The European Central Bank says EU financial institutions have an over-optimistic view of their IT resilience and resistance to cyber threats owing to an undue reliance on outsourcing and legacy wiring.
An analysis of self-assessment reports provided by banks to supervisory authorities found that for some IT risk areas banks remain "too optimistic", particularly in the field of data quality management and IT risk management.
The probe found that data integrity risk continues to be of concern, with deficiencies identified in IT data quality management and data architecture models.
IT security is also considered a significant challenge for institutions, says the ECB, noting that the number of reported cyber incidents through its cyber incident reporting framework has increased from year to year.
In broad brush terms, IT outsourcing and legacy technology were seen to represent the main areas of concern.
"The continued reliance on end-of-life (EOL) systems for critical business processes requires a high degree of management attention," says the ECB. "Therefore, it is desirable that institutions continue working on simplifying their IT systems and ensuring sufficient agility."
The results also showed an increase in IT outsourcing, with a slightly higher concentration of risk at the level of individual institutions, with several reporting losses due to unavailability and/or poor quality of outsourced services.
"In order to solve such findings it would be desirable that the outsourcing management processes (including risk management) are improved, service level agreements are constantly monitored and that institutions pursue a stricter and more comprehensive inclusion of outsourced processes into their internal control framework. This also includes regularly updating business continuity plans, as well as having adequate exit strategies in place."
Institutions with board members drawn from IT disciplines were found to be more prudent in their assessments and prepared to spend more budget on innovation.
The ECB says it will in future focus its supervisory attention on the "collective suitability of the boards with respect to their IT expertise and whether banks comply with regulation on outsourcing."
On legacy tech issues, it adds: "ECB Banking Supervision plans to increase its focus on institutions that report having EOL systems supporting critical banking activities, with the aim of decreasing their dependency on EOL systems."