Article 10 Vulnerability and patch management
-
As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entitiesas defined in Article 2, points (a) to (t) shall develop, document, and implement vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; management procedures.
-
The vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; management procedures referred to in paragraph 1 shall:
-
identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;;
-
ensure the performance of automated vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; scanning and assessments on ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT assetmeans a software or hardware asset in the network and information systems used by the financial entity;;
-
verify whether:
-
ICT third-party service providersmeans an undertaking providing ICT services; handle vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; related to the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; provided to the financial entity;
-
whether those service providers report to the financial entity at least the critical vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; and statistics and trends in a timely manner;
-
-
track the usage of:
-
third-party libraries, including open-source libraries, used by ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;;
-
ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service providermeans an undertaking providing ICT services;;
-
-
establish procedures for the responsible disclosure of vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; to clients, counterparties, and to the public;
-
prioritise the deployment of patches and other mitigation measures to address the vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; identified;
-
monitor and verify the remediation of vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;;
-
require the recording of any detected vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; affecting ICT systems and the monitoring of their resolution.
For the purposes of point (b), financial entitiesas defined in Article 2, points (a) to (t) shall perform the automated vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; scanning and assessments on ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; for the ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; on at least a weekly basis.
For the purposes of point (c), financial entitiesas defined in Article 2, points (a) to (t) shall request that ICT third-party service providersmeans an undertaking providing ICT services; investigate the relevant vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;, determine the root causes, and implement appropriate mitigating action.
For the purposes of point (d), financial entitiesas defined in Article 2, points (a) to (t) shall, where appropriate in collaboration with the ICT third-party service providermeans an undertaking providing ICT services;, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; or components of ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; acquired and used in the operation of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; not supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, financial entitiesas defined in Article 2, points (a) to (t) shall track the usage to the extent possible of third-party libraries, including open-source libraries.
For the purposes of point (f), financial entitiesas defined in Article 2, points (a) to (t) shall consider the criticality of the vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; affected by the identified vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;.
-
-
As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entitiesas defined in Article 2, points (a) to (t) shall develop, document and implement patch management procedures.
-
The patch management procedures referred to in paragraph 3 shall:
-
to the extent possible identify and evaluate available software and hardware patches and updates using automated tools;
-
identify emergency procedures for the patching and updating of ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;;
-
test and deploy the software and hardware patches and the updates referred to in Article 8(2), point (b), points (v), (vi) and (vii);A typographical error has been corrected here. The original authentic source said: Article 8(2), points (b)(v), (vi) and (vii);
-
set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.
-