Interview with Il Sole 24 Ore

Interview with Anneli Tuominen, Member of the Supervisory Board of the ECB, conducted by Isabella Bufacchi

28 March 2024

Are information technology (IT) risks on the rise? If so, why?

More attention has been paid to the European banking sector’s IT and cyber risks in recent years. European banks are more digital than they used to be, but some still have ageing IT systems. Their use of outsourced services has also increased, making them more vulnerable to cyber risks. It is important that banks invest more in their IT infrastructure, including IT risk management and cyber hygiene. But they should not lower their cost-to-income ratio at the expense of sound IT risk management. Digitalisation is not just about cutting costs and increasing efficiency, but also about meeting customer needs and having user-friendly, competitive services. So far, banks have proven to be resilient, but they should not be complacent.

IT risk management is not quite as new as climate change risk management in the banking world. Banks have been dealing with the Internet, software, hardware and digitalisation for decades. Why are banking supervisors focusing more on IT risk management now?

Business models may have been simpler in the past. Today, almost every bank offers digital services, which are a “must” for them to survive in the current landscape. As a result, their IT infrastructure has become more complex. Legacy IT systems, outsourced services and cyber threats have forced supervisors to place greater focus on this risk area.

We have noticed that not all boards have enough knowledge of IT and cyber risks, and there are still boards without a member who has specific IT expertise. We want banks’ boards to have a sound understanding of IT risks so that they can assess the impact of these risks in the bank’s various business areas. Our supervisors have carried out numerous on-site inspections and targeted reviews on this topic. Our findings show that there is still room for improvement in meeting our expectations regarding IT and cyber risk management.

Your new supervisory expectations about board members’ knowledge and experience of information and communication technology and digital security risks came into force at the start of the month. What changes are you recommending banks should make?

Our aim is to improve the collective suitability of banks at board level. This means that at least one non-executive board member should have in-depth IT expertise. But in this respect, we always apply the proportionality principle and we assess any appointment on a case-by-case basis. This means that our assessment may differ depending on various bank-specific factors.

Can you give an example of what you mean by IT standards? How does a bank know if it is not up to the required standard?

All banks should have an IT map for how the bank operates, including all their IT assets and interdependencies, and any third-party services they rely on. They should know and regularly test their IT risk management strategy and the tools they have available. They should have multi-layer security in place to protect against external and internal risks. Identity checks and access controls have become more important, because cyber crime is increasingly common. And since banks depend on data, they need back-up systems to recover critical data in case something goes wrong. Data recovery is part of what we test when we conduct our cyber resilience stress test.

Can you tell us more about ECB Banking Supervision’s first ever cyber resilience stress test due to be conducted this year?

For the first time, banks will be asked to show how they would respond to a successful cyberattack that disrupts their core services. A “successful” cyberattack means that the bank would not be able to continue to provide its core service following the attack. We want to see how banks respond, recover and, also, how they would communicate the cyberattack to their clients. It is compulsory to report cyber incidents to the supervisory authorities, but banks should also be ready to communicate with the outside world in these kinds of situations.

Why is communication with clients so important in IT risk management?

Banks should plan how they will communicate a cyberattack to the outside world or how they intend to counter fake news. We saw how important this was in Bulgaria before the Single Supervisory Mechanism entered into operation. In July 2014 a combination of a cyberattack and a spam newsletter spread on social media triggered bank runs on two major Bulgarian banks. And last year’s regional bank crisis in the United States showed how today bank runs can be triggered in just a matter of minutes on social media.

A bank’s number one priority is to report an incident like this to the supervisor in accordance with the incident reporting framework. But banks should also inform their clients of these incidents. As part of its crisis communication plan, a bank should be able to communicate without delay if it becomes a victim of harmful fake news or disinformation spread via social media or any other channel.

In the event of a cyberattack or IT problems, banks rely on having a good reputation for communication built up over an extended period. They need to gain client trust in the good times, so that when a problem arises, communication is effective and reliable. And, of course, it helps if a bank has a good capital base, adequate liquidity, a profitable business model and well-functioning infrastructure.

Have cyberattacks increased? If so, by how much?

The number of reported cyber incidents in the European banking sector almost doubled in 2023 compared with 2022. The cyber environment has become more hostile than before owing to the aggressive acts of authoritarian states or cyber criminals linked to them. The attacks have increased in number and have become more sophisticated. We cannot overemphasise how important it is that banks remain vigilant and continue to focus on their resilience. The European Systemic Risk Board is looking into the systemic impact of cyberattacks on the banking system and the loss of confidence in the sector they can cause, as well as how banks can prepare for such scenarios.

What are the most common types of cyberattack against banks?

Distributed denial of service attacks have been reported as the most prevalent type of cyberattack in recent years. Ransomware attacks have also become more common, which is alarming because they block a bank’s access to its own data. Cyberattacks also frequently target third-party service providers. To mitigate IT risk, banks need to run checks on the level of IT security put in place by third parties. And they must consider where outsourcing takes place: third parties in countries with fragile political situations or weak infrastructure might be cheaper but they are also much riskier. The new EU Regulation on digital operational resilience (DORA), which enters into force on 17 January 2025, will help in this regard.

Why is DORA so important?

Thanks to DORA, critical third-party service providers will come under supervision. Although ECB Banking Supervision will not be directly responsible, it will take part in the new joint supervisory teams. It is a completely new area involving special reporting by banks and threat-led penetration tests conducted by independent external experts. As the ECB will have broader powers in this area, we too will need to recruit more experts in this growing field, although this may present a challenge given the current scarcity of relevant skilled labour.