Article 10 Vulnerability and patch management


    1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures.

    2. The vulnerability management procedures referred to in paragraph 1 shall:

      (a) identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;

      (b) ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;

      (c) verify whether:

        (i) ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;

        (ii) those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;

      (d) track the usage of:

        (i) third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions;

        (ii) ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;

      (e) establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;

      (f) prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;

      (g) monitor and verify the remediation of vulnerabilities;

      (h) require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.

      For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.

      For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.

      For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready-to-use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage, to the extent possible, of third-party libraries, including open-source libraries.

      For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.

    3. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures.

    4. The patch management procedures referred to in paragraph 3 shall:

      (a) to the extent possible, identify and evaluate available software and hardware patches and updates using automated tools;

      (b) identify emergency procedures for the patching and updating of ICT assets;

      (c) test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii);

      (d) set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.
