Original text here from Patrice Bernard (LinkedIn)
The European Central Bank (ECB) regularly expresses concern over IT risks in the institutions it oversees. Its fears have now grown to the extent that two out of the three main priorities in its medium-term strategy include specific provisions for this area, leading to new requirements.
For years, reports from the sector's regulatory body have increasingly highlighted deficiencies in the European Union banks' IT systems. These concerns stem from the surge in cybersecurity threats, the dangers of malfunctions due to outdated systems, and a lack of control over outsourcing. After a period of observation, it seems the time has come to take action.
In its annual exercise of setting goals for the next three years, the ECB has placed its major technological concerns at the heart of its plans. Alongside its continued focus on the impact of macroeconomic and geopolitical shocks, it emphasizes the need to address insufficient digital transformation and governance, with particular attention to the IT skills of board members.
This last issue appears urgent: just two months after presenting its plans, the ECB is outlining a policy aimed at ensuring that senior management collectively possesses a minimum level of knowledge and expertise to grasp the materiality and evolution of the various risks associated with their organization's information systems.
At this stage, the approach seems relatively flexible, guided by the ECB's usual principles of non-interference with local legislation, proportionality (relative to the size of the institution), and case-by-case treatment (with no automatic application). Yet the ECB aims to establish some formal rules, with implementation at the executive level expected to start this month.
The first of these rules may seem trivial, as it requires risk management, compliance, and audit officials to understand the scope of technology and security. However, its explicit reminder suggests that even at this level, gaps have been identified, which is concerning.
Next, there are two requirements for the top of the hierarchy. First, at least one non-executive board member must demonstrate significant experience (five years recommended) in an operational role related to IT and security. Additionally, all their colleagues must undergo regular (annual) training in the field. This requirement is also part of the DORA regulation on resilience.
For a long time, the financial sector, which has transformed into a true technological industry over half a century of "digitalization," has ignored its new reality and continued to view its IT as a support tool rather than the strategic component it has become. Thus, it takes an alarm from the regulator for IT to finally take its place in the governance bodies.