IT and cyber risk – the SSM perspective
Today’s banks rely heavily on complex IT systems – regardless of their business model. That means the potential impact of a cyber-attack on banks is significant, and ensuring their cyber security is vital. But this is easier said than done, and it poses challenges for banks and supervisors alike.
Most pressing among these challenges is the increasing scarcity of skilled staff with the necessary expertise to counter cyber risks. The constantly changing threat landscape and the speed with which new risks and technologies develop are another ongoing challenge. The ECB is not alone in addressing cyber risk. Other institutions, such as the European Union, the European Banking Authority (EBA), the Basel Committee on Banking Supervision and Europol, are also investigating cyber security. The organisations concerned must therefore guard against the risk of duplication of effort and, in the longer term, fragmented regulation.
The ECB has focused on IT and cyber risk since the early days of the Single Supervisory Mechanism (SSM) and has addressed it from various angles. First, the ECB conducted thematic reviews on the topic in 2015, 2016 and 2017 to gain a more detailed understanding of the scope of the problem. Second, the ECB has set up a cyber incident reporting process that puts banks in a position to detect and respond in a timely manner to incidents with a potentially systemic impact. Third, the ECB conducts frequent on-site inspections with a focus on IT and cyber security. And, last but not least, the ECB has also made a significant contribution to the development of EBA’s upcoming Guidelines on IT risk and cyber security, which are intended to achieve increased harmonisation of standards across Europe.
However, it is banks’ own responsibility to safeguard their cyber security. To tackle the threat, and in the light of the above challenges, they should focus on the following actions. In terms of personnel, banks need to increase their staff’s awareness that IT and cyber-attacks are an unfortunate but real threat to the daily business of each and every bank. Indeed, the entry point for a cyber-attack is often a phishing email to unsuspecting staff at any level or position in the organisation. Therefore, banks need to train their employees on how to detect and handle these incidents carefully. Similarly, IT and cyber risk should be included in banks’ general risk management procedures, so decision-makers, too, are aware of these risks and understand their potential impact.
On the technical side, banks should aim to simplify their IT landscape. This is not just because simpler IT landscapes have a smaller attack surface. It is also because the easier these systems are to understand and maintain, the better they can be protected. In addition, banks should monitor cyber security events continuously and on a global scale. On the basis of their observations, they should constantly adapt and update their IT and cyber security measures, as hackers, too, are developing and improving their toolkit at an increasingly fast pace. Banks should be alert and ready to act at all times.