that extend across the digital supply chain, and assess the degree of exposure to cyber risk scenarios.
We also monitor the provision of critical services at Group level through a dedicated Business Continuity team responsible for ensuring that the IT infrastructure is adequate for the requirements in terms of the availability of the business processes.
The supervisory authorities are also focusing increasing attention on the issue of digital operational resilience, in particular since the pandemic, which has highlighted the need for more robust digital infrastructures, especially those used in the financial sector.
Sector regulation has for some time now been emphasizing the need for solid management of the risks resulting from the adoption of information and communication technologies, and more recently, the issue of digital operational resilience has been the subject of specific measures introduced at EU as well as national level.
In one sense this new regulatory scenario represents a major challenge for us, in that it forces us to guarantee ongoing commitment to meeting the regulatory authorities’ expectations. At the same time, however, it also represents a major opportunity for us to strengthen our competitive position and increase our digital operational resilience, ensuring higher business continuity levels even in stress situations, and improved market and consumer confidence in us.
For this reason we are committed to investing in innovative technologies and in IT and security risk management solutions that are continually aligned with the scenario in which we operate and the risks to which we are exposed, at the same time ensuring adequate staff training is provided to tackle the challenges posed by the digital transformation.
Digital operational resilience is a priority for us, not just in order to comply with the regulatory requirements, but also to improve our competitiveness and the quality of our services.