On 16 March 2018, Norm No. 4/2018 regarding the management of operational risks generated by IT software used by entities authorised/approved/registered, regulated and/or supervised by the Financial Supervisory Authority (the "Norm") was published in the Official Gazette of Romania.
The Norm applies to a wide range of entities regulated or supervised by the Financial Supervisory Authority ("FSA"), including asset management companies, central securities depositories, traders, insurance companies, insurance intermediaries and private pension fund administrators ("Regulated Entities").
The Norm sets standards for Regulated Entities covering the identification, prevention and mitigation of the harm that may result from risks arising from the use of information and communication technology. The areas of risk covered include human interaction, internal processes and systems, and external factors, including cybercrime.
The Norm also governs the activities and operations involved in evaluating, monitoring and controlling the operational risks generated by the use of IT software, and the management of those risks, with the aim of ensuring the IT security of Regulated Entities.
In order to comply with the mandatory requirements of the Norm, Regulated Entities must identify all of the important IT systems within their hardware and software infrastructure that are essential to their activity. Regulated Entities must also maintain and keep up to date a register of all such IT systems.
The FSA will evaluate each Regulated Entity and assign it a risk classification (major, important, medium or low) based on the nature, scale and complexity of its activity, and will also identify the risks that might arise and affect that activity.
The Norm was published in the Official Gazette, Part I, No. 233 on 16 March 2018 and became effective on 15 April 2018.