2023-06-01
The Financial Sector Conduct Authority and Prudential Authority have issued a consultation report finalizing the IT Governance and Risk Management Joint Standard. The standard requires financial institutions to implement robust, board-approved IT risk frameworks, to review their IT strategy annually with quarterly assessments of the associated action plans, and to report directly to their responsible regulatory authority. The finalized requirements move the initial commencement date to twelve months after publication, clarify that IT risk management may operate within a broader enterprise risk framework, and scale compliance obligations to the nature, scale, and complexity of each institution. By consolidating reporting obligations and explicitly defining independent reviews and fit-and-proper standards for vendors, the standard aims to ensure that financial entities maintain adequate cybersecurity resilience while limiting compliance costs for small and medium-sized enterprises.