September 22, 2014 - EU supervisory authorities are warning banks to reinforce IT controls and audits on third-party technology providers and to ringfence budgets related to operational risk.
The Joint Committee of the European Supervisory Authorities (ESAs) says that concerns over the persistence, intensity and sophistication of information technology-related operational risks and cyber risks at financial institutions have increased since its last semi-annual report on financial stability issues.
It suggests that IT risks in banks and other financial institutions do not yet appear to be sufficiently understood.
"Institutions should give increased priority to related risks and reinforce IT controls and audits covering all parties along the value-added chain of IT (IT-service providers, third-party providers and IT-outsourcing providers)," states the report.
The report also calls on supervisory authorities to factor the mitigation of IT-related risks into their regular risk assessments, so as to ensure that financial services providers devote sufficient resources and due care to the proper management of their digital environment and its risks.
In this respect, financial firms must protect the budgets devoted to handling operational risk during periods of reduced profitability.
"It is important in such an environment to ensure that IT systems and related internal controls are safeguarded against budgetary pressures and remain robust," states the report. "A strong, professional risk culture which can swiftly react to new threats and deliver appropriate levels of employee awareness about evolving risks is needed."
With a nod to the increased attention on cyber-risk, the ESAs say that banks and regulatory bodies should ensure adequate financial provisions to cover any litigation-related costs that might arise in the event of a successful systems breach.