SSM: IT and Cyber risk

12 July 2021

Credit institutions operate in a dynamic digital environment, within the context of constantly rising customer expectations and evolving information technology (IT) landscapes, banking regulations and technical innovation.

In 2020 banks managed to navigate through additional challenges caused by the coronavirus (COVID-19) pandemic, i.e. a significant increase in remote working, an increase in cyber risk, and even greater overall reliance on the continued proper functioning of IT infrastructures, not only their own but also those of third-party IT service providers. Although the observations presented in this report are based on data from the end of 2019 (i.e. before the pandemic), the insights gained are nonetheless useful and can highlight developments in the management of IT risk. ECB Banking Supervision is therefore making this report available to the public, as in previous years. It continues to collect these data to inform the yearly assessment of IT and cyber risk as part of the Supervisory Review and Evaluation Process (SREP)[1].


1 High-level observations

ECB Banking Supervision addresses IT and cyber risks at credit institutions by assessing their risk controls from various angles: through ongoing supervision, the regular assessment of IT-related risks and targeted on-site inspections.

Direct supervision is performed by Joint Supervisory Teams (JSTs) and complies with the European Banking Authority’s (EBA) Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP)[2]. As part of the annual SREP[3], JSTs perform their assessment of IT and cyber risk following a common and standardised methodology which includes the Information Technology Risk Questionnaire (ITRQ)[4]. These assessments are complemented by thematic reviews, horizontal analyses on IT risk topics and a reporting framework[5] to inform the JSTs of any significant cyber incident at the supervised credit institutions.

Frequent and targeted on-site inspections also allow ECB Banking Supervision to assess the IT and cyber risk management capabilities at individual institutions, thus contributing to a broader picture for the JSTs.

As in 2017 and 2018, for the reference year 2019[6] ITRQ self-assessments were provided by over 100 supervised institutions. The answers were used to perform a horizontal analysis at the group level of the significant supervised institutions. Chart 1 shows the percentage of institutions per business model participating in the 2019 data collection...



© ECB - European Central Bank