13 November 2024

SSM: Evolving IT and cybersecurity risks


ECB Banking Supervision continuously evaluates banks’ management of IT risk, with supervisors’ findings from on-site inspections and banks’ IT risk reporting providing two major sources of information. As has been emphasised in recent years, banks still have work to do across a range of measures.

They must ensure that their defences and their risk management framework are fit for purpose. IT risks and cyber threats are constantly evolving as bad actors innovate and try to find new ways of penetrating a bank’s defences. It is therefore critical that banks invest in their resilience and that they can quickly respond and recover if necessary.

Rising cybersecurity threats: ransomware and ICT third-party service providers

The banking sector has witnessed a surge in significant cyber incidents over the last year. There has been no major impact to date, but banks should not become complacent – instead, they should stay alert to threats and well prepared to deal with them.

Ransomware attacks have emerged as a particularly concerning threat with the potential to disrupt banking operations and compromise sensitive information. Attacks on information and communication technology (ICT) third-party service providers have highlighted the risk of spillover effects: weaknesses in one provider can cascade and affect not just one but many interconnected banks.

Some banks are still facing challenges in implementing basic cybersecurity controls, and many key areas remain insufficiently developed in certain banks. These areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities, and identity and access management. Moreover, IT security risk assessment frameworks require significant improvement.

IT outsourcing risk: navigating dependencies and concentration

The already-substantial reliance on third-party service providers is continuing to grow. Cloud expenses are increasing, although at a slower pace than last year. Banks need to understand the potential for concentration risk and keep a watchful eye out for sectoral developments. The Digital Operational Resilience Act, which will enter into force in January 2025, emphasises that the ultimate responsibility for managing such risks lies with banks’ boards. This means that banks need to ensure they have appropriate management and oversight of outsourcing arrangements in place. This should encompass pre-outsourcing analysis, continuous monitoring of service levels and contract adherence, adequate exit strategies (regularly tested) and the involvement of relevant third-party service providers in crisis response plans. Supervisory reviews carried out in 2023 identified weaknesses in these areas, underscoring the need for enhanced governance and oversight.

IT change risk: managing change and innovation

As banks’ IT infrastructure evolves, the number of IT projects (and related spending) is on the rise. Many of these projects are part of broader digital transformation initiatives. Improving IT infrastructure is essential but IT changes, whether large or small, must be managed thoroughly. This is especially important because incidents related to IT changes remain the most prevalent root cause of unplanned downtime in critical IT systems....

 more at SSM



© ECB - European Central Bank

