Featured Product

    ECB Publishes Report on Self-Assessment of IT and Cyber Risks by Banks

    July 12, 2021

    The European Central Bank (ECB) published an annual report based on self-assessment of the information technology (IT) and cyber risks by banks. The report is a part of the Supervisory Review and Evaluation Process (SREP) and informs the ongoing supervisory work of ECB. The insights presented in this report are based on the 2019 IT Risk Questionnaire self-assessments of over 100 supervised institutions. All risk-level scores use the same scale, with “1” indicating the lowest risk level and “4” the highest risk level. The questionnaire assesses the IT risk level and risk controls of institutions, with some focus on IT internal audit and IT governance. The overall self-assessment scores for 2019 showed a slight increase, with institutions seeming to be more aware of the risk related to IT outsourcing and ~85% of the institutions reporting that they are using some form of cloud service for their operations.

    The questionnaire intended for self-assessment was structured into five IT risk categories defined by EBA—IT security risk, IT availability and continuity risk, IT change risk, IT outsourcing risk, and IT data integrity risk. The report highlights the following assessment of these risks: 

    • IT Security. The area of IT security remains a challenge for banks. The institutions reported an increase of their overall IT security risk level between 2018 and 2019. Nearly 40% reported that they were the target of at least one successful cyberattack in 2019, representing a 43% increase from 2018. The number of successful cyberattacks, however, varied greatly across the different institutions. Between 20% and 24% of the institutions that had at least one successful cyberattack reported weaknesses in at least one IT security risk control. The majority of institutions also reported that IT security is the category where they have the highest number of overdue IT findings as well as overdue critical IT findings. More than 70% of institutions reported having insurance coverage for cyber risk.
    • IT Availability and Continuity Risk. The overall IT availability and continuity risk level scores increased between 2018 and 2019, indicating either a greater awareness or presence of IT availability and continuity risks. The total number of critical IT systems reported by the institutions went up from 33,000 (2018) to more than 38,000 (2019). In 2019, global systemically important banks reported the highest overall unplanned downtime of critical IT systems; however, custodians or asset managers show the highest proportion of unplanned downtime hours per critical IT system for the second consecutive year. The analysis shows a decrease in the overall average unplanned downtime of critical IT systems when compared with previous years. The overall number of critical findings regarding IT availability and continuity risk that have not been remediated for longer than one year was reported to have decreased by nearly 15% compared with 2018.
    • IT Change Risk. Between 2018 and 2019, the institutions’ self-assessment scores for the overall risk level remained stable. The institutions’ responses, however, show that attention is needed in certain areas since some of the institutions do not have the appropriate controls in place. These include a release management team is in place, changes to IT security controls are authorized by relevant information/IT security managers after having analyzed the IT security impact, and an asset inventory is maintained and updated. The majority of institutions reported that the risk controls of their project management framework and governance are effective and consistent across their organization and considered related risks to be mitigated. However, based on the responses one-third of the institutions have not implemented independent quality assurance supporting the implementation of critical projects.
    • Outsourcing Risk. The institutions seem to be more aware of the risk related to IT outsourcing, which is shown by an increase in the highest score (4) compared with 2018. IT outsourcing continues to be a key pillar for institutions, as 98% of them outsource (at least some) critical IT activities, while more than 10% have fully outsourced critical activities in IT operations, IT development, and IT security. Inadequate outsourcing management increases the risk of disruption of these critical activities. The importance of outsourcing is also reflected in the associated budget, which continues to increase. The majority of the institutions (85%) reported that they are using some form of cloud service for their operations; this is reflected in a budget that has nearly doubled.
    • IT Data Integrity Risk. The IT risk level reported by the institutions shows a steady increase compared with 2018. IT data quality management remains the least mature risk control category when compared with the other control categories. Furthermore, the trend shows that the situation does not seem to be improving.

     

    Related LinkAnnual Report

     

    Keywords: Europe, EU, Banking, Cyber Risk, SREP, IT Risk, Governance, Outsourcing, Data Integrity, Internal Controls, Cloud Computing, ECB

    Related Articles
    News

    EBA Publishes Final Regulatory Standards on STS Securitizations

    The European Banking Authority (EBA) published the final draft regulatory technical standards specifying and, where relevant, calibrating the minimum performance-related triggers for simple.

    September 20, 2022 WebPage Regulatory News
    News

    ECB Further Reviews Costs and Benefits Associated with IReF

    The European Central Bank (ECB) is undertaking the integrated reporting framework (IReF) project to integrate statistical requirements for banks into a standardized reporting framework that would be applicable across the euro area and adopted by authorities in other EU member states.

    September 15, 2022 WebPage Regulatory News
    News

    EBA Publishes Funding Plans Report, Receives EMAS Certification

    The European Banking Authority (EBA) has been awarded the top European Standard for its environmental performance under the European Eco-Management and Audit Scheme (EMAS).

    September 15, 2022 WebPage Regulatory News
    News

    MAS Launches SaaS Solution to Simplify Listed Entity ESG Disclosures

    The Monetary Authority of Singapore (MAS) set out the Financial Services Industry Transformation Map 2025 and, in collaboration with the SGX Group, launched ESGenome.

    September 15, 2022 WebPage Regulatory News
    News

    BCBS to Finalize Crypto Rules by End-2022; US to Propose Basel 3 Rules

    The Basel Committee on Banking Supervision met, shortly after a gathering of the Group of Central Bank Governors and Heads of Supervision (GHOS), the oversight body of BCBS.

    September 15, 2022 WebPage Regulatory News
    News

    IOSCO Welcomes Work on Sustainability-Related Corporate Reporting

    The International Organization of Securities Commissions (IOSCO) welcomed the work of the international audit and assurance standard setters—the International Auditing and Assurance Standards Board (IAASB)

    September 15, 2022 WebPage Regulatory News
    News

    BoE Allows One-Day Delay in Statistical Data Submissions by Banks

    The Bank of England (BoE) published a Statistical Notice (2022/18), which informs that due to the Bank Holiday granted for Her Majesty Queen Elizabeth II’s State Funeral on Monday September 19, 2022.

    September 14, 2022 WebPage Regulatory News
    News

    ACPR Amends Reporting Module Timelines Under EBA Framework 3.2

    The French Prudential Control and Resolution Authority (ACPR) announced that the European Banking Authority (EBA) has updated its filing rules and the implementation dates for certain modules of the EBA reporting framework 3.2.

    September 14, 2022 WebPage Regulatory News
    News

    ECB Paper Discusses Disclosure of Climate Risks by Credit Agencies

    The European Central Bank (ECB) published a paper that examines how credit rating agencies accepted by the Eurosystem, as part of the Eurosystem Credit Assessment Framework (ECAF)

    September 13, 2022 WebPage Regulatory News
    News

    APRA to Modernize Prudential Architecture, Reduces Liquidity Facility

    The Australian Prudential Regulation Authority (APRA) announced reduction in the aggregate Committed Liquidity Facility (CLF) for authorized deposit-taking entities to ~USD 33 billion on September 01, 2022.

    September 12, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 8514