Supervisory bodies call on banks to address operational risks to IT infrastructure

Out-Law News | 04 Apr 2014 | 5:11 pm

Banks and insurance companies should be called upon to improve and test the resilience of their systems against cyber attacks and ensure their plans to continue serving customers following such attacks are "robust", according to a group of supervisory authorities.

The Joint Committee of the European Supervisory Authorities, which comprises the European Banking Authority (EBA), European Securities and Markets Authority (ESMA) and European Insurance and Occupational Pensions Authority (EIOPA), identified "cyber incidents and/or malicious attacks" as presenting a growing risk to IT infrastructure relied on by financial institutions.

In a new report on risks and vulnerabilities in the EU financial system (31-page / 1.34MB PDF), the Joint Committee called on financial institutions to ensure that "IT systems and related internal controls are safeguarded against adverse budgetary implications and remain robust" in light of the prevalence of cyber attacks within the industry.

It referenced figures from a recent survey by the International Organisation of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) showing that more than half of WFE members had experienced a cyber incident in 2012, and also highlighted growing demand for cyber insurance policies in both the US and Europe. WFE is the trade association for the world's regulated stock exchanges.

"The UK's Financial Conduct Authority (FCA) has also acted recently, identifying IT issues in bank systems as one of its key focus areas for the next 12 months – the Joint Committee has been broader ranging than this and picked up on the challenges that are also facing insurers," technology and financial services expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said.

The Joint Committee said that the level of IT security and cyber resilience that financial institutions should ensure is in place will depend on "the nature and conduct" of the individual businesses, but it said the measures should offer "adequate" security and resilience in every case. It said regulators should conduct "IT inspections" at companies.

"Supervisors should aim at attaining sufficiently deep technical insights and include IT inspections with a necessary scope and depth, while institutions should strive for improved IT controls and IT audits," the Joint Committee said in its report. "Moreover, the overall resilience of market participants to cyber attacks and the robustness of business continuity plans should be improved and tested, not least in the light of the rapid development and transformative nature of technologies."

The Joint Committee also identified risks in integrating different IT systems when financial institutions merge, and added that some companies in the financial services sector are failing to maintain their systems properly.

"While consolidation in the financial sector continues with mergers and acquisitions of institutions, interaction with legacy or heterogeneous IT systems deserves heightened attention, as particular weaknesses, such as inability to cope with volume of use, can be identified here," it said. "At the same time, there is an increasing need for IT systems to be very agile to adapt to future business and regulatory requirements. However, even the maintenance of existing infrastructures is not sufficiently addressed in some cases, and needs to rapidly adapt to new threats which are not always fully provisioned within existent budgets."

Angus McFadyen of Pinsent Masons said integrating core, legacy systems with new digital technology that many businesses want to take advantage of "is an issue that many institutions are grappling with". He said there were examples in some transformational IT projects where "systems environments have become inflexible, preventing new product launches" and where those systems are also "prohibitively expensive to maintain ‘as is’".

As financial institutions rush to keep pace with the latest innovations, IT risks can also rise, the Joint Committee said. It highlighted particular risks in a lack of testing of new products in the mobile banking space, in institutions' reliance on third party suppliers of IT services, including in the cloud, and in the IT security of products supplied by hardware and software providers.

Financial services businesses should "consider holding capital" against cyber and IT risks materialising, but should continue to ensure there is "sound IT governance and management, mature IT processes, IT quality assurance, and effective IT security management" in place, it added. The Joint Committee also backed better frameworks and protocols for sharing information within the sector on how to detect and respond to cyber incidents.

"In order to mitigate operational risks from IT infrastructures, financial institutions should reinforce internal controls related to IT systems, with particular attention to IT security and cyber resilience and focus on developing sound IT governance practices within their risk management framework," the Joint Committee said.

"As for supervisors, it is important that regular practices and risk assessments increasingly address the mitigation of cyber and IT risks, namely by testing the robustness of business continuity plans and reinforcing IT inspections, using adequate expertise. Also, cooperation among supervisors, institutions and policy-makers should be increased in order to enhance the assessment of the overall resilience of market participants," it added.