Fortifying digital banks and battling cyber threats

The period we are going through raises serious concerns about the security of critical digital infrastructures. Among these, the most significant are those of banks, and in this direction, the supervision exercised by the ECB is clearly focused. In recent years, the digitization of banking services has become an imperative need, forcing many banks to act quickly and decisively. This resulted in some chaos as traditional systems were joined by new third-party solutions that would allow upgrading to the new era. The initial assessment by the ECB highlighted the need for more investments in technology. But above all, it highlighted the need for a change in mindset. A mindset that sees technology as a means of saving operational costs and improving the crucial expenses-to-revenue ratio.

The resilience of banks is closely linked to their ability to cope with difficult situations regarding the cyber-security of their systems and, above all, the smooth continuity of their services. The disorderly digitization of services brings to the fore the complexity of the systems as they have evolved in the new environment. Supervisory scrutiny is intense and is being prepared to become even more intense as we progress. Already, requirements have diversified as there is a need for bank boards to be strengthened with individuals who have substantial and in-depth knowledge of new technologies and cyber-security.

According to regulators, banks have a lot of work ahead to reach the minimum supervisory requirements. The simplest thing that needs to be corrected immediately is the requirement that a non-executive member on every board comes from the technology field. This is something completely new, as the practice so far has been to staff boards with professionals from the accounting and financial professions.

However, requirements do not stop at staffing. A systematic approach to the issue foresees the creation of a detailed mapping of all technological systems and their interdependencies, including solutions offered by third-party providers. Furthermore, this mapping should be tested in practice and integrated within the framework of a digital strategy. As for security, the requirement is for a highly-layered architecture that effectively addresses threats coming from both the internal and external environment. Finally, data security emerges as a matter of utmost importance as the appropriate storage and effective recovery of data need to be ensured. This latter point forms the basis for the ECB's extreme scenario exercises.

Another factor - often overlooked - has to do with communication. A well-prepared communication strategy for handling cyber-attacks or false news is a critical success factor. In both cases, the risk of a disorderly withdrawal of deposits (bank run) is visible, and thus a well-prepared response is important. After all, any careful observer saw a year ago how social media managed to shut down banks within hours. The regional banking crisis in the United States in March and May 2023 left behind three victims. These are the Silicon Valley, Signature, and First Republic banks.

[This op-ed was translated from its Greek original and edited for brevity and clarity]