FRANKFURT (Reuters) – Euro zone banks are losing millions of euros due to tech contractors letting them down, the European Central Bank said on Wednesday, as it warned of shortcomings in how lenders approach cyber-risks more broadly.
The ECB ran a survey among the banks it supervises this year and carried out 22 inspections since 2020 to test how prepared banks are to deal with risks including hacks, ageing systems and contractors falling short of what they promised.
This last area in particular cost banks 148 million euros ($160.59 million) in 2022, a 360% increase from the year before, as a result of the “unavailability or poor quality of outsourced services”.
“These losses were related to a small number of high-volume events and further highlight the need to properly manage risks arising from reliance on service providers,” the ECB said in a newsletter.
While the ECB cautioned these losses were “concentrated within a few significant institutions and therefore not indicating a sectoral trend”, it also found that banks’ “outsourcing arrangements often failed to sufficiently address IT security requirements”.
Banks are making ever greater use of outsourcing as they switch to cloud-based services from storing information on their own servers.
Their cloud expenses surged by 56% in 2022 to account for 3.1% of all money spent by banks on IT, the ECB said.
More broadly, the ECB found fundamental shortcomings that were “more severe and widespread than expected” in how banks tackle cybersecurity.
It said many lenders even failed to identify all potential risks or did not have adequate systems in place to detect and respond to incidents.
“The ECB expects all banks under its direct supervision to take immediate and concrete steps to make sure that their IT and cybersecurity risk management is aligned with supervisory expectations,” the ECB said.
It added banks that were targeted by inspections have already received specific recommendations.
($1 = 0.9216 euros)
(Reporting by Francesco Canepa, Editing by Angus MacSwan)
