Are banks Cyber-proof in the digital world?
Speech by Pentti Hakkarainen, Member of the Supervisory Board of the ECB, at the European Banking Federation’s online conference on “Cyber security and resilience: the basis of it all in digital innovation”
Frankfurt am Main, 22 October 2020
The banking sector has already embarked on the journey towards digital transformation. In recognition of the changing tastes of consumers, banks are moving increasingly towards delivering online and mobile-friendly services in a convenient way.
Big investments to handle this shift in customer demand have already been made; both by incumbent firms and new tech-oriented challengers. These investments have so far paid off during the coronavirus (COVID-19) crisis, enabling European banks to adequately deal with the challenge posed by the pandemic to their digital operational resilience. Similarly, the ECB’s own use of advanced digital technologies means that we are well prepared to meet this challenge.
However, now is not the time for complacency. We have recently seen signs that cyber threats are on the increase, as criminals seek to take advantage of potential vulnerabilities in new working practices. To maintain market integrity and confidence, it is in everyone’s interest that these attacks are successfully repelled. Legitimate participants in the public and private sectors should therefore work together to address these threats.
Just as a diver’s watch must be waterproof and not just water resistant, a bank’s digital defences must be more than just cyber-resistant. They must aim to be cyber-proof against all kinds of cyberattacks.
The new digital normal and the COVID-19 resilience test
In essence, the banking industry revolves around the customers and firms that it serves. Whenever their tastes shift, the banking sector must follow.
Before the coronavirus crisis, customer tastes were already moving swiftly in a digital direction. Internet use in Europe has increased every year in recent times, with 85% of Europeans surfing the internet at least once a week in 2019, up from 75% in 2014. Similarly, use of internet banking has increased from 61% in 2014 to 66% in 2019.
COVID-19 has turbo-charged this already widespread trend towards digital adoption. One recent study shows that digital adoption by European consumers jumped to 95% as a result of the COVID-19 crisis. Based on pre-pandemic growth rates, it would have taken most industries two to three years to see a similar increase.
The same study found that the banking sector has the highest proportion of digital users in Europe, boosted by an additional 23% of first-time digital users since the onset of the pandemic. This increased rate of digital penetration shows not only that consumers increasingly want their services delivered online, but also that banks are already in a position to meet those demands.
As I highlighted in my previous speech, despite the challenges to operational resilience posed by COVID-19, we are not aware of any major instances where supervised banks have failed to continue providing services to customers. Not only were banks’ systems ready for the upturn in digital demand triggered by the pandemic, but they also coped with the very large numbers of their own staff switching to remote working. At the peak of lockdown, 60% of staff from large euro area banks were working remotely; at the end of August, this figure was still almost 40%.
Supervisory resilience through digitalisation
It is not only the private sector that has an obligation to stay as digitally up-to-date as the rest of society. To fulfil our various mandates on behalf of Europe’s citizens, we at the ECB also need to keep as up-to-date as possible with cutting-edge technology.
One fundamental aspect of this involves maintaining our own digital operational resilience. As with the private sector, the COVID-19 crisis has exposed these capabilities to unexpected stress tests.
Building on our substantial prior experience of remote working and video-conferencing, we have managed to smoothly and safely switch from a physical workspace to one that is much more reliant on virtual platforms. This entailed scaling up our remote working technical infrastructure fivefold and our internet bandwidth connectivity tenfold. We also equipped all our staff with the necessary IT tools to work remotely. All this has been supported with web-based articles and videos to inform our staff on how to use our IT systems effectively and securely from their homes.
Our switch to remote working has been managed without compromising the ECB’s digital security stance, which ensures the devices used by frontline ECB staff have strong protective and detective security controls. In addition, ECB staff access to public networks is channelled through our corporate network. Together, these factors mean that staff working remotely enjoy the same level of protection as staff working on the ECB premises.
Cyberthreat levels and the role of banking supervision
From the digital operational resilience perspective, the COVID-19 test results read “so far so good” for both private banks and European supervisory authorities.
However, simply navigating our way through these early challenges does not warrant a big moment of self-congratulation. Maintaining digital resilience is a never-ending race to improve security, leaving no time to stop and relax. In particular, the increased digitalisation of operations can itself introduce new vulnerabilities that cyber attackers may exploit.
Recent evidence suggests that cybercriminals are becoming more sophisticated, and attacks in certain areas are becoming more frequent.
In particular, we have noted an increasing trend in threats from distributed denial of service (DDoS) attacks. Before the coronavirus pandemic, these were already the most prevalent type of cyberattack reported by banks to the ECB, and since the outbreak of the pandemic, their frequency has clearly increased.
DDoS attacks aim to make an online service unavailable to users, often by temporarily interrupting or suspending the service of its host server. In some cases, attackers seek to extort legitimate market players by threatening to launch a disruptive DDoS attack unless a ransom is paid (ransom DDoS or RDoS). We have observed that some attackers start with minor attacks and smaller ransoms, before moving on to demand higher ransoms.
Generally speaking, banks’ defences against this type of threat have so far held up reasonably well. The attacks have caused only very limited interruptions, mostly due to the unavailability of smaller third parties. As a result, the euro area banking sector has not yet been severely harmed. Nonetheless, market participants should be aware of the increasing risk in this area, and continue to be vigilant by taking the appropriate mitigation measures.
So how exactly is European banking supervision countering cyber risks?
In 2017, European banking supervision established the Cyber Incident Reporting system, which helps us to stay aware of cyber incidents in banks that could potentially have a significant impact either individually or system-wide. Cyber incidents are reported to us on a confidential basis, but the insights we gain are shared on the ECB Banking Supervision website. This contributes to banks’ understanding of potential cyberthreats and thereby to broader overall resilience.
On 30 June 2020 the European Banking Authority (EBA) Guidelines on information and communication technology (ICT) and security risk management entered into force. The Guidelines set out expectations on how all financial institutions should manage the internal and external ICT and security risks to which they are exposed. As a banking supervisor, I can only underline the importance of complying with these Guidelines.
We are also very supportive of the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU). The objective of TIBER-EU is to put in place a programme to test and improve the resilience of financial infrastructure and institutions to sophisticated cyberattacks. European banking supervision encourages banks to participate in TIBER-EU, and in particular in threat-led penetration testing (TLPT) exercises that simulate real-world attacks.
Underlying each of the supervisory initiatives here is a common reality. Cybercrime is a common threat to the market integrity and trust that all participants require. Incentives should therefore be sufficiently aligned to allow straightforward collaboration across the public and private sectors to mitigate these risks. Of course, notwithstanding this wide scope for collaboration, each bank must ultimately take full responsibility for its own digital operational resilience.
As we move forwards, I would like to encourage the fostering of a spirit of openness and collaboration among legitimate market players in this area. It is in this pragmatic spirit that I hope we can cooperate within the potential new European framework that the Commission proposed recently.
Let me conclude by briefly reiterating my main messages.
Digital operational resilience in the banking sector has held up so far under the trying conditions created by the COVID-19 pandemic. This shows that the digital transformation processes required to keep up with societal changes are already well underway.
However, the threats from cybercrime may be increasing, as new remote working patterns have extended the potential area of attack. A vigilant approach is therefore required, involving continuous improvements to defence frameworks.
As part of those defensive efforts, interests should be fully aligned to ensure that criminals do not succeed. It is important to collaborate across authorities and banks to withstand all threats. To protect against these risks, banks’ digital systems must not only be cyber-resistant, they must also aim to be cyber-proof.