In the recently published 2020 SSM priorities, the inclusion of IT and cyber risk as a key priority for the second year running has underlined once more the importance of this topic for the European Central Bank (ECB). Indeed, the growing potential for cybercrime, together with the increased concentration risk arising from reliance on outsourced ICT services and third-party products, means that, more than ever, banking supervision will centre on initiatives that address ICT risk and promote cyber resilience in the European financial sector.
From a cross-border perspective, the ECB has launched multiple initiatives over the last five years, such as cooperating with national central banks and other EU institutions (the European Parliament, the European Council, the European Commission and CERT-EU) to encourage information exchange amongst authorities, and chairing meetings and working groups formed of a variety of stakeholders.
Furthermore, at the level of individual banks, the ECB continues to monitor ICT risk through ongoing off-site supervision and risk assessments, thematic and horizontal reviews and, since 2015, IT on-site inspections (OSIs). Banks are also required to report major cyber incidents under the SSM cyber incident reporting process, so that the ECB can identify and monitor trends and facilitate a fast reaction in the event of a major cyber incident.
As discussed in our article last year, one of the most significant developments in the supervision of ICT risk was the launch in 2018, and continuation in 2019, of a comprehensive self-assessment questionnaire based on the EBA Guidelines on ICT Risk Assessment under the SREP (EBA/GL/2017/05), the results of which were shared in the ECB's Supervisory Newsletter of May 2019. These high-level results highlighted deficiencies in IT risk management and data quality management, and other findings suggested a general increase in outsourcing and that critical processes in several banks depend on end-of-life systems.
As in 2018, the KPMG ECB Office has produced a Europe-wide survey on ICT risks and the related supervisory expectations, to help participating banks identify risk trends and compare their situation with the industry sample.
Our preliminary results suggest some key changes year on year for the banks in our sample. For example, Internal IT audit is no longer in the 'Top 3' strengths. This change may be explained by the sharpening of supervisory scrutiny of Internal Audit functions, and by the fact that many banks lack adequate resources, in terms of both a sufficient number of staff and the competencies needed, to carry out IT audit activities. Meanwhile, Patch and vulnerability management has moved out of the 'Bottom 3' weaknesses.
Our survey now suggests that the strongest areas in terms of control maturity for banks are:
In contrast, our survey identifies the challenging areas in terms of control maturity as:
Our survey also allows us to shed some light on the levels of staffing and spending that banks are dedicating to IT matters. For example, our survey sample showed that:
In the short term, banks should ensure they are ready to justify their questionnaire responses to their Joint Supervisory Team (JST). A structured approach, including sound documentation, is vital: assumptions are likely to be challenged, and shortcomings could lead to greater scrutiny. Weaknesses perceived by the ECB could trigger IT-focused on-site inspections and may affect the findings in a bank's SREP letter.
Looking further ahead, and as already discussed, the fact that IT and cyber risk again ranks high in the recently published 2020 SSM priorities suggests that in the new year we could see the ECB conduct OSIs focusing on cyber security across a number of banks, which would provide greater comparability and insight. Advance preparation and planning will be paramount to demonstrating a sound ICT control environment and to avoiding additional supervisory demands in this significant area.