The need for improved cyber resilience in euro area banks
Today’s banking system relies heavily on technology, as almost all of its business processes are digital. But although digitalisation can bring benefits for banks, it also comes with risks. It is the ECB’s goal as a prudential supervisor to ensure that banks manage these risks appropriately. Since the creation of the Single Supervisory Mechanism, ECB Banking Supervision has been keenly aware of information technology (IT) and cyber risk and has addressed it from various angles.
Supervision Newsletter February 2019: IT and cyber risk – the SSM perspective
In 2018, for example, the ECB conducted a thematic review on IT risks that was based on a comprehensive self-assessment questionnaire that banks were asked to complete. While the results of this review show that IT risks in the banking sector are not at alarmingly high levels, they also highlight deficiencies that banks need to tackle. Of these, IT risk management and data quality management stood out. This calls for the speedy inclusion of IT risks in banks’ general risk management procedures and compliance with the latest principles for effective risk data aggregation and risk reporting.
The review also found a general increase in IT outsourcing by banks. This trend will be closely monitored by the ECB in the future, as a great number of banks outsource their IT activities to only one provider and may not retain sufficiently skilled staff of their own to oversee the outsourced activities and the risks that come with outsourcing. Another finding is that critical processes in a high number of banks depend on systems that are nearing their end-of-life. This is especially concerning in the light of the current cyber threat landscape.
To better understand the cyber threat landscape and its impact on banks, in 2017 ECB Banking Supervision set up a reporting framework for cyber incidents. Since then, the ECB has been collecting information from the banks it supervises on cyber incidents that have occurred, with a view to identifying and monitoring trends in this area.
A recent ECB analysis of the first two years of data found a fairly low number of significant cyber incidents in the euro area banking system. In most cases, the incidents reported were detected – belatedly – by the banks themselves or by a third party. Most of them led to a short disruption of services with limited financial loss. The most frequently reported incidents were distributed denial of service attacks (in which massive amounts of fake web requests are used to flood the bank’s internet-facing servers and prevent access by legitimate users such as bank customers), unauthorised access requests, data leakage and phishing attacks.
The diverse nature of cyber incidents indicates that there is a range of vulnerabilities that banks need to address: from gaps in their IT security infrastructure to insufficient staff awareness. As shown by the ECB analysis, it is important for banks to improve their cyber resilience on the technical and human levels and to install efficient crisis management procedures to ensure they are prepared for the worst-case scenario.