The EBA said that cyber risk and data security were identified as the "main drivers for increasing operational risk" at EU banks in a new risk assessment report (76-page / 1.86MB PDF). The report compiles information from a variety of sources, including the regulator's own supervisory reporting data and the results of a questionnaire issued to banks and market analysts.
According to the regulator, 55% of banks "foresee an increase in operational risk in their bank". This is up from 43% of banks and 35% of banks who anticipated such an increase in 2016 and 2015, respectively.
"Most EU banks are still taking steps to address the weaknesses stemming from technology-driven evolution," the EBA said in its report.
"A high and growing reliance of banking operations on IT platforms, digitalised product channels for banking services, outsourcing to third-party providers of IT-related tasks and functions, and communication networks renders banks vulnerable to operational risks. Accordingly, 42 % of respondents identify cyber risk and data security as the main drivers for increasing operational risk, while 16 % of respondents mention IT failures as an additional driver," it said.
In its report, the EBA identified cyber risk as "one of the key risks threatening data integrity and business continuity in today’s interconnected financial system". It said banks are facing increasingly complex cyber attacks from "intruders trying to gain unauthorised access to critical systems and data", and that a range of risks to banks could arise should such attacks succeed, all of which could affect a bank's finances.
"Institutions face potential operational, legal and reputational risks related to cyber incidents including business interruptions, data and software loss, cyber extortion, fraud, breach of privacy, network failure liabilities and damages to physical assets, which can result in financial losses," the EBA said. "On top of the direct costs related to cyber incidents such as the cost of forensic investigation, there are also a number of indirect costs including negative effects on brand name and customer relationships."
The regulator also warned that cyber incidents pose a potential risk to "the entire financial system" and that it had noted "rising interest from banks in operational risk insurance products covering cyber risk" as a result of major cyber attacks, such as the so-called ‘WannaCry’ attack.
In its report, the EBA also highlighted the growing use of third-party services by financial institutions. It said outsourcing "may impact on the ability of institutions to manage their risks such as strategic, reputational, compliance and operational risk" and that "increased systemic risk" could arise where there is a "concentration of outsourcing providers and underlying technical infrastructures" relied on by banks.
"All these underlying risks should be mitigated adequately by banks and embedded in a sound and efficient risk management policy," the EBA said.
Earlier this year the regulator produced draft guidance designed to support the adoption of cloud-based solutions by banks; it has yet to publish its finalised guidance. The EBA said it also plans to update the existing Committee of European Banking Supervisors (CEBS) guidelines on outsourcing "as a broader piece of work". The CEBS outsourcing guidelines currently in place date back to December 2006.
The EBA further advised banks and national regulators to "encourage the update of out-dated IT systems and address concerns about connectivity and outsourcing to third-party providers".
It also called on the regulators to "explore with banks the risks the institutions will undertake" if they adopt financial technology (fintech) solutions. Those risks might include "IT interdependencies between market players and market infrastructure", the EBA said.