European Central Bank Supervisory Board Speech on Banks' Operational Resilience

The European Central Bank has published a speech by Frank Elderson, ECB Executive Board member and Supervisory Board Vice-Chair, on banks' operational resilience. Operational resilience has become a key priority for regulators globally. Mr Elderson notes that EU's Digital Operational Resilience Act, which applies from January 17, 2025, will significantly enhance IT and cyber risk management. However, the ECB's cyber resilience stress test earlier this year illustrated that there is scope for improvement, and the ECB appeals to Eurozone banks to prioritize operational and cyber resilience.

Mr Elderson also referred to cloud outsourcing risk where, in order to gain better insight into risk controls at cloud service providers, ECB banking supervision has started conducting on-site inspections of CSPs. The ECB recently consulted on a draft guide on outsourcing cloud services to cloud service providers, with the aim of clarifying the ECB's expectations for the banks it supervises. Noting that concentration risk may arise where financial institutions outsource critical functions to a common critical service provider, the ECB encourages prudential supervisors to coordinate with other supervisory authorities, such as competition authorities, to understand the dynamic market forces at play. Coordination is crucial for ensuring that the drive towards digitalization, which may result in an increase in market concentration, does not undermine financial stability. Cloud outsourcing risk affects multiple jurisdictions; as such, the ECB has teamed up with other prudential authorities to conduct a joint review into cloud outsourcing practices. This will enable them to better understand how banks are adopting cloud technology and the risks it may pose.

Finally, Mr Elderson emphasized that banks must continue investing in building their operational resilience by, for instance, replacing legacy systems with state-of-the-art IT infrastructure, including in the areas of IT risk management and cyber hygiene, as well as ensuring that business continuity plans and third-party dependency management are implemented consistently. In addition, banks must ensure that employees at all levels of the organization have the appropriate skillset, whether they are experts or managers, including boards and management bodies.

Return to main website.