Featured Product

    ECB Publishes Report on Self-Assessment of IT and Cyber Risks by Banks

    July 12, 2021

    The European Central Bank (ECB) published an annual report based on self-assessment of the information technology (IT) and cyber risks by banks. The report is a part of the Supervisory Review and Evaluation Process (SREP) and informs the ongoing supervisory work of ECB. The insights presented in this report are based on the 2019 IT Risk Questionnaire self-assessments of over 100 supervised institutions. All risk-level scores use the same scale, with “1” indicating the lowest risk level and “4” the highest risk level. The questionnaire assesses the IT risk level and risk controls of institutions, with some focus on IT internal audit and IT governance. The overall self-assessment scores for 2019 showed a slight increase, with institutions seeming to be more aware of the risk related to IT outsourcing and ~85% of the institutions reporting that they are using some form of cloud service for their operations.

    The questionnaire intended for self-assessment was structured into five IT risk categories defined by EBA—IT security risk, IT availability and continuity risk, IT change risk, IT outsourcing risk, and IT data integrity risk. The report highlights the following assessment of these risks: 

    • IT Security. The area of IT security remains a challenge for banks. The institutions reported an increase of their overall IT security risk level between 2018 and 2019. Nearly 40% reported that they were the target of at least one successful cyberattack in 2019, representing a 43% increase from 2018. The number of successful cyberattacks, however, varied greatly across the different institutions. Between 20% and 24% of the institutions that had at least one successful cyberattack reported weaknesses in at least one IT security risk control. The majority of institutions also reported that IT security is the category where they have the highest number of overdue IT findings as well as overdue critical IT findings. More than 70% of institutions reported having insurance coverage for cyber risk.
    • IT Availability and Continuity Risk. The overall IT availability and continuity risk level scores increased between 2018 and 2019, indicating either a greater awareness or presence of IT availability and continuity risks. The total number of critical IT systems reported by the institutions went up from 33,000 (2018) to more than 38,000 (2019). In 2019, global systemically important banks reported the highest overall unplanned downtime of critical IT systems; however, custodians or asset managers show the highest proportion of unplanned downtime hours per critical IT system for the second consecutive year. The analysis shows a decrease in the overall average unplanned downtime of critical IT systems when compared with previous years. The overall number of critical findings regarding IT availability and continuity risk that have not been remediated for longer than one year was reported to have decreased by nearly 15% compared with 2018.
    • IT Change Risk. Between 2018 and 2019, the institutions’ self-assessment scores for the overall risk level remained stable. The institutions’ responses, however, show that attention is needed in certain areas since some of the institutions do not have the appropriate controls in place. These include a release management team is in place, changes to IT security controls are authorized by relevant information/IT security managers after having analyzed the IT security impact, and an asset inventory is maintained and updated. The majority of institutions reported that the risk controls of their project management framework and governance are effective and consistent across their organization and considered related risks to be mitigated. However, based on the responses one-third of the institutions have not implemented independent quality assurance supporting the implementation of critical projects.
    • Outsourcing Risk. The institutions seem to be more aware of the risk related to IT outsourcing, which is shown by an increase in the highest score (4) compared with 2018. IT outsourcing continues to be a key pillar for institutions, as 98% of them outsource (at least some) critical IT activities, while more than 10% have fully outsourced critical activities in IT operations, IT development, and IT security. Inadequate outsourcing management increases the risk of disruption of these critical activities. The importance of outsourcing is also reflected in the associated budget, which continues to increase. The majority of the institutions (85%) reported that they are using some form of cloud service for their operations; this is reflected in a budget that has nearly doubled.
    • IT Data Integrity Risk. The IT risk level reported by the institutions shows a steady increase compared with 2018. IT data quality management remains the least mature risk control category when compared with the other control categories. Furthermore, the trend shows that the situation does not seem to be improving.

     

    Related LinkAnnual Report

     

    Keywords: Europe, EU, Banking, Cyber Risk, SREP, IT Risk, Governance, Outsourcing, Data Integrity, Internal Controls, Cloud Computing, ECB

    Related Articles
    News

    EBA Updates Filing Rules for Supervisory Reporting

    The European Banking Authority (EBA) published version 5.1 of the filing rules for supervisory reporting.

    October 19, 2021 WebPage Regulatory News
    News

    ECB Amends Guideline on Procedures for Collection of AnaCredit Data

    The European Central Bank (ECB) Guideline 2021/1829 on the procedures for the collection of granular credit and credit risk data has been published in the Official Journal of European Union.

    October 19, 2021 WebPage Regulatory News
    News

    ECB Amends Guideline on Procedures for Collection of AnaCredit Data

    The European Central Bank (ECB) Guideline 2021/1829 on the procedures for the collection of granular credit and credit risk data has been published in the Official Journal of European Union.

    October 19, 2021 WebPage Regulatory News
    News

    EBA Publishes Standards on Disclosure of Investment Policy Under IFR

    The European Banking Authority (EBA) published the final draft regulatory technical standards on disclosure of investment policy by investment firms, under the Investment Firms Regulation (IFR).

    October 19, 2021 WebPage Regulatory News
    News

    APRA Finalizes Guidance for New Prudential Standard on Remuneration

    The Australian Prudential Regulation Authority (APRA) published the prudential practice guide CPG 511 to assist banks, insurers, and superannuation licensees in meeting requirements of CPS 511, the new prudential standard on remuneration.

    October 18, 2021 WebPage Regulatory News
    News

    OCC Updated LIBOR Self-Assessment Tool for Banks

    The Office of the Comptroller of the Currency (OCC) published a bulletin that provides an updated self-assessment tool for banks to evaluate their preparedness for cessation of the London Interbank Offered Rate (LIBOR).

    October 18, 2021 WebPage Regulatory News
    News

    TCFD Updates Guidance for Financial Disclosures on Climate Risk

    The Financial Stability Board (FSB) published a report that examines the progress made toward disclosures aligned with recommendations of the Task Force on Climate-related Financial Disclosures (TCFD).

    October 14, 2021 WebPage Regulatory News
    News

    BCBS Report Examines Progress on Adoption of Basel III Framework

    The Basel Committee on Banking Supervision (BCBS) published the progress report on adoption of the Basel III regulatory framework in member jurisdictions.

    October 14, 2021 WebPage Regulatory News
    News

    ACPR Implements Updates Related to DPM Version 3.1

    The French Prudential Supervisory Authority (ACPR) has implemented, in its information system, updates linked to the Data Point Model (DPM) version 3.1.

    October 14, 2021 WebPage Regulatory News
    News

    EBA Note Examines Transition Risks of Benchmark Rates

    The European Banking Authority (EBA) published a thematic note that aims to identify and raise awareness of the transition risks of benchmark rates, as the London Interbank Offered Rate (LIBOR) and the Euro Overnight Index Average (EONIA) are close to being phased out.

    October 14, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 7571