In the recently published 2020 SSM priorities, the inclusion of IT and cyber risks as a key priority for the second year running has underlined once more the importance of this topic for the European Central Bank (ECB). Indeed, the growing potential for cybercrime and the increased concentration risk arising from the reliance on outsourced ICT services and third-party products mean that, more than ever, the focus of banking supervision will centre upon initiatives to address ICT risks and promote cyber resilience in the European financial sector.
From a cross-border perspective, the ECB has launched multiple initiatives over the last five years, such as cooperating with national central banks and other EU institutions (the European Parliament, the European Council, the European Commission and CERT-EU) to encourage information exchange amongst authorities, as well as chairing meetings and working groups formed of a variety of stakeholders.
Furthermore, at a bank level, the ECB continues to monitor banks’ ICT risks via continuous off-site supervision and risk assessments, thematic and horizontal reviews and, since 2015, IT on-site inspections (OSIs). Banks are also required to report major cyber incidents under the SSM cyber incident reporting process so that the ECB can identify and monitor trends and facilitate a fast reaction in the event of a major cyber incident.
As discussed in our article last year, one of the most significant developments in the supervision of ICT risks was the launch in 2018, as well as the continuation in 2019, of a comprehensive self-assessment questionnaire based on the EBA Guidelines on ICT Risk Assessment under the SREP (EBA/GL/2017/05), the results of which were shared in the ECB’s Supervisory Newsletter of May 2019. These high-level results highlighted deficiencies in IT risk management and data quality management, as well as other findings that suggested a general increase in outsourcing and that critical processes in several banks depend on end-of-life systems.
As in 2018, the KPMG ECB Office has produced a Europe-wide survey on ICT risks and the related supervisory expectations to help participating banks identify risk trends and compare their situations with the industry sample.
Our preliminary results suggest that there are some key changes year on year for the banks in our sample. For example, internal IT audit is no longer in the ‘Top 3’ strengths; the sharpening of supervisory scrutiny with respect to internal audit functions, and the fact that many banks do not have adequate resources, in terms of both a sufficient number of staff and adequate competencies, to carry out IT audit activities, may explain this change. Meanwhile, patch and vulnerability management has moved out of the ‘Bottom 3’ weaknesses.
Senior Manager, KPMG ECB Office
KPMG in Germany
Our survey now suggests that the strongest areas in terms of control maturity for banks are:
- Physical security. Banks are able to demonstrate appropriate physical controls around IT assets and are phasing in new features for critical infrastructure, such as biometric checks.
- IT security awareness. Banks continue to foster a risk-based culture. Common approaches include mandatory annual security awareness programmes and training sessions to meet applicable requirements, to give a regular update on the cyber threat landscape and improve responsiveness in case of cyber-attacks.
- Malware prevention. As in the area of IT security, most staff receive regular training to improve awareness and responsiveness around cyber-attacks. As would be expected, banks also report having strong anti-virus and anti-malware precautions in place.
In contrast, our survey identifies the challenging areas in terms of control maturity as:
- Data architecture models. Banks are still struggling to apply data standards and methodologies consistently across multiple entities, as well as meeting documentation requirements in terms of data dictionaries, data modelling and data flows. This is particularly true for banks with fragmented IT systems and weak data oversight.
- Data quality management. Only a few banks have centralised tools to manage risks arising from data quality issues. Most still rely heavily on manual intervention, for example in the field of accounting reconciliations. Furthermore, many banks lack suitable IT controls across the data lifecycle, and some are still in the process of deploying an integrated data management framework.
- Asset inventory and configuration management. Keeping an up-to-date inventory of IT assets remains hard for banks without Configuration Management Database (CMDB) software. As in 2018, many banks see documenting data flows and dependencies between key IT assets as challenging and time-consuming.
Our survey also allows us to shed some light on the levels of staffing and spending that banks are dedicating to IT matters. For example, our survey sample showed that:
- IT personnel account for an average of 22% of full-time equivalents (FTEs) at the legal entity level, rising to 27% among the largest banks.
- The average turnover rate for IT staff is 9.6%, significantly higher than for the total workforce (6.2%). Among the smallest banks, IT staff turnover reaches 12.2%.
- IT vacancies remain open for an average of 2.7 months – almost a quarter of a year.
- IT ‘run-the-bank’ expenses outweigh IT ‘change-the-bank’ costs by 58.1% to 41.9% on average, with the largest banks spending more on change (43.1%) than the smallest (34.6%).
So what are the implications of these results for banks?
In the short term, banks should ensure they are ready to justify their questionnaire responses to their Joint Supervisory Team (JST). A structured approach, including sound documentation, is vital, since assumptions are likely to be challenged and shortcomings could lead to greater scrutiny. Perceived weaknesses could prompt the ECB to launch IT-focused on-site inspections and may affect the findings in banks’ SREP letters.
Looking further ahead, and as already discussed, the fact that IT and cyber risk is again high on the ECB agenda in the recently published 2020 SSM priorities suggests that in the new year we could see the ECB conduct OSIs focusing on cyber security across a number of banks, which would provide greater comparability and insight. Advance preparation and planning will be paramount to demonstrating a sound ICT control environment and to avoiding additional demands in this significant area.