ICT security

Article 21, § 1, 7° of the Banking Law stipulates that IT control and security mechanisms should be put in place which are appropriate to the institution's activities and which are sufficiently robust to guarantee the security and authentication of the means of transferring information, minimise the risk of data corruption and unauthorised access and prevent information leaks in order to maintain data confidentiality at all times.

For example, the statutory governing body should ensure that the institution's governance system, in particular the risk management and internal control system, adequately manages the risks related to information and communication technology (ICT) and information security.

The statutory governing body should also ensure that the quantity and skills of the institution’s staff are adequate to support its ICT operational needs and ICT risk management processes and ensure the implementation of its ICT strategy. Furthermore, staff should receive adequate training on information security and the associated risks, on a regular basis.

The statutory governing body has overall responsibility for setting and approving the institution’s written ICT strategy as part of its overall business strategy, as well as for overseeing its communication and implementation. This includes determining the ICT risk tolerance, in accordance with the institution’s risk strategy, and drafting a regular written report about the result of the ICT risk management process.

It is useful for the institution to establish a written information security policy approved by the statutory governing body, which should define the high-level principles and rules to protect the confidentiality, integrity and availability of the institution’s information in order to support the implementation of its ICT strategy. The policy should include a description of the main roles and responsibilities for information security management. Based on this policy, the institution should establish and implement more specific information security procedures and measures to, inter alia, mitigate the ICT and security risks it is exposed to.

Institutions should, as part of their governance system and in accordance with the principle of proportionality, establish an information security function whose tasks should include: (i) providing guidance on the institution's information security vision and strategy, taking into account all relevant information; (ii) ensuring that the information security objectives and measures defined in this strategy are translated into a comprehensive information security policy framework; (iii) properly communicating this information security policy framework to all stakeholders, internally and, as appropriate, externally; (iv) assessing, monitoring and ensuring compliance with the information security strategic framework and, as appropriate, adapting it; and (v) establishing security risk management and reporting processes that are integrated into the institution's overall risk management framework.

Responsibility for the information security function may be assigned to the so-called Chief Information Security Officer (or CISO), who should have a sound knowledge of logical and physical security solutions, a thorough understanding of the institution's business model and organisational structure, and excellent leadership and communication skills.

The information security function should be a senior function (“N-1” level) within the institution that can report directly to the statutory governing body and the management committee. Institutions should ensure the independence and objectivity of the information security function by separating it appropriately from the processes related to ICT development and operations. To avoid any potential conflict of interest, it is recommended that institutions take the following measures: describe the function and tasks of the CISO and the information security function as a whole; determine the resources needed for the information security function; designate a budget for information security training sessions within the institution and for the training of the CISO and his or her staff; ensure that the CISO function is independent of the services responsible for the operation and development of ICT systems; and ensure that the CISO is not involved in internal audit activities.

For further information, please refer to the relevant thematic NBB circulars and to the document entitled Sound Practices for the Management and Supervision of Operational Risk, published by the Basel Committee on Banking Supervision on 30 June 2011. In exercising its supervision, the NBB takes into account the guidelines contained in this reference document; see, in this respect, Communication NBB_2011_05.

With regard to the use of outsourcing, see Circular NBB_2019_19, which applies to all cases of outsourcing, including cases of cloud outsourcing.

With regard to the provision of financial services via the internet, Circular NBB_2009_17 makes a series of recommendations and provides guidance on the main provisions of the existing regulatory and prudential framework. These recommendations are inter alia inspired by a number of international risk management standards, which may serve as a frame of reference for the Belgian practice. The EBA Guidelines of 19 December 2014 on the security of internet payments, transposed into Circular NBB_2016_29, also offer useful guidance in this context.

With regard to payment services, Circulars NBB_2020_23 and NBB_2021_21 clarify the applicable framework for the identification, implementation and monitoring of the security measures to be taken by institutions to control operational and security risks in the context of the provision of payment services and, where appropriate, report any major security incidents related thereto.