Banks must tighten outsourcing arrangements to address IT risks, say regulators

Out-Law News | 23 Sep 2014 | 12:42 pm | 1 min. read

Banks must strengthen their governance over arrangements with IT suppliers to address rising concerns about IT outages and cyber security breaches, European financial regulators have said.

The Joint Committee of the European Supervisory Authorities (JCESA), which represents the European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority, said banks and other financial institutions "do not yet appear" to sufficiently understand the IT risks they face (16-page / 520KB PDF).

"In practice, firms need professional and operational IT risk and security management, which plans, implements, checks and adapts the IT security controls and informs operational risk management about specific IT risks," the report by JCESA said. "Moreover, subdued profitability across sectors and pressures to reduce costs persist and risk compromising efforts to attain increased resilience against IT-related operational risks."

"It is important in such an environment to ensure that IT systems and related internal controls are safeguarded against budgetary pressures and remain robust. A strong, professional risk culture which can swiftly react to new threats and deliver appropriate levels of employee awareness about evolving risks is needed… Institutions should … reinforce IT controls and audits covering all parties along the value-added chain of IT (e.g. IT-service providers, third-party providers and IT-outsourcing providers)," it said.

The report highlighted research which found that most of the world's biggest banks have experienced "security incidents" related to their websites in the past eight years and that the financial services sector as a whole is a target for more cyber crime than other industries.

It said that companies operating in the sector have nonetheless taken some action to address the IT risks they face, such as increasing their spending on IT security and resilience, strengthening governance arrangements and putting in place business continuity plans. However, JCESA said national regulators must "caution whether this general perspective captures relevant risks adequately".

The report said that regulators must improve their own knowledge and understanding of IT risks facing industry and "should factor the mitigation of IT-related risks into regular risk assessments, including IT inspections with the necessary scope and depth".

"Supervisors are encouraged to ensure that banks, insurers, investors and other market participants devote sufficient resources and due care in the proper management of their digital environment and risks," JCESA said. "There is also a need for improved cross-border cooperation within the EU, especially since the scale of the IT problems often exceeds the domestic scene and coordinated efforts are often necessary to mitigate or treat IT risks. At the same time attention must be paid to the fact that redress and litigation costs as the consequences of materialised cyber-related threats can be high. These potential costs should be adequately provisioned or covered by financial institutions."

Earlier this year, the UK's Financial Conduct Authority (FCA) issued a regulatory checklist for banks to consider before entering into IT outsourcing contracts.