Guarding against IT and cyber risk
Frankfurt am Main, 13 May 2020
In recent months banks have become exceptionally reliant on IT systems owing to the coronavirus (COVID‑19) pandemic, which has led to temporary branch closures and the introduction of remote working arrangements on an unprecedented scale. Of course, regardless of the context, the more banks rely on IT systems, the more vulnerable they can become to IT and cyber risk. Ensuring comprehensive IT and cyber security is therefore vital.
In March 2020 ECB Banking Supervision issued a set of expectations for banks to help them address the risks associated with COVID-19. These expectations included appropriate actions in relation to IT and cyber risk. For example, banks were advised to proactively assess and test the capacity of their existing IT infrastructure, particularly in the light of a potential increase in cyberattacks and possible greater reliance on remote banking services. Banks were also encouraged to assess the risk of increased cyber security‑related fraud targeting them or their customers. Under the current circumstances, ECB Banking Supervision has stepped up its monitoring of cyber-related threats and continues to urge banks to be diligent in protecting their IT security.
While managing IT and cyber security is first and foremost banks’ own responsibility, IT and cyber risk is a key area of focus for ECB Banking Supervision. Outside the context of the COVID-19 pandemic, banks’ reliance on IT systems – and thus their vulnerability to IT-related risks – is increasing as they continue to digitalise and move towards round-the-clock availability of services. The SSM Risk Map for 2020 identifies cybercrime and IT deficiencies as one of the top three risks currently faced by the euro area banking system, as cyber incidents can result in significant costs or reputational losses for banks and can even have systemic consequences.
Among several initiatives developed by ECB Banking Supervision to monitor banks’ IT and cyber risk, the cyber incident reporting framework plays an important role. This framework requires all directly supervised banks to report significant cyber incidents to ECB Banking Supervision as soon as they are detected. Supervisors can then identify and monitor trends and react quickly in the event that a major cyber incident affects one or more supervised banks.
Analysis of the cyber incidents reported in 2019 reveals that the number of reported incidents grew last year and that the vast majority of cases involved malicious intent. Phishing attacks were the most frequently reported type of incident, followed by distributed denial of service attacks (deliberately overwhelming systems with requests) and accidental data leakages. Third parties discovered incidents roughly as often as banks did. This was mostly due to the incidents happening at the level of third-party providers (e.g. cloud service providers and consultants) that banks increasingly use for service delivery. In many cases, the incidents received both local and national media coverage, potentially affecting the banks’ reputation. Some incidents were reported in the international press.
In an increasingly digitalised world, cyber incidents are inevitable. However, banks can take actions to mitigate the associated risks. These actions range from training staff on how to minimise the potential consequences of cyberattacks (including raising staff awareness) to simplifying IT landscapes in order to reduce the attack surface and to make them easier to maintain and operate. Hackers are developing and improving their toolkits, and banks should be alert and ready to respond at all times. They should have tried-and-tested crisis and incident management processes in place, together with sound detection, response and recovery procedures, in accordance with the EBA Guidelines on ICT and security risk management.
Each year the ECB carries out an analysis of IT risk based on banks’ self‑assessments. What does the latest analysis tell us about how banks manage their IT risk? One important finding is that banks’ IT risk management seems to be better when their board members have a higher level of IT expertise. The analysis also shows that many banks’ critical banking services still depend on end-of-life systems, and that the use of IT outsourcing is increasing, with some banks concentrating on only one provider. Banks should comply with the applicable regulation on outsourcing and follow the EBA Guidelines on outsourcing arrangements. Moreover, if banks reduce their dependency on end-of-life systems and increase their audits of critical IT functions, they will be able to manage their IT risk more effectively – which is particularly important in the current circumstances.