European Central Bank (ECB) supervision on IT and Cyber Risk has been saved
European Central Bank (ECB) supervision on IT and Cyber Risk
In light of the European Banking Authority’s (EBA) Final Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP), the European Central Bank (ECB), together with national competent authorities, has developed a dedicated SREP IT risk assessment methodology.
This includes the IT Risk Questionnaire (ITRQ), an annual self-assessment submitted by institutions to the ECB Banking Supervision. The ITRQ’s 2020 findings were published in a report in July 2021, which is summarized below.
1. ICT outsourcing
The EBA Guidelines (EBA/GL/2017/05) define the risk of outsourcing information and communications technology (ICT) as: “the risk that engaging a third party, or another Group entity (intragroup outsourcing), to provide ICT systems or related services adversely impacts the institution’s performance and risk management […].” This includes the non-availability of critical outsourced IT services, the loss or corruption of sensitive data entrusted to the service provider, and the significant degradation/failure of the outsourced services.
When the ICT outsourcing risk level scores and maturity risk control scores are taken into consideration, 37% of companies reported a risk level score of 3 (4 being the highest, 1 the lowest), whereas 45% reported a risk control maturity score of 3, a 12% increase from 2018. Overall, it is clear that the supervised entities are becoming more aware of their IT outsourcing risks and how to manage them.
IT outsourcing is still a key pillar for institutions—98% of them have outsourced at least some critical IT activities, while more than 10% have fully outsourced their critical activities in IT operations, IT development and IT security. Inadequate outsourcing management increases the risk that these critical activities are disrupted. The importance of outsourcing is also reflected in the associated budget, which continues to rise.
2. ICT security risk management framework
The percentage of controls not implemented by the surveyed institutions was analyzed over a 3-year period and grouped by ICT risk control category. Whereas all risk control categories (IT governance, IT risk management, IT reporting, etc.) were reported to be 15% or under, data quality management (mainly data classification and protection) were reported to be 29%.
While the number of institutions that have determined their information owners is rising year over year, 26% of respondents have still not done this. A substantial number of institutions (40%) said they were the target of at least one successful cyberattack in 2019, a 43% increase from 2018. At least 70% of the institutions stated they had insurance coverage for cyber risk.
3. ICT risk coverage of internal audit and risk and compliance functions—increase in the IT coverage and FTE numbers
The EBA Guidelines on ICT risk assessment require the internal audit function to provide assurance that ICT strategy implementation risks have been identified, assessed and effectively mitigated, and that the related governance framework is effective.
The IT assurance performed by the internal audit function has increased over the years. Half of the respondents have all their IT functions reviewed by their internal audit function, whereas only 20% of respondents’ internal audit functions review less than 81% of their IT functions.
Of the companies that took part, 14% reported that their internal audit does not have adequate resources both in terms of the number of staff and competency/skills for assessing the IT functions, a minor increase compared with the previous year’s 13%.
According to the EBA Guidelines on internal governance, internal governance must include “all standards and principles concerned with setting an institution’s objectives, strategies and risk management framework; how its business is organized; how responsibilities and authority are defined and clearly allocated; how reporting lines are set up and what information they share; and how the internal control framework is organized and implemented […]”. Therefore, the report assessed the companies’ second and third lines of defense.
The number of FTEs has significantly grown from 2018 to 2019. Of the companies that took part, 350 added employees to the second line of defense and 85 added employees to the third line of defense, reaching 1,837 second-line FTEs and 1,854 third-line FTEs. The functional independence between the first and second lines of defense in the IT risk area was maintained by 95% of the respondents.
4. ICT availability and ICT change management risk—more changes and fewer problems
The EBA Guidelines (EBA/GL/2017/05) defines IT availability and continuity risk as: “the risk that performance and availability of ICT systems and data are adversely impacted, including the inability to timely recover the institution’s services, due to a failure of ICT hardware or software components; weaknesses in ICT system management; or any other event […].” This assesses the institution’s resilience against disruptions and also the business impact of any IT system disruption. Risk level scores increased between 2018 and 2019, which could mean either a greater awareness or actual presence of more risks (the percentage of risks that scored 2 has been decreasing since 2017, while that of score 3 has been increasing overall).
Institutions reported a rise in the number of critical IT systems used, from 33,000 in 2018 to 38,000 in 2019. However, the overall average unplanned downtime of critical IT systems decreased from 2018 (1.2 hours) to 2019 (0.63 hours). The leading causes of unplanned downtime are technical changes, failing infrastructure components and IT application defects. The percentage of institutions triggering their business continuity plans (BCP) or IT continuity plans at least once fell from 45% in 2018 to 35% in 2019, and only 7% triggered them more than 10 times in 2019.
The EBA Guidelines (EBA/GL/2017/05) define ICT change risk as: “the risk arising from the inability of the institution to manage ICT system changes in a timely and controlled manner, in particular for large and complex change programs […].” This risk is significantly affected by major organizational changes, such as mergers, acquisitions and carve-outs, and the inadequacy of IT solutions to business needs.
The number of changes in critical environments increased in 2019 compared with 2018. Still, the number of changes that led to issues decreased to less than a third, with 51% of these issues arising from changes in universal and investment banks. More than 70% of institutions have minimum controls regarding change and release management. The number of institutions relying on end of life (EOL) systems for critical processes rose, due to the complexity of the IT architecture in place. According to the ECB, EOL systems represent 88% of the institutions’ systems deemed to have highly complicated IT architecture. This may be a concern, as suppliers no longer support EOL systems.
5. Data integration
IT data integrity risk is defined, according to the EBA Guidelines (EBA/GL/2017/05), as the risk that data stored and processed by IT systems is incomplete, inaccurate or inconsistent across different systems. This could result from weak or absent IT controls during IT data lifecycles that hinder the institution’s business. IT data integrity risk is assessed through data quality management (defining roles and responsibilities) and data architecture models (managing data models, flows and dictionaries).
Compared with 2018, the percentage of “data quality management” risks that scored 3 (with 4 being the highest) dropped from 64% to 51% in 2019. Similarly, the percentage of “data architecture model” risks that scored 3 decreased from 60% to 52%. While this marks a notable improvement, it is still the area with the fewest risk controls, with 29% of institutions not having implemented data quality management controls or covering related business areas. Institutions reported a lack of human resources to implement these controls correctly.
Based on these assessment results, the ECB Banking Supervision requests that:
- Institutions ensure continuous compliance with all regulatory requirements via their providers, and have a defined process of identifying, assessing and monitoring the possible concentration risk related to third-party providers that deliver services.
- The management body is adequately involved in the institutions’ internal risk control framework. Members need to be informed of the (critical) IT internal audit findings and any action plans and programs that address the findings.
- Roles and responsibilities are defined for managing data integrity in IT systems (e.g., data architects, data officers, data custodians and data owners/stewards) to provide guidance on what data is critical from an integrity perspective. Data quality management should be subject to specific IT controls (e.g., automated input validation controls, data transfer controls and reconciliations) in the different phases of the IT data lifecycle, to identify and resolve IT data integrity issues and properly manage end-user solutions.
How can Deloitte help?
Deloitte helps organizations establish and improve their ICT and security risk management practices by supporting companies in the following areas:
- Regulatory compliance assessment: gap assessment against the regulatory requirements outlined in the EBA Guidelines on ICT and security risk management.
- ICT and security risk management capability enhancement: ICT and security risk management policies and standards, processes, tools and technologies.
- ICT and security risk reporting and culture: ICT, business and board ICT and security risk reporting using key risk indicators (KRIs) to provide visibility to senior management.
- ICT and security risk assessment: ICT and security risk assessment in the context of digital initiatives or major ICT changes, tailored to the organizations’ risk profile and integrated into the organizations’ risk management framework.
- ICT on-site inspection simulation: simulation of competent authorities’ on-site inspections to test the readiness of companies’ processes and practices towards regulatory requirements outlined in the EBA Guidelines.
- Review and support companies’ internal IT audit functions and enhance their internal control framework.
- Remediate their self-identified noncompliance issues.
Our approach and methodology
Deloitte assists banks, PFS, management companies, and other organizations with a rich suite of proven accelerators and tools supported by market insights to address ICT risk management challenges. This includes a tested ICT risk management framework, comprehensive ICT risk and control catalogs aligned with the latest regulatory requirements and standards, and more.