The European Central Bank (ECB) Banking Supervision recently published its Annual report on the 2020 Supervisory Review and Evaluation Process (SREP) of IT and cyber risk.
The yearly assessment is conducted across over one hundred supervised credit institutions and evaluates their self-assessment of five IT risk categories: IT security risk, IT availability and continuity risk, IT change risk, IT outsourcing risk and IT data integrity risk.
IT security risk
The results show that institutions increased their overall IT security risk level between 2018 and 2019 through the implementation of procedures and controls related to security reviews, IT security awareness, IT physical security and data classification.
Availability and continuity risk
The results indicate that risk level scores increased during the same period, as institutions took the necessary steps to carry out adequate security risk analysis, assessment and treatment; to implement appropriate plans, processes and procedures; to use robust and secure technical infrastructure and solutions; and to have efficient testing and disaster recovery solutions in place.
IT change risk
The report shows that the self-assessment scores for the overall risk level remained stable with respect to the change and release management process, the project management framework and governance, and the IT solutions lifecycle.
IT outsourcing risk
Although institutions are more aware of the related risks, they have implemented fewer controls for their IT outsourcing than in previous years, and some of them consider the controls currently in place inadequate (e.g. 32% of the institutions reported losses due to unavailability or poor quality of outsourced services, and 30% of the institutions reported that they do not have contingency and exit plans in place).
Data integrity risk
The report shows a steady increase compared with 2018 in efficient data quality management and appropriate data architecture models. However, the report indicates that 29% of the institutions have not implemented data quality management controls because they lack the human resources to implement these controls correctly. Regarding data architecture and data models, 27% of the institutions have not completed the implementation.
On a more positive note, 74% of the institutions indicated that they carry out data classification (i.e. assessing the risk level of data based on three criteria: Confidentiality, Integrity and Availability) and that they have appointed data owners.
In addition, the assessment also covers IT risk internal audit and governance.
In today's context of increased remote working and rising cyber risk, combined with reliance on third-party service providers, this report highlights the evolving developments in IT risk management and controls.