A senior representative of the European Central Bank, Claudia Buch, said the digital resilience of most European banks is meeting ECB standards, although major challenges loom, such as increasingly complex software environments and a growing number of cyber attacks.
Frankfurt-based Buch, who is chair of the Supervisory Board of the European Central Bank (ECB), told members of the European Parliament that most banks across the Eurozone have “shown digital resilience” ahead of a new set of rules, DORA, coming into force early next year.
Nevertheless, she said preserving these levels is “vital”, so the ECB’s supervisory agenda will focus on digitalization, including cyber crime, in the year to come. This is partly to facilitate a smooth transition to DORA, Buch said.
Buch’s findings come only a month after the ECB concluded a major cyber resilience stress test, which gauged how banks would respond to and recover from “a severe but plausible cybersecurity incident.”
Overall, the stress test, which involved more than 100 banks across Europe, including most of the EU’s biggest finserv players, showed that banks have response and recovery frameworks in place, but areas for improvement remain.
“The results have helped increase banks’ awareness of the strengths and weaknesses of their cyber resilience frameworks,” the ECB said.
The exercise was launched in January 2024 and featured a fictitious stress test scenario under which all preventive measures failed and a cyberattack severely affected the databases of each bank’s core software and digital infrastructure systems.
“The stress test therefore focused on how banks would respond to and recover from a cyberattack, rather than on how they would prevent it,” the ECB explained.
Detecting and addressing deficiencies in supervised banks’ operational resilience frameworks, including those stemming from cyber risks, is one of the ECB’s priorities for 2024-2026.
The ECB said this reflects a surge in cyber incidents that supervised banks have reported to it in recent years, “an increase that partly stems from rising geopolitical tensions and challenges posed by the digitalisation of the banking sector.”
Testing strategies
The major software stress test involved 109 banks directly supervised by the ECB. All banks had to answer a questionnaire and submit documentation for the supervisors to analyse, while a sample of 28 banks was chosen to undergo more extensive testing and scrutinise their software testing strategies.
“The latter were asked to perform an actual IT recovery test and provide evidence that it had been successful; in addition, they were also visited on site by supervisors,” the ECB revealed.
The sample covered different business models and geographical locations to reflect the wider euro area banking system and ensure sufficient coordination with other supervisory activities.
To test their response to the scenario, banks had to show their ability to activate their crisis response plans, including internal crisis management procedures and business continuity plans.
They also had to communicate with all external stakeholders, such as customers, service providers and law enforcement agents, and they ran an analysis to identify which services would be affected and how.
Finally, they had to implement mitigation measures, including workarounds that would help the bank to operate during the time needed to fully recover IT systems.
To test their ability to recover from the scenario, banks had to show they could activate their recovery plans, including restoring backed-up data and aligning with critical third-party service providers on how to respond to the incident.
They also had to demonstrate and ensure that affected areas were recovered and up and running.
“Banks should also be able to meet their own recovery objectives, properly assess dependencies on critical third-party ICT service providers, and adequately estimate direct and indirect losses from a cyberattack,” the ECB wrote in the report.
Digital efforts
As the ECB increasingly makes QA and digital infrastructure a priority, the banking authority recently appointed a new digital chief, or director general for information systems, the person in charge of the central banking authority’s online infrastructure and digital transformation.
The ECB said Alain Busac will take up the role, thereby becoming responsible for delivering major IT modernisation projects and ensuring that the ECB’s cybersecurity policies are implemented.
Frenchman Busac will take up his new position at the ECB in the coming months, the bank confirmed. He will be based at the bank’s headquarters in Frankfurt, Germany.
The ECB’s Directorate General Information Systems develops, delivers and supports the information and communication systems of the ECB, the Eurosystem/European System of Central Banks (ESCB) and the Single Supervisory Mechanism (SSM).
It also provides the governance structure for information systems at the ECB, including IT architecture and security policies, and for the common systems and services of the Eurosystem, ESCB and SSM.
