The digitization of the financial sector is increasing banks' exposure to cyberattacks. In 2021, 1 in 2 cyberattacks against euro zone banks succeeded, according to a document published by the European Central Bank.
Digitization and outsourcing increase cyber risk
While banks are obliged to report any cyberattacks they suffer to the supervisory authorities, they generally avoid talking about them publicly. In mid-December, the European Central Bank published a study on the cyber risk faced by these institutions, and more specifically on the cyberattacks reported to it for 2021.
That year, 1 in 2 cyberattacks could not be prevented. The proportion of successful attacks was lower before the health crisis, at 41% in 2019, and higher in 2020, when 57% of reported cyberattacks achieved their objective.
The digitization of the traditional financial sector, essential to enable banks to compete with fintechs and GAFAs, has increased its exposure to cyber risk.
For example, open banking, as required by the second Payment Services Directive (PSD2), leads banks to share customer data with a range of financial players through APIs, widening the attack surface. Banks are also relying on service providers to move their infrastructure into the cloud, which adds third-party and configuration risk. Finally, the Covid-19 pandemic led to massive use of teleworking; it is no longer as systematic as at the height of the health crisis, but it continues for at least 2 days a week in many companies, and remote access to internal systems further intensifies the cyber risk.
DDoS attacks do not spare banks
The most frequent type of cyberattack is the DDoS (Distributed Denial of Service) attack. Such attacks aim to harm the targeted company by making its website or online services unavailable, which can result in considerable financial losses. Attackers use networks of compromised machines (botnets) to overwhelm the target with more requests or traffic than it can handle, and sometimes demand a ransom to stop the attack and make the service accessible again.
Third-party attacks, i.e. those that reach a bank through its suppliers or service providers, are also a real threat. According to the same ECB study, this type of cyberattack is on the increase in the financial sector.
While the outsourcing of services and data increases the cyber risk to banks, there are also in-house security weaknesses. That is why the ECB is keeping a close eye on incidents involving legacy IT systems that are no longer updated because of their age and therefore carry unpatched vulnerabilities. After rising between 2019 and 2020, these incidents stabilized in 2021.
IT and cyber security is one of the ECB's supervisory priorities for 2022-2024, as there is a real risk of destabilizing the entire financial sector if cyber incidents targeting banks are poorly managed.
According to the ECB, on-site inspections carried out in euro zone banks over the past few years have revealed a number of shortcomings: not all incidents are detected, some IT systems do not offer sufficient protection, and banks are not always adequately prepared to respond to cyber incidents.
To reduce cyber risk, supervisors are raising their demands on banks, and enforcing them. Spanish bank Abanca recently paid the price: after suffering a cyberattack in 2019, it waited 2 days instead of the prescribed 2 hours to notify the ECB. Last week, the ECB imposed a financial penalty of 3.15 million euros for the late reporting.