Taking a step back to look at ICT and cyber risks in the context of COVID-19: where are banks now as we move into the new normal?
Prior to the COVID-19 pandemic, the positioning of the ECB when it came to ICT and cyber risks was clear: they were a key priority. The 2020 SSM risk map identified cybercrime and IT deficiencies as one of the top three risks faced by the euro area banking system. The SSM cyber incident reporting framework has ensured that all directly supervised banks report significant cyber incidents to the ECB as soon as they are detected. For example, in 2019 phishing attacks were the most frequently reported type of incident, followed by distributed denial of service attacks (deliberately overwhelming systems with requests) and accidental data leakages.
So it is no surprise that many of the ECB's expectations in reaction to the pandemic were closely related to IT continuity and cyber risk awareness, as we explored in our article at the beginning of the pandemic. Since one of the main aims of the supervisory response at the outset of the lockdowns was to support banks' focus on key operations and to alleviate the operational challenges they were facing, a number of measures were introduced to mitigate those challenges. However, supervisors have also stepped up their monitoring of banks' orderly operations and called on institutions to review their business continuity plans in the context of COVID-19, with a specific focus on operational resilience and ICT infrastructure.
With these priorities and measures in mind, and at the time of a gradual reopening of European economies as well as measures aimed at easing lockdown conditions, how are supervisors assessing banks’ actions so far?
The EBA Thematic note "The EU banking sector: first insights into the COVID-19 impacts", published on 25 May 2020, notes that banks have so far managed to contain the impact of the crisis on their operations: although many operations and business continuity arrangements were put under strain, banks' critical functions continued to operate, meaning that past efforts to develop business continuity plans have proved to be a worthwhile undertaking. The note goes on to state that the EBA was unaware of any major incident of business disruption attributable to the crisis.
However, the note still acknowledges that the crisis has left banks more vulnerable to cyber-attacks and ICT-related risks. Most of the attempted cyber-attacks and disruptions reported were targeted directly at customers or at ICT infrastructure providers rather than at the banks themselves.
In the eyes of the supervisor, “good student” banks that will manage to steer through the COVID-19 turbulence will come out the other end with:
However, banks that had more difficulty in meeting supervisory expectations should consider undertaking the following actions from a business perspective in order to catch up with the top of the class:
In addition to the business-related implications, the ECB further elaborated on its key areas of concern and reminded banks that they must comply with several sets of EBA guidelines whose implementation dates have not been affected by the pandemic:
Furthermore, it is likely that supervisors will focus on the following actions as the pandemic develops:
Our first impression is that supervisory pressure is not likely to decrease in the area of ICT and cyber risk, and banks should be expected, going forward, to demonstrate at least their ability to ensure business continuity while the majority of their staff are working remotely.
It is clear from the recent ECB statements and publications that state-of-the-art technology, coupled with mature control frameworks, is the crucial asset that has allowed "good student" banks to stay afloat.