European Central Bank supervision on IT and Cyber Risk

Final Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP)

In light of the European Banking Authority’s (EBA) Final Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP), the European Central Bank (ECB), together with national competent authorities, developed a dedicated SREP IT risk assessment methodology.

This includes the IT Risk Questionnaire (ITRQ), a self-assessment that institutions submitted to the ECB Banking Supervision in Q1 2019. The findings are based on a horizontal analysis of the ITRQ and the observations can be split into six main areas:
1. IT security risk, defined as:

a. The risk of unauthorized access to IT systems and data from within or outside the institution (e.g., cyberattacks);
b. The risk of inadequate internal IT security, such as unauthorized access, unauthorized IT manipulations, security threats due to a lack of awareness, unauthorized storage or transfer of confidential information; and
c. The risk of inadequate physical IT security.

When performing an ICT security risk assessment, institutions must first focus on the leakage of sensitive information and then on the risk of future cyberattacks. The ECB found that IT security is a significant challenge for institutions, based not only on the results of the questionnaire but also on the increasing number of cyber incident reports the ECB receives. In particular, the institutions reporting the highest number of cyberattacks also reported a below-average ratio of budgeted IT expenses to total expenses.

2. IT availability and continuity risk, defined as the risk that the performance and availability of ICT systems and data are adversely impacted, including the inability to recover the institution’s services in a timely manner, due to:

a. A failure of ICT hardware or software components;
b. Weaknesses in ICT system management; or
c. Any other event.

Downtime hinders business availability and continuity; therefore, it is used as a proxy to identify continuity risks. The findings show that institutions have become more prudent in their self-assessment in 2018 compared to 2017; in fact, nearly all institutions experienced unplanned downtime on critical IT systems that had a visible impact on customer services. The overall unplanned downtime of material customer services and critical IT systems decreased by over 25% from 2017 to 2018. There is also a correlation between the complexity of an institution’s IT architecture and an increase in overall and unplanned downtime.

3. IT change risk, which arises from the institution’s inability to manage ICT system changes in a timely and controlled way, in particular for large and complex change programs. An important indicator of change risk is the complexity of an institution’s IT architecture. The findings show that the largest institutions reported the highest numbers of implemented changes to their critical IT systems and, as a result, increased the associated risks. Particularly relevant is the correlation between an institution’s reliance on end-of-life (EOL) systems and its IT architecture complexity, which further increases the associated risks.

4. IT outsourcing risk, defined as the risk of engaging a third party or another group entity (intra-group outsourcing) to provide ICT systems or related services, which adversely impacts the institution’s performance and risk management. In particular, institutions relying on a single external service provider increase their risk significantly (as the old saying goes: do not put all your eggs in one basket). With institutions’ IT outsourcing expenses increasing by 10 percent year over year, and with almost 50 percent of institutions having spent at least half their total IT outsourcing contract value on just one external provider, the concentration risks of outsourcing to a single third party are indeed increasing. Also, in 2018, the ratio of IT outsourcing expenses by category rose from 0 to 3 percent for cloud computing, meaning that the cloud is starting to have an impact on institutions and that this impact is likely to increase dramatically in the near future.

5. IT data integrity risk, defined as a material IT risk that should be closely reviewed by competent authorities. IT data integrity risk can occur when the data stored and processed by IT systems are:

a. Incomplete;
b. Inaccurate; or
c. Inconsistent across different systems.

A fundamental proxy criterion to identify data quality risks is the number of end-user computing (EUC) solutions being used by institutions. These solutions often lack proper quality assurance and testing, which can lead to inadequate data quality. Among the main findings of the year-on-year comparison, the total number of EUC solutions supporting critical activities has increased by about 24 percent, and most institutions (77 percent) reported having at least one EUC solution supporting their critical activities. Indeed, this area has the highest perception of inadequate risk controls in place, with 30 percent of institutions regarding data quality as an area with inadequate controls.

6. IT internal audits, which provide assurance that:

a. The risks associated with ICT strategy implementation have been identified, assessed and effectively mitigated; and
b. The governance framework in place to implement the ICT strategy is effective.

Also, as the management body needs to be adequately involved in the institution’s internal risk control framework, institutions must self-assess the level of involvement of the management body and senior management in the internal audit process, the audit quality, and the reporting to the management body. While the managers who took part were very satisfied with the IT audit function, more than 90 percent of institutions reported that the IT function is covered by internal audits, and institutions reported numerous critical findings that had been open for more than one year. Most of the critical findings reported were related to IT security risk, with IT data integrity risk coming second and IT availability risk coming third.

Based on these findings, the ECB Banking Supervision requests that institutions:

I. Align their data quality frameworks with the ECB Banking Supervision letter on Supervisory expectations on risk data aggregation capabilities and risk reporting practices;
II. Focus on decreasing their dependency on EOL systems;
III. Incorporate their IT and cyber risk functions into the banks’ general risk governance and management framework, with a broad awareness of these risks across the entire organization; and
IV. Assess their internal IT audit functions.

Lastly, the ECB strongly emphasizes the benefits of having at least three IT experts on the board of directors, as the institutions with more experts on their boards report a lower number of cyberattacks. However, this is not necessarily a guarantee of security.


How can Deloitte help?

Deloitte helps organizations establish and improve their ICT and security risk management practices by supporting companies in the following areas:

  • Regulatory compliance assessment: gap assessment against the regulatory requirements outlined in the EBA Guidelines on ICT and security risk management
  • ICT and security risk management capability enhancement: ICT and security risk management policies and standards, processes, tools and technologies
  • ICT and security risk reporting and culture: ICT, business and board ICT and security risk reporting using key risk indicators (KRIs) to provide visibility to senior management
  • ICT and security risk assessment: ICT and security risk assessment in the context of digital initiatives or major ICT changes, tailored to the organizations’ risk profile and integrated into the organizations’ risk management framework
  • Readiness ICT and security assessment: simulation of competent authorities’ on-site inspections to test the readiness of companies’ processes and practices towards regulatory requirements outlined in the EBA Guidelines
  • Internal IT audit review: review and support of internal IT audit functions and enhancement of the internal control framework
  • Remediation: remediation of self-identified noncompliance issues

Our approach and methodology

Deloitte assists banks, PFS, management companies, and other organizations with a rich suite of proven accelerators and tools that are supported by market insights to address ICT risk management challenges. This includes a tested ICT risk management framework, comprehensive ICT risk and control catalogs aligned with the latest regulatory requirements and standards, and more.