Paris-based Busac is currently still director of information systems for financial markets, monetary policy and payment infrastructures at the Banque de France, where he started as head of the section responsible for innovative business projects in 1991.
He subsequently held managerial roles in IT architecture, operations and procurement, and was chief technology officer from 2012 to 2018. Busac is currently responsible for the directorate’s IT system with a focus on digitalisation and the bank’s innovation initiative.
Regulation
The appointment of industry insider Busac comes as the ECB, and financial institutions across the EU generally, are increasingly looking to tech, and in particular AI, to enhance their capabilities.
At the same time, regulation and oversight are tightening.
In February, for the first time, the ECB confirmed it is using artificial intelligence in its daily operations to monitor the activities of banks across Europe.
In fact, the ECB is increasingly using AI capabilities to supervise banks’ activities, a senior representative of the central banking body acknowledged.
The ECB’s stress test is also seen as a major step in the run-up to the EU’s new Digital Operational Resilience Act (DORA) coming into force early next year, as the financial services industry across Europe braces itself for the new ICT-focused regulation.
The DORA rules aim to strengthen oversight, operational resilience and the relationship between banks and other financial institutions and the firms that manage, run, test and update their software infrastructure.
The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) have been tasked with jointly establishing, rolling out and enforcing the EU’s new ICT framework.
“The finance sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyberattacks or incidents,” EIOPA recently explained.
“When not managed properly, ICT risks can lead to disruptions of financial services. This, in turn, can have an impact on other companies, sectors, and even on the rest of the economy, which underlines the importance of the digital operational resilience of the finance sector. This is where the DORA regulation comes into play,” the body stressed.
‘Specific and demanding’
While the rules entered into force in January of 2023, financial firms have been given two years to comply, which means it will take effect and become mandatory for all finance players on January 17 of next year.
The insurance space is no exception to the scope and reach of the new rules, as this sector is firmly on DORA’s radar.
One of the companies that will be deeply affected by the new rules is MAPFRE, the Spanish multinational insurance giant, based in Madrid but with dozens of offices across Europe and beyond.
Jacinto Muñoz Muñoz, manager of operational resilience and crisis management at MAPFRE, recently called the requirements of the regulation “very specific and demanding, which, overall, will force the insurance industry to accelerate its pace of improvement in this area.”
Madrid-based Muñoz Muñoz stressed that “this will bring them to a level similar to that of banking, which has traditionally been more mature in this area, as they were the first targets of cybercriminals.”
He added that “in terms of opportunities, the DORA regulation should help the insurance industry to improve its cybersecurity and digital operational resilience maturity, giving it better protection against cyber risk.”
DORA spells out detailed criteria for the classification, management, and reporting of ICT risks.
It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector, Muñoz Muñoz noted.
“This strengthens information security and eliminates potential gaps and conflicts that may arise within financial institutions,” he said.
Third-party risk management
What is important to note is that the new regulation expands its scope beyond traditional financial institutions to include the management of technology services by third parties and organisations such as insurance companies and reinsurers, Muñoz Muñoz said.
The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.
With regards to this last element, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities, and repair them in a timely manner.
In addition, financial institutions must establish agreements to share information and intelligence about threats and vulnerabilities.
“To adapt to the DORA framework, we analysed and provided feedback on the various drafts that have been published,” Muñoz Muñoz disclosed.
“After the final approval, we conducted an initial compliance analysis of the regulation and defined an action plan to address the gaps identified.”
He stressed that “not only are we currently implementing this plan, but we’re also modifying it to add new requirements arising from the secondary regulations associated with DORA.”
Muñoz Muñoz did add, however, that from a strategic or operational standpoint, the DORA regulation won’t imply a substantial change in the way his company approaches cybersecurity.
“It will require additional formalization of certain tasks we already perform, such as registering and monitoring of ICT service providers,” he concluded.