The European Central Bank (ECB) published an annual report based on self-assessment of the information technology (IT) and cyber risks by banks. The report is a part of the Supervisory Review and Evaluation Process (SREP) and informs the ongoing supervisory work of ECB. The insights presented in this report are based on the 2019 IT Risk Questionnaire self-assessments of over 100 supervised institutions. All risk-level scores use the same scale, with “1” indicating the lowest risk level and “4” the highest risk level. The questionnaire assesses the IT risk level and risk controls of institutions, with some focus on IT internal audit and IT governance. The overall self-assessment scores for 2019 showed a slight increase, with institutions seeming to be more aware of the risk related to IT outsourcing and ~85% of the institutions reporting that they are using some form of cloud service for their operations.
The questionnaire intended for self-assessment was structured into five IT risk categories defined by EBA—IT security risk, IT availability and continuity risk, IT change risk, IT outsourcing risk, and IT data integrity risk. The report highlights the following assessment of these risks:
- IT Security. The area of IT security remains a challenge for banks. The institutions reported an increase of their overall IT security risk level between 2018 and 2019. Nearly 40% reported that they were the target of at least one successful cyberattack in 2019, representing a 43% increase from 2018. The number of successful cyberattacks, however, varied greatly across the different institutions. Between 20% and 24% of the institutions that had at least one successful cyberattack reported weaknesses in at least one IT security risk control. The majority of institutions also reported that IT security is the category where they have the highest number of overdue IT findings as well as overdue critical IT findings. More than 70% of institutions reported having insurance coverage for cyber risk.
- IT Availability and Continuity Risk. The overall IT availability and continuity risk level scores increased between 2018 and 2019, indicating either a greater awareness or presence of IT availability and continuity risks. The total number of critical IT systems reported by the institutions went up from 33,000 (2018) to more than 38,000 (2019). In 2019, global systemically important banks reported the highest overall unplanned downtime of critical IT systems; however, custodians or asset managers show the highest proportion of unplanned downtime hours per critical IT system for the second consecutive year. The analysis shows a decrease in the overall average unplanned downtime of critical IT systems when compared with previous years. The overall number of critical findings regarding IT availability and continuity risk that have not been remediated for longer than one year was reported to have decreased by nearly 15% compared with 2018.
- IT Change Risk. Between 2018 and 2019, the institutions’ self-assessment scores for the overall risk level remained stable. The institutions’ responses, however, show that attention is needed in certain areas since some of the institutions do not have the appropriate controls in place. These include a release management team is in place, changes to IT security controls are authorized by relevant information/IT security managers after having analyzed the IT security impact, and an asset inventory is maintained and updated. The majority of institutions reported that the risk controls of their project management framework and governance are effective and consistent across their organization and considered related risks to be mitigated. However, based on the responses one-third of the institutions have not implemented independent quality assurance supporting the implementation of critical projects.
- Outsourcing Risk. The institutions seem to be more aware of the risk related to IT outsourcing, which is shown by an increase in the highest score (4) compared with 2018. IT outsourcing continues to be a key pillar for institutions, as 98% of them outsource (at least some) critical IT activities, while more than 10% have fully outsourced critical activities in IT operations, IT development, and IT security. Inadequate outsourcing management increases the risk of disruption of these critical activities. The importance of outsourcing is also reflected in the associated budget, which continues to increase. The majority of the institutions (85%) reported that they are using some form of cloud service for their operations; this is reflected in a budget that has nearly doubled.
- IT Data Integrity Risk. The IT risk level reported by the institutions shows a steady increase compared with 2018. IT data quality management remains the least mature risk control category when compared with the other control categories. Furthermore, the trend shows that the situation does not seem to be improving.
Related Link: Annual Report
Keywords: Europe, EU, Banking, Cyber Risk, SREP, IT Risk, Governance, Outsourcing, Data Integrity, Internal Controls, Cloud Computing, ECB
Previous ArticleACPR Issues an Update on FINREP and SURFI Reporting Requirements
The European Commission (EC) announced plans to defer the application of 13 regulatory technical standards under the Sustainable Finance Disclosure Regulation (2019/2088) by six months, from January 01, 2022 to July 01, 2022.
The Bank of England (BoE) published a consultation paper on approach to setting minimum requirement for own funds and eligible liabilities (MREL), an operational guide on executing bail-in, and a statement from the Deputy Governor Dave Ramsden.
The European Banking Authority (EBA) is seeking preliminary input on standardization of the proportionality assessment methodology for credit institutions and investment firms.
Certain regulatory authorities in the US are extending period for completion of the review of certain residential mortgage provisions and for publication of notice disclosing the determination of this review until December 20, 2021.
The Prudential Regulation Authority (PRA) published the policy statement PS18/21, which introduces an amendment in the definition of "higher paid material risk taker" in the Remuneration Part of the PRA Rulebook.
The European Banking Authority (EBA) published its annual report on asset encumbrance in banking sector.
The European Banking Authority (EBA) published a methodological guide to mystery shopping.
The Australian Prudential Regulation Authority (APRA) released a letter to authorized deposit-taking institutions to provide an update on key policy settings for the capital framework reforms, which will come into effect from January 01, 2023.
The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) published a report that assesses the business continuity planning activities of financial market infrastructures or FMIs.
The European Securities and Markets Authority (ESMA) has responded to the IFRS consultation on targeted amendments to the IFRS Foundation constitution to accommodate an International Sustainability Standards Board (ISSB) to set IFRS Sustainability Standards.