Banks must do better on their management of critical ICT risks, according to a comprehensive survey by the European Central Bank. The results are likely to be replicated in other organisations as many sectors spend considerably less money on mitigating ICT risks.

The annual survey identifiied five main shortcomings among those taking part in the annual exercise. First, it said, IT governance was characterised by overly optimistic self-assessment by the institutions suggesting that critical weaknesses are often under-explored. Second, IT risk management scored among the weakest areas of activity, along with data quality management.

“For these risk areas, the reported control scores were the weakest,” the report said. “This is despite the experience of the global financial crisis, which showed that many institutions lacked the ability to correctly aggregate risk exposures and to identify concentration risks quickly and accurately.”

Failings in outsourcing

Third party risk was also an area of concern. Several institutions had suffered losses because of either the unavailability of services they had outsourced, or because the outsourced service provider was of poor quality. This is a particular concern because overall IT outsourcing expenditure has increased by 10% compared with previous year.

“A large number of institutions continue to show a significant dependency on a single external service provider to which they pay at least half of their reported total IT expenses,” said the report. “Cloud outsourcing is becoming noteworthy, with 3% of the overall IT outsourcing expenditure reportedly spent on cloud outsourcing.”

“In order to solve such findings it would be desirable that the outsourcing management processes (including risk management) are improved, service level agreements are constantly monitored and that institutions pursue a stricter and more comprehensive inclusion of outsourced processes into their internal control framework,” the report concluded on this issue. “This also includes regularly updating business continuity plans, as well as having adequate exit strategies in place.”

End of life

So-called end-of-life systems which are being phased out of use were another area the ECB highlighted. “IT security, where the use and management of “end-of-Life” systems (EOL) for critical processes is still particularly challenging for many institutions,” it said.

The bank found that compared to the results of the previous survey, banks were increasingly depending on end-of-life systems to deliver services, including in critical areas. This left them more vulnerable to cyber attacks because those systems tend to be less secure. 

The bank said it planned to increase its attention in this area in future.

Read the full report here.