Taking a step back to look at ICT and cyber risks in the context of COVID-19: where are banks now as we move into the new normal?

Prior to the COVID-19 pandemic, the positioning of the ECB when it came to ICT and cyber risks was clear: they were a key priority. The 2020 SSM risk map identified cybercrime and IT deficiencies as one of the top three risks faced by the euro area banking system. The SSM cyber incident reporting framework has ensured that all directly supervised banks report significant cyber incidents to the ECB as soon as they are detected. For example, in 2019 phishing attacks were the most frequently reported type of incident, followed by distributed denial of service attacks (deliberately overwhelming systems with requests) and accidental data leakages.

So it is no surprise that many of the ECB expectations in reaction to the pandemic were closely related to IT continuity and cyber risk awareness, and we explored that in our article at the beginning of the pandemic. Since one of the main aims of the supervisory response during the outset of many lockdowns was to support banks’ focus on key operations and to alleviate operational challenges banks were facing, a number of measures were introduced to mitigate them. However, supervisors have also stepped up their monitoring of banks’ orderly operations, and called on institutions to review their business continuity plans in the context of COVID-19 with a specific focus on banks’ operational resilience and ICT infrastructure.

With these priorities and measures in mind, and at the time of a gradual reopening of European economies as well as measures aimed at easing lockdown conditions, how are supervisors assessing banks’ actions so far?

The EBA Thematic note (PDF 3.2 MB) “The EU banking sector: first insights into the COVID-19 impacts” published on 25 May 2020 notes that so far banks did in fact manage to contain the impact of the crisis on their operations, and despite the fact that many operations and business continuity were put under strain, banks’ critical functions continued to operate, meaning that past efforts to develop business continuity plans have proved to be a worthwhile undertaking. The note goes on to state that they were unaware of any major incident of business disruption attributable to the crisis.

However, the note still acknowledges that the crisis has left banks more vulnerable to cyber-attacks and ICT-related risks. Most incidences of cyber-attacks attempts and disruptions reported were mostly targeted directly at customers or ICT infrastructure providers rather than at the banks themselves.

In the eyes of the supervisor, “good student” banks that will manage to steer through the COVID-19 turbulence will come out the other end with:

• Designed risk management processes that will remain relevant in the face of heightened cyber and operational risks;
• Automated wealth management models tested through extreme market volatility; and
• Upgraded digital channels and their operating models to the new, digital normal.

However, banks who had more difficulty in meeting supervisory expectations should consider undertaking the following actions from a business perspective in order to catch up with the top of the class:

• Scale up digital solutions but at the same time retain the ability to provide personalised, face-to-face services to some customers;
• Address low profitability and the looming threat of an increase in NPL by cutting costs investing in innovation to ensure the sustainability of business models;
• Allocate sufficient resources to data and cyber security;
• Find methods to finding ways to increase flexibility without compromising security for access management, considering that remote working levels will become more likely in the future, including more secure video conferencing services;
• For banks that use private cloud, consider moving parts of IT operations to the public cloud due to the fact that updates to private cloud require team members to be physically on site.

In addition to the business-related implications, the ECB further elaborated on their key areas of concerns and reminded banks that they must comply with several sets of guidelines from the EBA for which their implementation date has not been affected by the pandemic:

• Banks should have tried-and-tested crisis and incident management processes in place, together with sound detection, response and recovery procedures, in accordance with the EBA Guidelines on ICT and security risk management;
• The ECB is still concerned that some banks concentrate on only one outsourcing provider. Banks should comply with the applicable regulation on outsourcing and follow the EBA revised Guidelines on outsourcing arrangements.

Furthermore, it is likely that supervisors will focus on the following actions as the pandemic develops:

• Continue to monitor banks’ capability to implement their business continuity plans in the current circumstances;
• Keep a close eye on new emerging risks (concentration risks arising from remote working, dependency on single providers etc.);
• Assess if boards and internal control functions fully understand the main risks related to innovative technologies;
• Evaluate if robust cyber incident protection procedures are in place and are adjusted to the new remote working conditions; and
• In addition, based on the 2019 ECB IT Risk Questionnaire results assessment, an expectation that banks reduce their dependency on end-of-life systems, and increase their audits of critical IT functions.

Our first impression is that supervisory pressure is not likely to decrease in the area of ICT and cyber risk, and banks should be expected to at least demonstrate going forward their ability to ensure business continuity while the majority of their staff is working remotely.

It is clear from the recent ECB statements and publications that state-of-the-art technology coupled with mature control frameworks is the crucial asset that allowed “good student” banks to stay afloat.