Pillar I: ICT Risk Management Framework
Chapter II — ICT risk management
Section II — Protection and prevention

Article 9: Protection and prevention

Tags: protection, security, encryption, access-control, patch-management

Summary

Article 9 requires financial entities to design and implement ICT security policies, procedures and technical controls that ensure the protection, prevention and resilience of ICT systems. It covers access management, encryption, network security, patch management and change management.

Key Requirements

  1. Implement robust ICT security policies and procedures
  2. Deploy strong authentication and access control mechanisms
  3. Use encryption for data at rest and in transit
  4. Establish patch management and vulnerability remediation processes
  5. Implement change management procedures for all ICT systems

Detailed Analysis

Article 9 details the specific protection and prevention measures financial entities must implement to safeguard their ICT systems and information assets. These measures form the defensive layer of the ICT risk management framework, addressing the most common vectors through which ICT disruptions occur.

Access management is a cornerstone requirement. Entities must implement the principle of least privilege, ensuring users and systems have only the minimum access necessary for their functions. Strong authentication mechanisms, including multi-factor authentication for critical systems, must be deployed. Access rights must be reviewed regularly and revoked promptly when no longer needed.

Encryption requirements cover both data at rest and data in transit. Financial entities must use cryptographic techniques that are current and appropriate for the sensitivity of the data being protected. Key management processes must be robust, with proper key rotation, storage, and lifecycle management. The use of outdated or compromised cryptographic algorithms creates unacceptable risk.

Patch management and vulnerability remediation are explicitly required. Entities must establish processes for timely identification and remediation of known vulnerabilities, with prioritization based on risk. The article also mandates comprehensive change management procedures, ensuring that modifications to ICT systems are properly authorized, tested, documented, and reversible.
