A host of banks across Europe still face major IT challenges and their software testing practices are not up to scratch, Europe’s main financial institution has warned.
In fact, IT security risk assessment frameworks at numerous European financial institutions are in need of an upgrade, according to the European Central Bank.
The warning comes as the implementation of the new Digital Operational Resilience Act (DORA) regulation is a mere two months away, on 17 January 2025.
The ECB, the central bank of the European Union countries which have adopted the euro, wrote in a damning article in its latest compliance newsletter that “some banks are still facing challenges in implementing basic security controls and many key areas remain insufficiently developed in certain banks.”
The central bank stressed “these areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities and identity and access management.”
Moreover, “IT security risk assessment frameworks require significant improvement,” the ECB stated.
“Many key areas remain insufficiently developed in certain banks.”
– ECB, November 2024
ECB Banking Supervision continuously evaluates banks’ management of IT risk, with supervisors’ findings from on-site inspections and banks’ IT risk reporting being its two main sources of information.
This week, the ECB wrote that banks still have work to do across a range of measures.
“They must ensure that their defences and their risk management framework are fit for purpose,” it said.
“IT risks and cyber threats are constantly evolving as bad actors innovate and try to find new ways of penetrating a bank’s defences,” the central bank summarised.
“It is therefore critical that banks invest in their resilience and that they can quickly respond and recover if necessary.”
Third-party service providers
The ECB singled out attacks on information and communication technology (ICT) third-party service providers.
“[They] have highlighted the risk of spillover effects: weaknesses in one provider can cascade and affect not just one but many interconnected banks,” it said.
This issue is now more relevant than ever as the ECB said the “already-substantial reliance” on third-party service providers is continuing to grow.
“Cloud expenses are increasing, although at a slower pace than last year. Banks need to understand the potential for concentration risk and keep a watchful eye out for sectoral developments.”

The ECB specifically referred to the upcoming Digital Operational Resilience Act (DORA), which will enter into force in January 2025, emphasising that the ultimate responsibility for managing such risks lies with banks’ boards.
This means that banks need to ensure they have appropriate management and oversight of outsourcing arrangements in place.
“This should encompass pre-outsourcing analysis, continuous monitoring of service levels and contract adherence, adequate exit strategies that are regularly tested and the involvement of relevant third-party service providers in crisis response plans,” the ECB highlighted.
The ECB disclosed that supervisory reviews carried out in 2023 “identified weaknesses in these areas, underscoring the need for enhanced governance and oversight.”
Regular testing
As banks’ software infrastructure evolves, the number of IT projects, and related spending, is on the rise. Many of these projects are part of broader digital transformation initiatives.
“Improving IT infrastructure is essential but IT changes, whether large or small, must be managed thoroughly,” the ECB warned.
“This is especially important because incidents related to IT changes remain the most prevalent root cause of unplanned downtime in critical IT systems,” it added.
Therefore, the bank could not stress enough that “regular testing is crucial to achieve a higher level of operational resilience.”
It urged banks to establish “mature frameworks” in which business and technology functions are fully aligned to optimise incident management, business continuity management and crisis communication.
The ECB went on to identify a range of risks in this area, such as outdated or incomplete business continuity plans, a lack of formal incident management procedures, insufficient recovery tests, poorly defined and tested recovery objectives and inadequate recovery priorities which are not based on proper risk assessment.
In addition, the absence of documented crisis communication strategies could lower the effectiveness of responses during major IT-related incidents, the bank remarked.
Weakest link
Assessing all the different threats, the ECB went on to call data quality management “the weakest risk control domain in the banking sector, having shown insufficient year-on-year improvement.”
It said that supervisory assessments identified “some deficiencies in respect of key controls for data quality management, the management of data architecture models and the implementation of ‘golden sources’.”
Moreover, in some banks there are gaps in fundamental IT risk management controls, as is the case for IT asset management and the key risk indicators reported to the management body, the ECB continued.
“Effective IT asset management is a prerequisite for effective IT risk management and IT change management. It is crucial to address gaps to enhance overall resilience,” the central bank wrote.
“Data quality management is the weakest risk control domain in the banking sector.”
– ECB, November 2024
In order to be fully prepared for DORA, the ECB urges banks to establish a strong IT governance structure.
“Banks need robust incident management and business continuity plans and must ensure strong IT governance,” it wrote in its summary.
“These are essential bulwarks for safeguarding the integrity and stability of the banking sector in 2024 and beyond.”
Finally, the ECB warned banks that supervision and oversight will not diminish next year.
In fact, “from 2025 onwards, ECB banking supervision will further increase its efforts to ensure compliance with DORA regulation,” it stressed.
Software resilience test
The ECB’s latest findings come after it concluded a major cyber resilience stress test last month, which gauged how banks would respond to and recover from “a severe but plausible cybersecurity incident”, the Frankfurt-based banking authority disclosed.
Overall, the stress test, which involved more than 100 banks across Europe, including most of the EU’s biggest finserv players, showed that banks have response and recovery frameworks in place, but areas for improvement remain.
“The results have helped increase banks’ awareness of the strengths and weaknesses of their cyber resilience frameworks,” the ECB said.
The exercise was launched in January 2024 and featured a fictitious stress test scenario under which all preventive measures failed and a cyberattack severely affected the databases of each bank’s core software and digital infrastructure systems.
“The stress test therefore focused on how banks would respond to and recover from a cyberattack, rather than on how they would prevent it,” the ECB explained.
Detecting and addressing deficiencies in supervised banks’ operational resilience frameworks, including those stemming from cyber risks, is one of the ECB’s priorities for 2024-2026.
The bank said this reflects a surge in cyber incidents in recent years that supervised banks have reported to the ECB, “an increase that partly stems from rising geopolitical tensions and challenges posed by the digitalisation of the banking sector.”
Testing strategies
The major software stress test involved 109 banks directly supervised by the ECB. All banks had to answer a questionnaire and submit documentation for the supervisors to analyse, while a sample of 28 banks was chosen to undergo more extensive testing and scrutinise their software testing strategies.
“The latter were asked to perform an actual IT recovery test and provide evidence that it had been successful; in addition, they were also visited on site by supervisors,” the ECB revealed.
The sample covered different business models and geographical locations to reflect the wider euro area banking system and ensure sufficient coordination with other supervisory activities.
To test their response to the scenario, banks had to show their ability to activate their crisis response plans, including internal crisis management procedures and business continuity plans.
They also had to communicate with all external stakeholders, such as customers, service providers and law enforcement agents, and run an analysis to identify which services would be affected and how.
Finally, they had to implement mitigation measures, including workarounds that would help the bank to operate during the time needed to fully recover IT systems.
To test their ability to recover from the scenario, banks had to show they could activate their recovery plans, including restoring backed-up data and aligning with critical third-party service providers on how to respond to the incident.
They also had to demonstrate and ensure that affected areas were recovered and up and running.
“Banks should also be able to meet their own recovery objectives, properly assess dependencies on critical third-party ICT service providers, and adequately estimate direct and indirect losses from a cyberattack,” the ECB wrote in the report.
DORA regulation
One of the main reasons the ECB, and financial institutions across the EU more generally, are tightening their focus on digital resilience is that regulation and oversight are tightening.
Earlier this year, for the first time, the ECB confirmed it is using artificial intelligence in its daily operations to monitor the activities of banks across Europe.
A senior representative of the central banking body acknowledged that the ECB is increasingly using AI capabilities to supervise banks’ activities.
The ECB’s stress test was also seen as a major step in the run-up to the EU’s new Digital Operational Resilience Act (DORA) coming into force early next year, as the financial services industry across Europe braces itself for the new ICT-focused regulation.

