The European Central Bank (ECB) published an annual report based on self-assessment of the information technology (IT) and cyber risks by banks. The report is a part of the Supervisory Review and Evaluation Process (SREP) and informs the ongoing supervisory work of ECB. The insights presented in this report are based on the 2019 IT Risk Questionnaire self-assessments of over 100 supervised institutions. All risk-level scores use the same scale, with “1” indicating the lowest risk level and “4” the highest risk level. The questionnaire assesses the IT risk level and risk controls of institutions, with some focus on IT internal audit and IT governance. The overall self-assessment scores for 2019 showed a slight increase, with institutions seeming to be more aware of the risk related to IT outsourcing and ~85% of the institutions reporting that they are using some form of cloud service for their operations.
The questionnaire intended for self-assessment was structured into five IT risk categories defined by EBA—IT security risk, IT availability and continuity risk, IT change risk, IT outsourcing risk, and IT data integrity risk. The report highlights the following assessment of these risks:
- IT Security. The area of IT security remains a challenge for banks. The institutions reported an increase of their overall IT security risk level between 2018 and 2019. Nearly 40% reported that they were the target of at least one successful cyberattack in 2019, representing a 43% increase from 2018. The number of successful cyberattacks, however, varied greatly across the different institutions. Between 20% and 24% of the institutions that had at least one successful cyberattack reported weaknesses in at least one IT security risk control. The majority of institutions also reported that IT security is the category where they have the highest number of overdue IT findings as well as overdue critical IT findings. More than 70% of institutions reported having insurance coverage for cyber risk.
- IT Availability and Continuity Risk. The overall IT availability and continuity risk level scores increased between 2018 and 2019, indicating either a greater awareness or presence of IT availability and continuity risks. The total number of critical IT systems reported by the institutions went up from 33,000 (2018) to more than 38,000 (2019). In 2019, global systemically important banks reported the highest overall unplanned downtime of critical IT systems; however, custodians or asset managers show the highest proportion of unplanned downtime hours per critical IT system for the second consecutive year. The analysis shows a decrease in the overall average unplanned downtime of critical IT systems when compared with previous years. The overall number of critical findings regarding IT availability and continuity risk that have not been remediated for longer than one year was reported to have decreased by nearly 15% compared with 2018.
- IT Change Risk. Between 2018 and 2019, the institutions’ self-assessment scores for the overall risk level remained stable. The institutions’ responses, however, show that attention is needed in certain areas since some of the institutions do not have the appropriate controls in place. These include a release management team is in place, changes to IT security controls are authorized by relevant information/IT security managers after having analyzed the IT security impact, and an asset inventory is maintained and updated. The majority of institutions reported that the risk controls of their project management framework and governance are effective and consistent across their organization and considered related risks to be mitigated. However, based on the responses one-third of the institutions have not implemented independent quality assurance supporting the implementation of critical projects.
- Outsourcing Risk. The institutions seem to be more aware of the risk related to IT outsourcing, which is shown by an increase in the highest score (4) compared with 2018. IT outsourcing continues to be a key pillar for institutions, as 98% of them outsource (at least some) critical IT activities, while more than 10% have fully outsourced critical activities in IT operations, IT development, and IT security. Inadequate outsourcing management increases the risk of disruption of these critical activities. The importance of outsourcing is also reflected in the associated budget, which continues to increase. The majority of the institutions (85%) reported that they are using some form of cloud service for their operations; this is reflected in a budget that has nearly doubled.
- IT Data Integrity Risk. The IT risk level reported by the institutions shows a steady increase compared with 2018. IT data quality management remains the least mature risk control category when compared with the other control categories. Furthermore, the trend shows that the situation does not seem to be improving.
Related Link: Annual Report
Keywords: Europe, EU, Banking, Cyber Risk, SREP, IT Risk, Governance, Outsourcing, Data Integrity, Internal Controls, Cloud Computing, ECB
The three European Supervisory Authorities (ESAs) issued a letter to inform about delay in the Sustainable Finance Disclosure Regulation (SFDR) mandate, along with a Call for Evidence on greenwashing practices.
The International Sustainability Standards Board (ISSB) of the IFRS Foundations made several announcements at COP27 and with respect to its work on the sustainability standards.
The International Organization for Securities Commissions (IOSCO), at COP27, outlined the regulatory priorities for sustainability disclosures, mitigation of greenwashing, and promotion of integrity in carbon markets.
The European Banking Authority (EBA) issued a statement in the context of COP27, clarified the operationalization of intermediate EU parent undertakings (IPUs) of third-country groups
The Office of the Superintendent of Financial Institutions (OSFI) published an annual report on its activities, a report on forward-looking work.
The Australian Prudential Regulation Authority (APRA) finalized amendments to the capital framework, announced a review of the prudential framework for groups.
The Bank for International Settlements (BIS) Innovation Hubs and several central banks are working together on various central bank digital currency (CBDC) pilots.
The European Central Bank (ECB) published the results of its thematic review, which shows that banks are still far from adequately managing climate and environmental risks.
Among its recent publications, the European Banking Authority (EBA) published the final standards and guidelines on interest rate risk arising from non-trading book activities (IRRBB)
The European Commission (EC) recently adopted regulations with respect to the calculation of own funds requirements for market risk, the prudential treatment of global systemically important institutions (G-SIIs)