IT risks to remain high, stocktake shows
The increased use of information technology (IT) in all kinds of banking processes, together with the growing danger of cyberattacks, has brought banks’ management of IT risks into sharp focus. Can cyberattacks be detected? Are banks’ infrastructures resilient enough?
To review the IT risk landscape, ECB Banking Supervision representatives talked to banking supervisors in the US, the UK, Canada, Singapore and Hong Kong earlier this year. They also met with chief information officers (CIOs) of global systemically important banks (G-SIBs) in Europe to identify common views and best practices. Most of the CIOs indicated that they currently deal with IT risks that exceed the level they are comfortable with in terms of risk appetite. This is, however, not unique to the euro area; the supervisors in the other jurisdictions expressed the same concerns. Despite the many risk-reduction programmes in these banks, the risks will remain high for years to come, a view shared by both bank officials and supervisors. The ECB therefore also expects explicit attention to IT risks from the banks’ Chief Risk Officers (CROs), so that these significant risks are governed efficiently and effectively.
The stocktaking, when combined with analyses done by the national competent authorities (NCAs), the European Banking Authority (EBA) and the ECB, has revealed nine IT risk areas:
- cyber risk and cyber resilience;
- IT continuity and operational resilience;
- vendor management and outsourcing risks;
- identity and access management;
- patch and vulnerability management;
- IT complexity;
- transformation programme risk;
- data architecture, quality and governance;
- IT skills.
Two fairly recent trends – cloud computing and fintechs – did not make it onto this list, as they were not deemed to introduce specific IT risks. Most of the G-SIBs see cloud computing technology as an opportunity to move away from legacy infrastructure to more standardised solutions. Supervisors are mostly concerned with the use of external (public) cloud solutions, which in general are considered no different from regular IT outsourcing and are subject to the same supervisory expectations. Similarly, fintech developments were seen more as a business/profitability issue for banks.
Banks want greater alignment worldwide and harmonised requirements for the euro area
The largest institutions operate in widely diverse jurisdictions and need to comply with many different rules and regulations, which are not necessarily aligned between supervisors and may even be contradictory. The CIOs of European banks clearly said they would like a common understanding of IT risk and a single set of requirements, at least for the euro area. And they would also like regulations to be aligned with those of non-euro area supervisors, where possible. They welcomed principle-based and technology-agnostic supervision as this gives them choices between various risk mitigation measures. But in certain cases the principles they have to adhere to are too vague, creating uncertainty as to what is actually allowed and what is not. In these cases, they would favour a clarification eliminating as much uncertainty as possible.
European banking supervision seeks to refine its expectations
To improve its IT supervisory effectiveness, the SSM will continue to strengthen its IT risk assessment methodology as part of the Supervisory Review and Evaluation Process (SREP), drawing on the EBA’s work in this area, and will make sure it is consistently applied across the euro area. This should lead to assessments which are more comparable and which can be used to prioritise supervisory activities.
The ECB and NCAs will develop more detailed and uniform supervisory expectations on IT risk-related topics for banks under European banking supervision. By replacing or complementing guidance that already exists at national level, they will develop and fine-tune a best practice approach. These supervisory expectations will address specific IT risks one at a time, starting with guidance on cyber risk. They will continue to be principle-based and technology-agnostic, but will give banks more clarity as to what is expected. At the same time, these supervisory expectations will certainly “raise the bar”, i.e. they will call for an increased level of IT risk awareness and IT risk management in banks. On the one hand, this will level the playing field for banks under European banking supervision; on the other hand, it will make the banks stronger and more resilient with respect to IT risk.