Information and cyber security management

Preparation services for implementing the Bank of Lithuania's ICT and security risk management requirements

Service

Financial sector entities – banks, investment companies, insurance companies, credit institutions, etc. (hereinafter – Organizations) must comply with the Information and Communication Technologies (ICT) and Security Risk Management requirements (hereinafter – Requirements) established in the resolution of the Board of the Bank of Lithuania. The Bank of Lithuania requires such organizations to manage ICT and security risks in the organization’s activities and in the provision of services, and to ensure the protection of information stored, processed and transmitted by ICT systems.

Organizations must implement appropriate technical and organizational ICT and security risk management measures to ensure a level of security commensurate with the risk. If the requirements of the Bank of Lithuania are not properly implemented, the organization’s license to engage in financial activities may be revoked, and in the event of a breach of personal data, administrative fines may be imposed in accordance with GDPR provisions, which may reach up to 2 – 4% of the total annual worldwide turnover of the preceding financial year, or up to EUR 10 000 000 to EUR 20 000 000.

Organizations can prepare for the implementation of the requirements of the Bank of Lithuania independently or use the service provided by us – Preparation for ICT and security risk management requirements implementation services.

Progress

  • We carry out an assessment of compliance with the Requirements and prepare a plan for eliminating non-compliances
  • We create or adjust the policies and procedures regulating the Organization’s information and cyber security management in accordance with the Requirements
  • We perform an ICT and security risk assessment and prepare a plan of risk management measures
  • We perform an ICT business impact analysis and define the RTO (Recovery Time Objective) and RPO (Recovery Point Objective) together with information resource owners
  • We carry out a technological vulnerability assessment
  • We carry out a business continuity testing exercise
  • We perform other necessary activities as needed (e.g. we prepare an ICT strategy, etc.)
  • We introduce the employees of the organization to the Requirements
  • We provide consultancy services on the implementation of necessary activities and preparation for the implementation of the Requirements

Results

  • An assessment report on compliance with the Requirements and a non-compliance elimination plan are prepared
  • The policies and procedures regulating the organization’s information and cyber security management are created or adjusted in accordance with the Requirements
  • An ICT and security risk assessment report and a risk management measures plan are created
  • A technological vulnerability assessment report and a recommendations plan are created
  • The report of the business continuity testing exercise is prepared
  • Training materials are created and employees are familiarized with the Requirements
  • Consultations are provided during the preparation for the implementation of the Requirements

Benefits

  • ICT and Security Risk Management processes are ensured
  • Employees of the organization are familiarized with the Requirements
  • Technological vulnerabilities are identified and eliminated in a timely manner
  • ICT and security risks are contained in a timely manner
  • Operational resilience is tested and assessed
  • Compliance with the Requirements is ensured

To properly implement the Requirements, we recommend the full implementation of an information security management system in accordance with the requirements of the ISO/IEC 27001 standard.

Contact person

Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu