Out-Law Analysis | 05 Aug 2020 | 9:30 am | 8 min. read
Eurozone banks regulated by the ECB are required to provide data on their IT risk management and control practices. The ECB's findings are based on a review of this survey data.
While institutions' IT outsourcing expenses have increased by 10% year-on-year according to the ECB's survey, it is clear from the data that banks are still on a path towards addressing significant ICT risks. As regulators continue to adjust their expectations as to what is required, banks will need to continue to review their ICT risk management practices to ensure that they align with those expectations.
There are some recurring themes in the ECB report around ensuring appropriate IT skills in the boardroom, reducing reliance on legacy end-of-life (EOL) systems and considering how to manage change. We expect that regulators will be looking for banks to take steps in all of these areas and to report on their progress.
Below, we consider some areas that the ECB has addressed in its survey report and how all banks can reduce ICT risk through their contracts with outsourcing and other third party providers in relation to these issues.
The ECB is of the view that the banks it regulates are too optimistic in their management of ICT risks and may need to introduce greater governance controls within their risk management frameworks. It has also indicated that it will look more closely at the suitability of boards with respect to their IT expertise in the future.
Head of Fintech Propositions
Banks are likely to consider even more use of cloud-based solutions, which can provide the additional flexibility and agility for which the ECB is advocating.
The ECB appears to have greater confidence in banks which have significant board level IT expertise than those that do not when it comes to their management of IT risks. It said: "These institutions report higher expenditures in terms of IT innovation and a closer monitoring of IT risks. Through their self-assessments – and when compared to banks with fewer numbers of board members with IT expertise - they report their bank's IT risk levels and controls more prudently as worse. But they also present themselves as in better control in several IT risk categories including a lower number of successful [cyberattacks] and less downtime of critical IT systems".
The ECB also highlighted findings that indicate that institutions with the highest ratio of IT innovation budgets have more board members with IT expertise and spend more time discussing IT topics in the monthly or quarterly management board.
While IT governance and board composition priorities are largely internal issues for banks to consider, there are a number of steps banks can take when dealing with suppliers to improve their overall accountability frameworks. These steps include institutions improving the management of outsourcing and monitoring service level performance. The ECB also recommends stricter inclusion of outsourced processes into internal control frameworks, as well as updating business continuity plans and having adequate exit strategies in place.
All of these issues align to the outsourcing requirements in the European Banking Authority (EBA) guidelines on outsourcing, which focus on ensuring that outsourcing contracts contain business continuity provisions and exit management obligations on the supplier. In particular, where outsourced processes are incorporated into internal control frameworks, it will be important to ensure suppliers are able to cooperate and provide the necessary information needed to address the issues required for internal risk and control frameworks.
Complexity of IT infrastructure was another factor which the ECB saw as indicative of increased ICT risk for banks. According to its report, "institutions with a complex IT landscape seem to be more exposed to operational incidents which could potentially have a systemic impact" and "the more complex systems are, the more difficult they are to protect, to control and to change".
Most banks surveyed by the ECB which have "medium to highly complex" IT systems experienced disruptions of critical systems more often, as well as a higher number of successful cyberattacks than those that had less complex systems.
Complexity is not only about the technical aspects of a bank's management of its technology. Banks can reduce some of the complexity by increasing transparency with their service providers. This can be achieved through reporting and cooperation provisions in outsourcing contracts. Banks may also consider procuring additional support around service integration and management, outsourcing management of the risk of complex systems and creating one "throat to choke".
According to the ECB, it is "desirable that institutions continue working on simplifying their IT systems and ensuring sufficient agility". We would suggest this is likely to lead banks to consider even more use of cloud-based solutions, which can provide the additional flexibility and agility for which the ECB is advocating.
In addition to complexity, other factors which the ECB found correlating with an increase in IT security risk included below-average spending on IT; dependency on legacy systems; and a lack of IT expertise.
The ECB said: "The institutions reporting the highest number of successful cyberattacks also reported themselves as having a complex and proprietary IT system architecture" and "institutions with the highest number of cyberattacks also reported a below-average ratio of budgeted IT expenses to total expenses".
Regulators have set out different approaches which banks can take to mitigate ICT security risks arising in the context of third party arrangements. The EBA's guidelines on outsourcing require institutions to comply with appropriate IT standards, define data and system requirements and ensure that they are able to carry out security penetration testing to assess the effectiveness of their supplier's cyber and internal security controls.
In the UK, in the context of cloud outsourcing, the Financial Conduct Authority (FCA) has focussed on encryption practices and identified the need to undertake robust security risk assessments and ensure that encryption keys and similar forms of authentication are kept secure.
Recent draft proposals from the UK's Prudential Regulation Authority (PRA) reminded banks that sub-outsourcing "can amplify" data security risks and highlighted the need for regulated entities to "define, document and understand their and their service providers' respective responsibilities in respect of data security". Its draft proposals provide that regulated entities should make their suppliers aware of their own relevant internal policies relating to information security and operational resilience.
The PRA included a long checklist of matters that regulated entities should consider in order to mitigate IT security risks with its proposals. These include ensuring that there is a mix of preventative and defective measures relating to configuration management; encryption and key management; identity and access management; access and activity logging; incident detection and response; loss prevention and recovery; data segregation if using a multi-tenant environment; operating system; network and firewall configuration; and staff training.
Like the PRA, the European Securities and Markets Authority (ESMA) has provided cloud outsourcing guidelines which set out requirements on clearly allocating information security roles and responsibilities between the regulated entity and the supplier; access management and strong authentication mechanisms; encryption and key management; operations and network security; and the security of application programming interfaces.
Not all of these guidelines are directly applicable to all banks. However, they highlight the growing expectations of regulators that banks will be able to demonstrate their diligence in their approaches towards reducing IT security risks.
The locations of business critical IT operations and data centres; how many times business continuity planning (BCP) or IT continuity frameworks were activated; and the amount of unplanned downtime were all issues the ECB considered in determining the level of IT availability and continuity risks across the sector.
The ECB said: "Nearly all of the institutions have had unplanned downtime occurring on critical IT systems with a visible impact on customer services. Also, in many cases, downtime happened in institutions that provide critical services to other institutions".
According to the figures, "45% of the institutions reported that they had to activate a continuity solution at least once", and there was "a 32% increase of overall downtime in critical IT systems, whilst the overall unplanned downtime of material customer services decreased by 27" compared to the previous year.
These survey results highlight how important it is for banks to understand how to minimise availability and continuity risks through testing regimes, continuous improvement arrangements with suppliers and backup, disaster recovery and incident management controls. Outsourcing contracts address all of these issues, and the fact that this has been raised by the ECB should give further weight to banks in negotiations with suppliers.
Of the surveyed banks, 15% marked their overall self-assessment of IT change risk as 'red'. Some of the concerns included findings that a number of controls had not been implemented by some banks at all - including controls relating to "project-independent quality assurance", "dependencies between projects to be managed by an overarching function", and "IT security controls to be implemented in all phases of the solutions life cycle".
On "change and release management", the ECB found that a significant number of institutions still need to set up release management teams, segregate duties applied through the different phases of the change process and put in place controls for "prioritisation, scheduling and approval of every change by a dedicated management level [or] committee". Authorisation of IT security control changes by relevant managers is another matter that needs to be given attention by a significant number of banks, as is the need to establish emergency change management procedures.
This is consistent with recent findings issued by the FCA in the UK around the root cause of IT outages. Problems have arisen when change has been treated purely as an "IT project" without broader business input.
The ECB raised concerns around the management of data quality. It said: "Most institutions mentioned in their statements that there is a lack of governance" for data quality; and "institutions with a lower risk control maturity often report that IT data quality management implementations are in progress [or] in some cases have just started".
The survey results highlight how important it is for banks to understand how to minimise availability and continuity risks through testing regimes, continuous improvement arrangements with suppliers and backup, disaster recovery and incident management controls.
A lack of human and technical resources, hampering progress, was a significant issue here. The ECB also observed that some banks "did not have defined and documented data architecture, models and dictionaries, and had not validated them with relevant business and IT stakeholders".
The ECD is concerned that "the overall presence of [EOL] systems is increasing, leaving institutions more exposed to possible vulnerabilities" and that "continued reliance on [EOL] systems for critical business processes requires a high degree of management attention".
For these reasons, the ECB plans to increase its focus on putting in place requirements for banks to report on their use of EOL systems which support critical banking activities. Its aim is to decrease dependency on legacy systems.
It is no surprise that the ECB has picked up on this issue. Legacy systems regularly come up as a risk for banks whether in relation to avoiding or managing outages; struggling to respond to the need to create more digital products and services; or being able to compete with fintechs or neo-banks for digital-savvy customers. While the latter represents a business challenge for banks in terms of maintaining and growing market share, it is instability in service performance and slow response times to outages that is clearly on the agenda of regulators.
According to the ECB, "a large number of institutions continue to show a significant dependency on a single external service provider to which they pay at least half of their reported total IT expenses. Cloud outsourcing is becoming noteworthy, with 3% of the overall IT outsourcing expenditure reportedly spent on cloud outsourcing".
The ECB also found an increase in "IT outsourcing, with a slightly higher concentration of risk at the level of individual institutions" and that this has lead to a reduction in accountability as "institutions with the greatest reliance on a single external provider reported a below-average number of IT audits and IT audit employees".
Concentration risk is an issue banks have to grapple with from their own business strategy perspective; and also because they are required to in the context of outsourcing regulations. Consideration of this risk forms part of the due diligence processes that banks engage in prior to engaging in outsourcing. In some areas it is clear that there are a small number of key suppliers for banks to engage with, for example in the context of cloud service provision, but for now banks do have a choice between the large cloud players.
16 May 2017