How effectively do banks and payment institutions manage cyber risk?

These three areas are basic cyber hygiene measures, cyberattack testing and preparation, and the increased cyber threat in outsourcing. Financial institutions and their service providers are increasingly the target of cyberattacks. 

Banks and payment institutions are expected to adequately manage cyber risks to minimise the potential impact on customer-facing services. For this reason, De Nederlandsche Bank (DNB) and the European Central Bank (ECB) continuously supervise cyber security at these institutions.

In our Supervisory Strategy 2021 - 2024, we have highlighted the cyber resilience of institutions as one of our priorities. Financial institutions are expected to have their security arrangements in place and to regularly test their own cyber resilience. In this news release you can read about the current status of cyber risk management in the financial sector, based on self-assessments and other supervisory examinations. In our supervision of banks and payment institutions we use, among other resources, the EBA Guideline on ICT and security risk management, which also forms the basis for the expectations in this news release.

Cybersecurity is a concern both for banks and payment institutions and for supervisors. A wide range of risks emerge from all our supervisory activities. The three main areas that currently need extra attention are highlighted below.

Basic cyber hygiene measures are often not in place

Although cyberattacks are in many cases averted, a large number of successful cyberattacks make use of systems and processes whose basic security measures are not fully in place. Examples include the use of default passwords or insecure configurations that allow systems to be accessed directly via the internet.

Based on our supervisory activities, we unfortunately see that basic cyber security measures at banks and payment institutions is notmaturing, but has remained static or even deteriorated in certain cases. We therefore call for additional emphasis on three key basic processes with corresponding measures for banks and payment institutions.

The first process in which we see that measures are often lacking is Vulnerability & Patch Management. For banks and payment institutions, timely updating and patching of systems is crucial to minimise the potential impact on IT services. By performing updates and patches in a timely manner, known security vulnerabilities can be resolved and the likelihood of exploiting them will be reduced. Many banks and payment institutions manage to implement critical updates and patches at a fast pace. However, we also see that a large number of banks and payment institutions take longer than two weeks to implement these after they are released.

The second process in which we frequently see deficiencies is Identity & Access Management (IAM). Maturity in this area is often still insufficient, and we often see that IAM controls have not yet been effectively implemented. IAM is an important process that focuses on both prevention and mitigation, for example in the case of unauthorised access to the network. In such a case, an attacker will not have instant access to all critical IT systems if IAM controls are functioning properly.

Finally, too often we see critical processes running on systems approaching – or at – their End-Of-Life (EOL). When vulnerabilities become known for systems for which support is no longer available, an institution cannot make use of the vendor's expertise. It will then take much longer to find a solution, putting an institution at increased risk. The risk becomes even greater when the EOL systems in question are connected to the internet.

Increased testing and improved preparedness for cyberattacks are necessary

To be effectively prepared for cyberattacks, banks and payment institutions should test the security of their most critical systems at least annually. In our examinations, we see that almost all banks and payment institutions perform security tests, such as red teaming, penetration tests or security scans. However, we see that these tests are often relatively limited in their frequency and do not cover all systems. We therefore see potential for improvement in this area.

With the increase in the number of cyberattacks, it is no longer a question of ‘whether’ financial institutions will be successfully attacked, but rather ‘when’ this will occur. This is why it is essential for institutions to simulate cyberattacks themselves, in order to test security measures and to assess how they respond the moment a successful cyberattack occurs. Testing is important for accumulating experience and for preventing human errors during a real attack. In addition, conducting a test helps to understand the activities needed to mitigate or deploy work-arounds during or after an attack. Examples include testing a crisis and communications plan and testing backups and fallback facilities.

Cyber threats are constantly changing, so it is important to periodically run the different types of security tests and attack scenarios. The results can be used to evaluate and improve the current strength of security measures.

Cyber threats through the outsourcing chain have increased

As a financial institution, it is important to effectively monitor risk management throughout the outsourcing chain because a cyberattack usually targets the weakest spot in that chain. As banks and payment institutions have increasingly outsourced critical processes, they have become heavily dependent on external service providers. As a result, the threat of cyberattacks is increasingly shifting to these service providers.

We have observed that the net exposure to cyber risk through the outsourcing chain has increased for banks and payment institutions. Indeed, not only is cyber threat exposure increasing, but the number of outsourcing agreements and spending on outsourcing are up as well, according to data from the institutions. However, we do not see an increase in the maturity of risk management when it comes to outsourcing. In summary, the level of risk is increasing but risk management is not maturing correspondingly.

This trend was also already visible in the DNB Information Security monitor from 2021. It showed that not all financial institutions have the right risk management processes in place for their service providers, and that in many cases there is a lack of complete insight into the control measures at these service providers in the outsourcing chain.

Pursuant to laws and regulations, banks and payment institutions must take appropriate measures to adequately manage cyber risks in the chain. After all, risks themselves cannot be outsourced, and controlling them always remains the responsibility of the institution. It is important for an institution to understand the interdependencies and to have explicit and formal agreements on information security in the chain which are periodically reviewed.

Cyber as a supervisory priority

We can conclude from the above themes that cyber risk management at banks and payment institutions remains as important as ever to be able to defend against current and future cyber threats. Previously, we indicated through our Supervision in Focus publication that cyber risks remain high on our supervisory agenda. In the coming period, we will therefore prioritise cyber resilience in our inspections of financial institutions.