Basel Committee Surveys Global ICT Risk Management Practices Across Banking Sector

Key Takeaways
  • Focus on Non-Malicious ICT Incidents: The report examines how banks and supervisors manage technology failures, outages, software defects, and other non-malicious ICT incidents that can disrupt critical operations and services.
  • Operational Resilience Is the Core Objective: The Basel Committee reinforces that ICT risk management is a fundamental component of operational risk management and a key contributor to operational resilience.
  • Global Practices Compared: The report identifies and compares observed ICT risk management practices and supervisory approaches across jurisdictions, providing insight into how regulators are addressing technology-related operational risks.
  • Reference Point Rather Than New Rules: The publication does not introduce new requirements but is intended to help banks and supervisory authorities evaluate and strengthen their own ICT risk management frameworks.
  • Digitalization and AI Remain Areas of Supervisory Focus: The Committee said it will continue monitoring developments in financial technology and artificial intelligence, including the implications for banks' cybersecurity and prudential risk management.
Deep Dive

The Basel Committee's latest report examines how banks and regulators are managing the technology failures that happen without malicious intent yet can still disrupt critical services, lock customers out of accounts, interrupt payments, or leave institutions scrambling to restore operations.

The distinction matters. A cyberattack arrives with an obvious adversary. A software defect, failed system upgrade, cloud outage, or infrastructure failure does not. Yet from a customer's perspective, the result may be indistinguishable.

That reality sits at the center of the Basel Committee's new report on information and communication technology (ICT) risk management, which compares observed practices and supervisory approaches across jurisdictions. The publication is intended as a reference point rather than a new set of requirements, offering a snapshot of how banks and regulators are approaching non-malicious technology disruptions as financial services become more dependent on complex digital infrastructure.

The report arrives at a time when operational resilience has moved from a niche supervisory concern to a board-level issue. Regulators around the world have spent the past several years asking banks a deceptively simple question: what happens when the technology stops working?

Answering that question has become more complicated as institutions shift workloads to the cloud, automate more processes, connect larger ecosystems of third-party providers, and layer artificial intelligence tools onto existing technology environments.

The Basel Committee describes ICT as a core component of operational risk management and an important contributor to operational resilience. The report notes that banks' resilience to ICT incidents has become increasingly important in a technology landscape that is both evolving and becoming more digital.

That observation may sound obvious. It is also difficult to argue with.

Modern banking runs on technology that customers rarely see and often assume will always be available. When it works, it is invisible. When it fails, it quickly becomes the only thing anyone notices.

The Committee's report complements its earlier work on cyber resilience by concentrating specifically on non-malicious incidents that affect the delivery of critical operations and services. Rather than focusing on threat actors and attack scenarios, it examines the governance, risk management, supervisory practices, and resilience measures used to address disruptions that originate from within the technology environment itself.

The goal is straightforward. The report seeks to identify, describe, and compare observed ICT risk management practices among banks and supervisory authorities across jurisdictions. The Committee said the practices documented in the report may help banks and regulators assess and develop approaches that fit their own circumstances.

For risk and resilience professionals, the report reflects a broader shift underway in banking supervision. Regulators remain deeply focused on cyber threats, but there is growing recognition that resilience is ultimately tested by disruption itself, not by the source of that disruption.

A payment system does not become less critical because it failed due to a software bug instead of a cyberattack. Customers do not care whether an outage originated from a coding error, a cloud provider issue, or a malicious actor. The operational consequences are often the same.

The Committee indicated it will continue monitoring developments related to the digitalization of finance and financial technology from a prudential perspective. That work will include ongoing exchanges of supervisory insights as well as attention to developments in artificial intelligence models and their implications for banks' cybersecurity.

That final point appears almost in passing near the end of the announcement. It is also likely where many supervisors are already looking next.

As banks adopt AI tools across their operations, the line between technology risk, operational resilience, and cybersecurity continues to blur. The Basel Committee's latest report does not attempt to answer those questions. Instead, it serves as a reminder that long before institutions confront the risks of tomorrow's technologies, they still need to ensure today's systems remain available when customers need them.
