Credit institutions operate in a dynamic digital environment, within the context of constantly rising customer expectations and evolving information technology (IT) landscapes, banking regulations and technical innovation.
In 2020 banks managed to navigate through additional challenges caused by the coronavirus (COVID-19) pandemic, i.e. a significant increase in remote working, an increase in cyber risk, and even greater overall reliance on the continued proper functioning of IT infrastructures, not only their own but also those of third-party IT service providers. Although the observations presented in this report are based on data from the end of 2019 (i.e. before the pandemic), the insights gained are nonetheless useful and can highlight the developments in the management of the IT risk aspects. ECB Banking Supervision is therefore making this report available to the public, as in the previous year. It continues to collect these data to inform the yearly assessment of IT and cyber risk as part of the Supervisory Review and Evaluation Process (SREP).
1 High-level observations
ECB Banking Supervision addresses IT and cyber risks at credit institutions by assessing their risk controls from various angles: through ongoing supervision, the regular assessment of IT-related risks and targeted on-site inspections.
Direct supervision is performed by Joint Supervisory Teams (JSTs) and complies with the European Banking Authority’s (EBA) Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP). As part of the annual SREP, JSTs perform their assessment of IT and cyber risk following a common and standardised methodology which includes the Information Technology Risk Questionnaire (ITRQ). These assessments are complemented by thematic reviews, horizontal analyses on IT risk topics and a reporting framework to inform the JSTs of any significant cyber incident at the supervised credit institutions.
Frequent and targeted on-site inspections also allow ECB Banking Supervision to assess the IT and cyber risk management capabilities at individual institutions, thus contributing to a broader picture for the JSTs.
As in 2017 and 2018, for the reference year 2019 ITRQ self-assessments were provided by over 100 supervised institutions. The answers were used to perform a horizontal analysis at the group level of the significant supervised institutions. Chart 1 shows the percentage of institutions per business model participating in the 2019 data collection...
more at SSM
© ECB - European Central Bank