The European Central Bank (ECB) published an annual report based on self-assessment of the information technology (IT) and cyber risks by banks. The report is a part of the Supervisory Review and Evaluation Process (SREP) and informs the ongoing supervisory work of ECB. The insights presented in this report are based on the 2019 IT Risk Questionnaire self-assessments of over 100 supervised institutions. All risk-level scores use the same scale, with “1” indicating the lowest risk level and “4” the highest risk level. The questionnaire assesses the IT risk level and risk controls of institutions, with some focus on IT internal audit and IT governance. The overall self-assessment scores for 2019 showed a slight increase, with institutions seeming to be more aware of the risk related to IT outsourcing and ~85% of the institutions reporting that they are using some form of cloud service for their operations.
The questionnaire intended for self-assessment was structured into five IT risk categories defined by EBA—IT security risk, IT availability and continuity risk, IT change risk, IT outsourcing risk, and IT data integrity risk. The report highlights the following assessment of these risks:
- IT Security. The area of IT security remains a challenge for banks. The institutions reported an increase of their overall IT security risk level between 2018 and 2019. Nearly 40% reported that they were the target of at least one successful cyberattack in 2019, representing a 43% increase from 2018. The number of successful cyberattacks, however, varied greatly across the different institutions. Between 20% and 24% of the institutions that had at least one successful cyberattack reported weaknesses in at least one IT security risk control. The majority of institutions also reported that IT security is the category where they have the highest number of overdue IT findings as well as overdue critical IT findings. More than 70% of institutions reported having insurance coverage for cyber risk.
- IT Availability and Continuity Risk. The overall IT availability and continuity risk level scores increased between 2018 and 2019, indicating either a greater awareness or presence of IT availability and continuity risks. The total number of critical IT systems reported by the institutions went up from 33,000 (2018) to more than 38,000 (2019). In 2019, global systemically important banks reported the highest overall unplanned downtime of critical IT systems; however, custodians or asset managers show the highest proportion of unplanned downtime hours per critical IT system for the second consecutive year. The analysis shows a decrease in the overall average unplanned downtime of critical IT systems when compared with previous years. The overall number of critical findings regarding IT availability and continuity risk that have not been remediated for longer than one year was reported to have decreased by nearly 15% compared with 2018.
- IT Change Risk. Between 2018 and 2019, the institutions’ self-assessment scores for the overall risk level remained stable. The institutions’ responses, however, show that attention is needed in certain areas since some of the institutions do not have the appropriate controls in place. These include a release management team is in place, changes to IT security controls are authorized by relevant information/IT security managers after having analyzed the IT security impact, and an asset inventory is maintained and updated. The majority of institutions reported that the risk controls of their project management framework and governance are effective and consistent across their organization and considered related risks to be mitigated. However, based on the responses one-third of the institutions have not implemented independent quality assurance supporting the implementation of critical projects.
- Outsourcing Risk. The institutions seem to be more aware of the risk related to IT outsourcing, which is shown by an increase in the highest score (4) compared with 2018. IT outsourcing continues to be a key pillar for institutions, as 98% of them outsource (at least some) critical IT activities, while more than 10% have fully outsourced critical activities in IT operations, IT development, and IT security. Inadequate outsourcing management increases the risk of disruption of these critical activities. The importance of outsourcing is also reflected in the associated budget, which continues to increase. The majority of the institutions (85%) reported that they are using some form of cloud service for their operations; this is reflected in a budget that has nearly doubled.
- IT Data Integrity Risk. The IT risk level reported by the institutions shows a steady increase compared with 2018. IT data quality management remains the least mature risk control category when compared with the other control categories. Furthermore, the trend shows that the situation does not seem to be improving.
Related Link: Annual Report
Keywords: Europe, EU, Banking, Cyber Risk, SREP, IT Risk, Governance, Outsourcing, Data Integrity, Internal Controls, Cloud Computing, ECB
The European Banking Authority (EBA) proposed implementing technical standards on the interest rate risk in the banking book (IRRBB) reporting requirements, with the comment period ending on May 02, 2023.
The U.S. Federal Reserve Board (FED) set out details of the pilot climate scenario analysis exercise to be conducted among the six largest U.S. bank holding companies.
The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.
The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.
The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.
The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.
The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.
The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.
The European Banking Authority (EBA) published regulatory standards on identification of a group of connected clients (GCC) as well as updated the lists of identified financial conglomerates.
The General Board of the European Systemic Risk Board (ESRB), at its December meeting, issued an updated risk assessment via the quarterly risk dashboard and held discussions on key policy priorities to address the systemic risks in the European Union.