European supervisors have warned financial services firms and their national regulators that rising cyber risk demands a “swift” EU-wide common framework for digital operational resilience.
In a joint risk assessment for the sector – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – said financial services companies are “increasingly exposed” to cyber risk, with the industry hit by cyberattacks more often than others.
At the same time, the report says the pandemic has “acted as a catalyst for digital transformation” and forced financial institutions to rapidly adapt technical infrastructure, which has further increased cyber risk.
The supervisors back a new European framework to set a high common level of resilience to cyber risks, in particular to tackle ICT outsourcing risk. The European Commission has already published legislative proposals on digital operational resilience (DORA), which are expected to upgrade ICT risk management requirements across various financial services legislation and harmonise incident reporting across the EU financial sector.
DORA is set to introduce an EU oversight framework for critical ICT third-party service providers to monitor the risks of European financial services firms’ dependency on such companies, including concentration and contagion issues.
“A successful attack on a major financial institution, or on a core system or service used by many, could spread to the entire financial system due to interconnectedness, with potential consequences in terms of business continuity, reputation and, under extreme scenarios, liquidity and financial stability,” the report warns.
It also identifies other key areas of risk facing the European financial sector. These include the impact of phasing out pandemic crisis measures, as well as the threat of event-driven risks, such as Greensill and Archegos, and cryptoassets.
EBA, EIOPA and ESMA said the financial services sector and its regulators should conduct a full assessment of the pandemic’s impact on banks’ lending books, as the economic environment moves to recovery phase.
“Policymakers, regulators, financial institutions and supervisors can start reflecting on lessons learnt from the Covid-19 crisis,” the report says.