On August 20, Bloomberg reported on an interview with Korbinian Ibel, a director general in the supervisory arm of the European Central Bank (ECB). In the interview, Ibel warned, according to Bloomberg, “that banks embracing external data storage and other digital technology need to face an uncomfortable truth: there is a good chance they will get hacked.”
Ibel was quoted as saying that “[t]here will be accidents, especially in the cloud. It is not that clouds are more vulnerable, they are actually often better protected than in-house systems, but they are seen as juicy targets.” Ibel also commented that “[w]e see the benefits” of cloud computing, but cautioned that “[t]he rule is that the banker is always responsible for their data and services.” At present, Ibel observed, European banks are tending “to avoid putting ‘highly confidential data’ on public clouds.”
Ibel supported banks’ efforts to respond to changes in the digital world “by hiring tech experts, sometimes even naming them to their top management bodies.” In his view, however, those steps do not go far enough. As he put it, “It is not enough to have one person as the IT expert. You need a common understanding at board level of the needs and risks of IT.”
Note: Ibel’s temperate and restrained advice is consistent with the moderate approach that the ECB has taken so far in emphasizing the importance of cybersecurity for the European financial sector. To date, the ECB has essentially limited itself to providing general guidance and discreet admonitions to the financial sector about the importance of cybersecurity. Last year, for example, the ECB published the final version of its cyber resilience oversight expectations for financial market infrastructures.
There are indications, however, that the ECB will be sending stronger signals to financial institutions that they will be expected to demonstrate the strength and effectiveness of their cybersecurity programs. At the start of this year, Sabine Lautenschläger, Member of the ECB’s Executive Board and Vice-Chair of the ECB’s Supervisory Board, announced that ECB Banking supervision would “launch a number of on-site inspections on cyber risk in 2019,” and would “continue to monitor the situation” under its Single Supervisory Mechanism (SSM) cyber incident reporting process. More recently, Lautenschläger was critical of financial institutions’ financial market infrastructures for “too often lack[ing] board-approved cyber resilience strategies,” having strategies that are “often not operationalized,” and operationalization that “is often not monitored.” She also took note of “a dangerous lack of [cyber] awareness and training.”
The ECB is understandably concerned that it and other European banking supervisors, such as the European Union and the European Banking Authority, must “guard against the risk of duplication of effort.” But it also needs to remain firm in stressing the importance of cybersecurity. Having seen firsthand the disruption that the Danske Bank scandal caused over the past year, European banks need to avoid having even one of their number suffer a data breach of the magnitude of Capital One’s.