IT and cyber risk: a constant challenge
18 August 2021
With the use of information technology having become a large part of daily life, and even more so during the coronavirus (COVID-19) pandemic, the potential downsides of an increasing dependence on technology have become even more apparent. Protecting critical services like hospitals, electricity supply and access to the financial system from attacks and outages is crucial. Banks are responsible for managing their IT risks and keeping their IT systems running without significant interruptions or drops in service quality caused by malicious intent or accidents. Therefore, ECB Banking Supervision has treated banks’ IT and cyber risks as a supervisory priority for several years.
Throughout the COVID-19 crisis, banks have had to deal with lockdowns in several countries, temporary closures of branches and an increased demand for online banking services, all while accommodating their own staff working remotely on a large scale. On the whole, ECB Banking Supervision did not observe any major disruptions to the provision of banking services in 2020 – and this was despite an increase of 54% in the number of cyber incidents reported to the ECB compared with 2019. Many of these reported incidents had a harmful intent. Therefore, this increase in cyber risk merits particular attention.
[Chart] Reported incidents per quarter in 2019 and 2020. Source: ECB cyber incident reporting framework.
Through its cyber incident reporting framework, the ECB observed that the most frequent cyber incidents at banks in 2020 were distributed denial of service (DDoS) attacks, in which perpetrators interrupt banking services by flooding (and clogging) bank servers with fake requests. Later in 2020 a variant emerged in which the perpetrators threatened banks with a DDoS attack unless a ransom was paid. Also of note was the increase in cyber incidents at third-party service providers, emphasising the need for banks and supervisors to widen their focus and include these third parties in their monitoring and analyses.
[Chart] Cyber incidents in 2019 and 2020 by type (2019, 2020, percentages). Sources: ECB cyber incident reporting framework and ECB calculations. Note: insider misuse is the intentional misuse of access rights by an insider.
Finally, 2020 also saw the emergence of a highly sophisticated cyberattack in which a widely used piece of monitoring software was manipulated, causing organisations and firms to unknowingly download malware during the software’s normal update process. Only a very small number of banks under European banking supervision were affected, and the impact on these banks was limited.
The ECB cyber incident reporting framework is just one element of the ECB’s approach to supervising banks’ IT and cyber risks. More generally, to gauge banks’ IT risk exposure and assess their risk management, ECB Banking Supervision asks banks to provide yearly self-assessments through a questionnaire, which is then reviewed by the Joint Supervisory Teams. The Annual Report on the outcome of the 2020 SREP IT Risk Questionnaire was published in July 2021. Although it was based on data from the end of 2019, i.e. from before the pandemic, some noteworthy trends were observed:
- IT security remains a challenge for banks. 40% of the banks were the target of at least one successful cyberattack in 2019, a considerable increase from the 28% reported in 2018.
- IT data quality management remains the least mature risk control category. This is a concern, as banks should have processes, roles and responsibilities in place to ensure the integrity of their IT data.
- 5% of the banks still reported not having functional independence between the first and second lines of defence in IT risk.
- IT outsourcing expenses increased by over 6% compared with 2018, while expenses for cloud services increased by more than 50%.
There were also several positive developments.
- For IT availability and continuity, the overall average unplanned downtime of critical IT systems decreased compared with previous years.
- Although the overall number of IT changes to the banks’ production environment increased, substantially fewer of these changes led to issues.
- The overall number of banks’ critical findings – from internal and external auditors and from supervisors – that were not remediated for longer than one year continued to decrease.
[Chart] Total number of critical IT findings not remediated for more than one year across IT risk level categories. Source: Annual Report on the outcome of the 2020 SREP IT Risk Questionnaire.
Overall, the financial sector is becoming increasingly dependent on information technology. Further digitalisation and a greater reliance on third-party IT service providers have led to a legislative proposal for regulation at the European level, the Digital Operational Resilience Act (DORA). The ECB has recently published its legal opinion on DORA, stating that it welcomes this initiative to further harmonise and streamline European regulation and make the European financial sector stronger and more digitally resilient.
DORA covers several aspects of digital operational resilience:
- IT risk management requirements, which are broadly in line with existing guidelines and international standards;
- requirements for IT-related incident management, aiming to harmonise different incident reporting frameworks;
- requirements for digital operational resilience testing, building on traditional IT testing techniques (including functional and end-to-end testing, performance testing, vulnerability assessments and physical security reviews) and incorporating more advanced digital operational resilience testing, i.e. threat-led penetration testing;
- information sharing arrangements to foster the exchange of intelligence on IT threats and vulnerabilities between financial entities;
- a proposed oversight framework for third-party IT service providers that play a critical role in the functioning of the European financial sector.
Within its mandate, ECB Banking Supervision will continue to contribute to this important regulation, as well as its implementation and subsequent application.
There is no doubt that the increased use of information technology adds value, but the associated risks must be properly managed. Awareness of the importance of proper IT risk management, especially in the financial sector, has significantly increased and a lot of progress has been made. But this is just the first step – banks’ IT landscapes and the threats to them are constantly evolving, so banks cannot afford to stand still. All stakeholders, and especially the banks themselves, need to continue working to ensure that the use of technology is safe and predictable.