Featured Product

    ECB Presents Outcomes from Analysis of IT Risks at Supervised Banks

    July 24, 2020

    ECB published a report on the outcome of the Supervisory Review and Evaluation Process (SREP) IT risk questionnaire. The report presents the key observations and conclusions based on an analysis of the IT risk questionnaire, for which self-assessments were submitted to ECB Banking Supervision in the first quarter of 2019 by the significant supervised institutions. The key observations are in the areas of IT governance, data quality management and IT risk management, data integrity risk, IT security, IT outsourcing, and IT audit and examinations. Overall, the institutions reported an improvement in addressing critical findings, though the majority of critical findings not addressed for more than a year are related to IT security risk. Considering the increasing use of IT outsourcing, including cloud computing, ECB Banking Supervision emphasized that it expects full compliance with the applicable regulation regarding outsourcing within the respective timeline.

    In the light of the EBA guidelines on Information and Communication Technology (ICT) risk assessment under SREP, ECB Banking Supervision together with the national competent authorities developed a dedicated SREP IT risk assessment methodology. This includes the IT risk questionnaire as a form of standardized information collection from supervised institutions for the comprehensive assessment of all IT risk areas. Throughout 2019, ECB Banking Supervision has continued to treat IT and cyber risks as a supervisory priority. The recent horizontal analysis reveals a number of observations:

    • The supervised institutions are seen to have shifted to more prudent self-assessments, but for some IT risk areas they remain too optimistic in their self-assessments. IT governance has been characterized by overly optimistic self-assessment by the institutions while data quality management and IT risk management were reported as the weakest among all areas.
    • The analysis shows that data integrity risk continues to be of concern. It is desirable that institutions align their data quality frameworks with the ECB Banking Supervision letter that had set out supervisory expectations on risk data aggregation capabilities and risk reporting practices.
    • With respect to IT security, the analysis confirmed that IT security continues to be a significant challenge for institutions. It also highlights the need for institutions to further improve their IT security control measures. From a general point of view, IT and cyber risk should form part of the banks’ general risk governance and management framework, and there should be broad awareness of these risks across the entire organisation.
    • The continued reliance on end-of-life (EOL) systems for critical business processes requires a high degree of management attention. Therefore, it is desirable that institutions continue working on simplifying their IT systems and ensuring sufficient agility. ECB Banking Supervision plans to increase its focus on institutions that report having EOL systems supporting critical banking activities, with the aim of decreasing their dependency on EOL systems.
    • The analysis showed an increase in IT outsourcing, with a slightly higher concentration of risk at the level of individual institutions. Several institutions have reported losses due to unavailability and/or poor quality of outsourced services. ECB Banking Supervision is placing greater emphasis on outsourcing activities, including cloud outsourcing, and their monitoring by the institutions. In line with the EBA guidelines on outsourcing arrangements, ECB Banking Supervision expects full compliance with the applicable regulation regarding outsourcing within the respective timeline.
    • The institutions reported an improvement in addressing critical findings. The majority of critical findings not addressed for more than a year are related to IT security risk. It would be desirable that all of the institutions’ critical IT functions to be assessed by their internal IT audit functions.

    This publication is designed to share insights from the analysis and increase awareness on the overall IT risk management within the supervised institutions. The desired outcome would be for institutions to further improve their resilience, which is seen as a critical factor for financial stability.

     

    Related Link: Report (PDF)

     

    Keywords: Europe, EU, Banking, SREP, Technology Risk, Governance, Outsourcing, Cyber Risk, Cloud Computing, EBA, ECB

    Related Articles
    News

    EBA Issues Erratum for Phase 2 Package of Reporting Framework 3.0

    EBA published an erratum for the technical package on phase 2 of the reporting framework 3.0.

    April 08, 2021 WebPage Regulatory News
    News

    EBA Updates Lists of Entities for Use in Capital Calculations under SA

    EBA published an erratum for the technical package on phase 2 of the reporting framework 3.0.

    April 08, 2021 WebPage Regulatory News
    News

    MAS Amends Notice on Related Party Transactions of Banks

    MAS amended Notice 643A that addresses requirements for banks to prepare statements of exposures and credit facilities to related concerns or parties.

    April 08, 2021 WebPage Regulatory News
    News

    ECB Amends Guideline on Euro Short-Term Rate

    ECB has published, in the Official Journal of the European Union, the Guideline 2021/565 on the euro short-term rate (€STR) and this guideline amends the previous ECB Guideline 2019/1265.

    April 07, 2021 WebPage Regulatory News
    News

    EBA Consults on Standards Related to FRTB-SA

    EBA launched a consultation on the draft regulatory technical standards on the list of countries with an advanced economy for calculating the equity risk under the alternative standardized approach (FRTB-SA).

    April 07, 2021 WebPage Regulatory News
    News

    PRA Proposes Rules Related to IRB Approach for Credit Risk

    PRA is proposing, via CP7/21, the approach to implementing new requirements related to the specification of the nature, severity, and duration of an economic downturn in the internal ratings-based (IRB) approach to credit risk.

    April 07, 2021 WebPage Regulatory News
    News

    BoE Outlines Regulatory Treatment of Recovery Loan Scheme of UK

    The UK government launched the Recovery Loan Scheme (RLS) as part of its continued COVID-19 support for UK businesses, as announced by HM Treasury on March 03, 2021.

    April 06, 2021 WebPage Regulatory News
    News

    FSB Addresses G20 on COVID Measures, TBTF Reforms, and Climate Risks

    FSB published a letter, from its Chair Randal K. Quarles, to the G20 Finance Ministers and Central Bank Governors, ahead of their virtual meeting on April 07, 2021.

    April 06, 2021 WebPage Regulatory News
    News

    OSFI Unwinds Temporary Increase to Covered Bond Limit for Banks

    OSFI issued a letter to the deposit-taking institutions issuing covered bonds and announced the unwinding of the temporary increase to the covered bond limit for deposit-taking institutions, effective immediately.

    April 06, 2021 WebPage Regulatory News
    News

    EU Amends CRR and Securitization Regulation in Response to Pandemic

    To support recovery from the COVID-19 crisis, EU has published two regulations to amend the securitization framework, as set out in the Securitization Regulation (2017/2402) and the Capital Requirements Regulation or CRR (575/2013).

    April 06, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 6826