SUPERVISION NEWSLETTER
IT and cybersecurity: no grounds for complacency
15 November 2023
ECB Banking Supervision evaluates banks’ management of IT risk based on, among other things, two complementary sources of information: banks’ self-assessments and supervisors’ findings from on-site inspections. The information received from these sources consistently shows that banks need to improve their IT and cybersecurity risk controls.
Two assessments, similar pictures
Banks rate their own IT risk level and the maturity of their IT risk controls through an IT risk questionnaire as part of the annual Supervisory Review and Evaluation Process. The questionnaire covers these self-assessments and quantitative data, which together form the basis for a horizontal analysis.
In addition, supervisors conduct on-site inspections at banks’ premises, which provide more in-depth information on banks’ IT risk management and thereby help supervisors to form a more complete picture. Between 2020 and 2023, ECB Banking Supervision conducted a series of these inspections across a sample of banks, focusing on cybersecurity.
The two sources of information provide similar views on the state of IT risk management at supervised banks. While the results of the horizontal analysis show that banks made little progress in terms of resolving existing gaps, the on-site inspections highlight that banks need to step up their efforts to manage cyber risks. The findings of the inspections also call for further self-reflection from the banks and further supervisory assessments of larger samples. Overall, the assessments broadly confirm the supervisory priorities and justify related follow-up activities.
Banks report no red flags but little progress in IT risk management
The main observations from the IT risk questionnaires can be broadly divided into five areas, all of which were also highlighted to some extent in last year’s analysis. The data were collected in the first quarter of 2023 and build on year-end 2022 information.
IT outsourcing risk
While overall IT outsourcing expenses remained stable compared with the previous year, cloud expenses continued to increase sharply, albeit from a low base compared with other IT outsourcing expenses. The ECB expects that the shift towards cloud usage will result in increased concentration risks in the medium term, as banks typically purchase from a small pool of service providers. Against this backdrop, banks need to ensure that their contingency and exit plans for outsourced services are fit for purpose and tested. Some institutions reported weaknesses in this area.
In 2022 banks reported an increase in losses caused by the unavailability or poor quality of outsourced services. These losses were related to a small number of high-volume events and further highlight the need to properly manage risks arising from reliance on service providers.
Data quality management
Fifteen years ago, the global financial crisis highlighted that reliable data are the foundation of sound business decisions. Banks nevertheless consistently identified data quality management as the least mature IT risk control category in previous years. European banking supervision is therefore gearing up to make sure that banks improve their frameworks, also in light of the Basel Committee’s principles for effective risk data aggregation and risk reporting (BCBS 239). Complementing previous guidance, the ECB has detailed its supervisory expectations in the draft Guide on risk data aggregation and risk reporting. Management bodies will be held accountable for their bank’s progress and supervisors will escalate through enforcement measures, if needed.
IT change risk
Although there was an increase in the number of critical projects and related expenses, banks reported a decrease in the number of changes that caused production environment issues. However, IT changes and software issues were again identified as the root cause behind critical services downtime. Banks therefore need to further strengthen governance and processes around change management. Precautions of this kind, along with a carefully prepared communication strategy, are even more important when major migrations of IT systems or other software changes are expected to affect customers.
IT governance and risk management
Since IT functions are highly relevant to banks’ operations but also serve as a business enabler, banks need to ensure that their management bodies possess the necessary expertise to steer and oversee IT and related risks. Generally, institutions where management bodies have sufficient IT expertise reported greater awareness of IT risks. Only a few banks reported that none of their board members had specific IT expertise. European banking supervision will follow up with these banks as part of its fit and proper assessments.
Some banks reported gaps in fundamental IT risk management controls, such as IT asset management, which is a prerequisite for proper management of IT risk and IT change.
Cyber and IT security risk
Although banks are operating in an increasingly hostile cyber risk environment, the number of significant cyber incidents reported to the ECB decreased in 2022 compared with 2021. While distributed denial-of-service attacks remained the most common type of incident in 2022, a recent increase in ransomware incidents has raised supervisory concerns.
Banks still rely heavily on end-of-life systems for critical activities, and this reliance necessitates a considerable amount of management attention. Some institutions continue to report gaps in risk control areas considered fundamental to cyber hygiene, such as proper identity and access management, timely vulnerability patching or network security. Some gaps also remained in banks’ security awareness programmes.
It is paramount that banks remain vigilant and continue to defend themselves against cyber threat actors and close any gaps as soon as possible.
On-site inspections on IT and cybersecurity identify important shortcomings
The ECB regularly performs on-site inspections to determine whether banks’ IT and cybersecurity risk management is in line with the Guidelines on ICT and security risk management issued by the European Banking Authority (EBA/GL/2019/04).
Regarding cybersecurity in particular, between 2020 and 2023 the ECB conducted 22 on-site inspections of banks from 11 Member States and with a variety of business models. Overall, the deficiencies were more severe and widespread than expected. Shortcomings were detected in all areas of cybersecurity and are categorised hereafter in line with the Risk Management Framework introduced by the US National Institute of Standards and Technology.
Many banks failed to identify potential cybersecurity risks to systems, data and assets. This was caused, among other things, by incomplete IT asset inventories or the lack of a security classification of systems and data. IT outsourcing arrangements often failed to sufficiently address IT security requirements. Several banks had a weak second line of defence against IT-related risks and did not use all available information to identify IT security risks.
Adequate protection of IT assets is essential to ensure the confidentiality, integrity and availability of critical data. However, many banks showed weaknesses in perimeter security systems, network segregation and security patch management, or they missed hardening baselines for key technologies in use. Banks also did not always consider security in IT projects (“security by design”) or only did so at a late stage.
Cybersecurity incidents should be detected in a timely manner to enable immediate action where necessary. According to the results of on-site inspections, banks often failed to adequately implement security information and event management (SIEM), for instance by not collecting all required logs from their perimeter security infrastructure systems and key business applications. Detection rules were only partially implemented in SIEM, which hampers the correlation and detection of potential incidents. Moreover, IT security reviews and testing did not consistently cover all necessary systems and were not performed frequently enough.
Banks must plan and test their responses to cybersecurity incidents so that they can contain the impact of incidents when they are identified. Worryingly, many banks had incomplete or outdated crisis management and communication plans. They showed weaknesses in the cyber incident reporting process, such as disregarding the ECB’s cyber incident reporting requirements or having inconsistent criteria for assessing incident severity. Forensic data were often unavailable or insufficiently detailed, and computer emergency response teams were not operational 24 hours a day.
Finally, banks should be prepared to restore their services and capabilities to normal operational levels in a timely manner. However, their business continuity requirements were not always aligned with the capabilities of their IT services. Many banks did not regularly run cybersecurity recovery tests for all critical applications, and their runbooks did not cover the most common cybersecurity threats. Moreover, they did not fully test their ability to recover from back-ups and did not sufficiently involve service providers in their continuity and recovery tests.
The ECB expects all banks under its direct supervision to take immediate and concrete steps to make sure that their IT and cybersecurity risk management is aligned with supervisory expectations and to strive to implement best practices. Banks that have been subject to an on-site inspection on cybersecurity have already received specific supervisory recommendations and are expected to take appropriate follow-up measures. The management bodies of all other banks should also reflect on areas where they can take action to improve their IT and cybersecurity risk management.
Overall, the above findings raise serious supervisory concerns that confirm the need to continue on-site inspections in conjunction with tailored discussions between banks and supervisors. The ECB will also perform system-wide reviews of specific aspects of cybersecurity. The next review will be the cyber resilience stress test in 2024, which will assess banks’ ability to respond to and recover from cyberattacks.