SUPERVISION NEWSLETTER
Evolving IT and cybersecurity risks
13 November 2024
ECB Banking Supervision continuously evaluates banks’ management of IT risk, with supervisors’ findings from on-site inspections and banks’ IT risk reporting providing two major sources of information. As has been emphasised in recent years, banks still have work to do across a range of measures. They must ensure that their defences and their risk management framework are fit for purpose. IT risks and cyber threats are constantly evolving as bad actors innovate and try to find new ways of penetrating a bank’s defences. It is therefore critical that banks invest in their resilience and that they can quickly respond and recover if necessary.
Rising cybersecurity threats: ransomware and ICT third-party service providers
The banking sector has witnessed a surge in significant cyber incidents over the last year. There has been no major impact to date, but banks should not become complacent – instead, they should stay alert to threats and well prepared to deal with them.
Ransomware attacks have emerged as a particularly concerning threat with the potential to disrupt banking operations and compromise sensitive information. Attacks on information and communication technology (ICT) third-party service providers have highlighted the risk of spillover effects: weaknesses in one provider can cascade and affect not just one but many interconnected banks.
Some banks are still facing challenges in implementing basic cybersecurity controls and many key areas remain insufficiently developed in certain banks. These areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities and identity and access management. Moreover, IT security risk assessment frameworks require significant improvement.
IT outsourcing risk: navigating dependencies and concentration
The already-substantial reliance on third-party service providers is continuing to grow. Cloud expenses are increasing, although at a slower pace than last year. Banks need to understand the potential for concentration risk and keep a watchful eye out for sectoral developments. The Digital Operational Resilience Act, which will enter into force in January 2025, emphasises that the ultimate responsibility for managing such risks lies with banks’ boards. This means that banks need to ensure they have appropriate management and oversight of outsourcing arrangements in place. This should encompass pre-outsourcing analysis, continuous monitoring of service levels and contract adherence, adequate exit strategies (regularly tested) and the involvement of relevant third-party service providers in crisis response plans. Supervisory reviews carried out in 2023 identified weaknesses in these areas, underscoring the need for enhanced governance and oversight.
IT change risk: managing change and innovation
As banks’ IT infrastructure evolves, the number of IT projects (and related spending) is on the rise. Many of these projects are part of broader digital transformation initiatives. Improving IT infrastructure is essential but IT changes, whether large or small, must be managed thoroughly. This is especially important because incidents related to IT changes remain the most prevalent root cause of unplanned downtime in critical IT systems.
IT availability risk: preparing for the inevitable
IT incidents can affect any organisation, including banks. Adequate preparation and regular testing are crucial to achieve a higher level of operational resilience. Banks must establish mature frameworks in which business and technology functions are fully aligned to optimise incident management, business continuity management and crisis communication. Several clear weaknesses were identified in these areas. Weaknesses included outdated or incomplete business continuity plans, a lack of formal incident management procedures, insufficient recovery tests, poorly defined and tested recovery objectives and inadequate recovery priorities which are not based on proper risk assessment. In addition, the absence of documented crisis communication strategies could lower the effectiveness of responses during major IT-related incidents.
Data quality management: addressing the weakest link
Data quality management remains the weakest risk control domain in the banking sector, having shown insufficient year-on-year improvement. Supervisory assessments have identified some deficiencies in respect of key controls for data quality management, the management of data architecture models and the implementation of “golden sources”.
In line with the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and risk reporting, it is crucial to prioritise risk data aggregation and risk reporting projects to enhance data quality, ensure accurate risk assessment and support informed decision-making.
IT governance, risk management and IT audits: strengthening oversight
Effective IT governance, risk management and IT audits are essential for robust cybersecurity and IT risk management. In some banks there are gaps in fundamental IT risk management controls, as is the case for IT asset management and the key risk indicators reported to the management body. Effective IT asset management is a prerequisite for effective IT risk management and IT change management. It is crucial to address gaps to enhance overall resilience.
Conclusion
The evolving IT landscape and cybersecurity risks present significant challenges for the banking sector. The increasing frequency and sophistication of cyber incidents, in particular ransomware attacks and breaches involving ICT third-party service providers, underscore the critical need for robust cybersecurity measures and effective IT and cyber risk management. This is crucial both within banks and across third-party service providers. By addressing the identified weaknesses and enhancing their risk management frameworks, banks can improve their resilience. Banks should focus on continuously improving cybersecurity controls and managing IT outsourcing and IT change risks effectively. They also need robust incident management and business continuity plans and must ensure strong IT governance. These are essential bulwarks for safeguarding the integrity and stability of the banking sector in 2024 and beyond.
Over the past five years, ECB Banking Supervision has consistently identified operational resilience, and in particular IT outsourcing and IT security/cyber risks, as a supervisory priority, and it will continue assessing those risks via on-site inspections and targeted reviews of outsourcing arrangements and cyber resilience. From 2025 onwards, ECB Banking Supervision will further increase its efforts to ensure compliance with DORA.
European Central Bank
Directorate General Communications