IT risk – ECB to roll out cyber incident reporting framework
As a key component of the financial ecosystem where money and valuable information are stored, banks have always been attractive targets for criminals. For that reason, and given their strong reliance on complex IT systems for their operations, ensuring cyber security is vital for banking institutions. Although managing their cyber security is first and foremost banks’ own responsibility, cyber risk has been a priority for ECB Banking Supervision since day one and has been addressed from various angles. First, supervisors assess cyber risk as part of their ongoing operational risk supervision. Second, various specific assessments have been made, such as the 2015 thematic review on cyber security risk or targeted on-site inspections. Last but not least, the ECB has initiated a reporting framework for significant cyber incidents that was implemented as a pilot scheme in 2016 and will be rolled out to all significant institutions in 2017.
The reporting framework for significant cyber incidents is designed to collect and store information on cybercrime incidents that affect significant institutions. Banks will be required to report such incidents as soon as they detect them. The information will be used to identify and monitor trends in cyber incidents affecting significant institutions and will enable the ECB to react quickly if a major incident affects one or more significant banks. Some countries already have an incident reporting process in place that requires significant banks to report noteworthy cyber incidents to their national supervisor. In those countries, the banks will continue to report incidents to the national supervisors, who will then forward them to the ECB on behalf of the supervised entities.
In February 2016 the ECB launched a pilot scheme for reporting significant cyber incidents in order to test the arrangements under which a reporting process could operate. For this pilot exercise 18 banks were selected, of which 15 reported directly to the ECB and 3 reported indirectly through their respective national competent authorities. Drawing on the existing incident reporting expertise of IT experts at the ECB and the national authorities, a standardised reporting template was developed for the pilot and procedures were agreed with the banks to ensure timely and complete reporting. The pilot exercise demonstrated that timely exchanges of information on cyber incidents are possible. It ran for over a year, which allowed the ECB to gain sufficient experience and to streamline the reporting processes. On the basis of the lessons learned from the exercise, and taking into account the feedback from the participating pilot banks, several improvements were made, including to the incident definitions, the reporting template and the reporting instructions.
The reporting framework is currently being finalised and is planned to go live in the third quarter of 2017, involving all significant institutions from the 19 euro area countries. In addition to allowing the ECB to react promptly in the event of a major cyber incident affecting one or more significant banks, the information will enable it to gain a better understanding of trends and developments in cybercrime. The outcome of the analysis will also feed into defining the key priorities with regard to the supervision of IT risk.