The importance of IT Risk and Cyber Security issues has grown increasingly in line with the business’s development towards digital and data-driven models. Recent years have seen a sharp increase in the use of digital services by bank clients, and the IT and security risks associated with such activities have risen proportionately. This means that companies are increasingly required to implement new technology solutions with innovative and interconnected approaches and architectural models that are able to mitigate the related IT risk.

Within the Group we have adopted an IT Risk Framework to guarantee IT risks are governed and monitored, and to ensure protection against cyber threats through specific capabilities in IT risk management, coverage of information security activities, and security incident/IT fraud prevention and mitigation. The culture of cyber risk and cyber security is also embedded through an awareness programme rolled out to all Group staff, which is updated continuously to keep pace with the developments in terms of threats.

The strategy defined by the IT Risk Framework uses a risk-based approach. The technical choices are then driven by the size and type of risk that has to be mitigated.
The Framework is implemented through the following four approaches:

  • Preventative:
    A priori analysis of the whole IT system, seeking for flaws or vulnerabilities that could lead to attacks, before the attacks actually occur.
  • Predictive:
    Analysing information obtained from different sources (including deep and dark web services) to anticipate security measures able to block new threats, vulnerabilities or techniques of attack. The scope of this activity is limited to the financial sector, but without losing sight of geopolitical trends;
    Seeking to understand the business context, the components that support critical functions, and the related IT risks.
  • Proactive:
    Limiting the impact of a potential impact by managing identities and access, protecting data and systems, and implementing security procedures and processes;
    identifying the occurrence of risk events that could compromise protection of the Group’s IT capital.
  • Reactive:
    Managing events/incidents and restoring operations, limiting the impact on business (resilience) and avoiding possible reputational impact (vis-à-vis clients and stakeholders).
P34 RPA

We devote unceasing attention to monitoring the developments entailed by changes in technology, because they potentially expose companies to new risks (for example those entailed by the development of cloud computing), and to emerging risks (such as those associated with third parties) which require new measures and controls. We are reading for the need to implement new technologies that provide tools which are fit for the purpose of implementing adequate mitigation plans: sophisticated cyber threat intelligence and security rating instruments, for example, enhance visibility of the new attack surfaces extending along the digital supply chain, and assess the degree of exposure to cyber risk scenarios.

We also monitor the provision of critical services at Group level with a dedicated Business Continuity team responsible for ensuring that the IT infrastructure is adequate for the requirements in terms of the availability of the business processes.

The authorities too are focusing increasing attention on the issue of digital operational resilience, in particular since the pandemic in recent years has highlighted the need for more robust digital infrastructures, those used in the financial sector especially.

Sector regulation has for some time now been emphasizing the need for solid risk management in relation to risks deriving from the adoption of information and communication technologies, and more recently, the issue of digital operational resilience has been the subject of specific measures introduced at EU as well as national level.

On one hand, this new regulatory scenario is a major challenge for us, because it forces us to focus consistent efforts on responding to the regulator’s expectations. On the other, it also gives us a significant opportunity to strengthen our competitive positioning and increase our digital operational resilience, ensuring improved business continuity levels even in stress scenarios, and so enhancing market and consumer confidence in us.
For this reason we are committed to investing in innovative technologies and IT and security risk management solutions that are always aligned with the scenario in which we operate and the risks to which we are exposed, at the same time ensuring adequate training is provided to our staff to tackle the challenges posed by digital transformation.
Digital operational resilience is a priority for us, not just in order to comply with the regulator’s requirements, but also to improve our competitiveness and the quality of our services.