The DORA rules aim to strengthen oversight, operational resilience and the relationship between banks and other financial institutions and the firms that manage, run, test and update their software infrastructure.
The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) have been tasked to jointly establish, roll out and enforce the EU’s new ICT framework.
“The finance sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyberattacks or incidents,” EIOPA recently explained.
“When not managed properly, ICT risks can lead to disruptions of financial services. This in turn, can have an impact on other companies, sectors, and even on the rest of the economy, which underlines the importance of the digital operational resilience of the finance sector. This is where the DORA regulation comes into play,” the body stressed.
Two months away
While the rules entered into force in January 2023, financial firms were given two years to comply, which means DORA takes effect and becomes mandatory for all finance players on January 17 of next year, a mere two months from now.
DORA spells out detailed criteria for the classification, management, and reporting of ICT risks.
It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector.
What is important to note is that the new regulation expands its scope beyond traditional financial institutions to include the management of technology services by third parties and organisations such as insurance companies and reinsurers.
The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.
With regards to this last element, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities, and repair them in a timely manner.
In addition, financial institutions must establish agreements to share information and intelligence about threats and vulnerabilities.
Appointment
With DORA looming and the ECB increasingly making QA and digital infrastructure a priority, the bank earlier this year appointed a new digital chief, the director general for information systems, who is in charge of the central banking authority’s online infrastructure and digital transformation.
Alain Busac has been made responsible for delivering major IT modernisation projects and ensuring that the ECB’s cybersecurity policies are implemented.

Frenchman Busac will take up his new position at the ECB at the end of this year and will be based at the bank’s headquarters in Frankfurt, Germany.
The ECB’s Directorate General Information Systems develops, delivers and supports the information and communication systems of the ECB, the Eurosystem/European System of Central Banks (ESCB) and the Single Supervisory Mechanism (SSM).
It also provides the governance structure for information systems at the ECB, including IT architecture and security policies, and for the common systems and services of the Eurosystem, ESCB and SSM.
Paris-based Busac is currently finishing up his role as director of information systems for financial markets, monetary policy and payment infrastructures at the Banque de France, where he started as head of the section responsible for innovative business projects in 1991.
He subsequently held managerial roles in IT architecture, operations and procurement, and was chief technology officer from 2012 to 2018. Busac is currently responsible for the directorate’s IT system with a focus on digitalisation and the bank’s innovation initiative.