New regulation is set to improve European banks' resilience to cyber security failures at software, services, or systems supplied by external companies, known as third-party providers (TPP). The EU's Digital Operational Resilience Act (DORA) will impose a new risk management framework that demands increased monitoring and reporting of TPP cyber risk. That could necessitate changes to relationships (and contracts) to facilitate greater banking oversight of TPP, which are often core to banks operations and central to open banking initiatives.
What's Happening
Recent incidents have highlighted banks' vulnerability to TPP's cyber risk:
- In May 2024, Santander said that the breach of a TPP-hosted database resulted in a data theft, which was reported to have affected about 30 million customers, employees, and former employees.
- Also in May 2024, ABN Amro said that a ransomware attack on a TPP communication group had resulted in unauthorized access to client data.
- Attacks on TPP have also, though more rarely, affected business operations. An attack on a financial trading services group, called ION, left some banks and brokers temporarily unable to process transactions in 2023.
The TPP incidents are part of a broader increase in cyber attacks on banks that are resulting in breaches. The European Banking Associations' July risk assessment report noted that 27% of banks in its survey had suffered at least one attack resulting in a major information and communication technology (ICT) incident in first half of 2024, up from 11% in the first half of 2023. The report also noted that, for the first time, at least one bank was subject to more than twenty major ICT incidents stemming from cyber attacks.
Why It Matters
Regulators increasingly expect banks to take an active role in managing ICT third-party risk, even when banks' own systems are not directly involved. In Europe, DORA is likely to be the main regulatory vehicle for that shift, though the Basel Committee on Banking Supervision (BCBS) recently published a consultative document on bank third party risk management, suggesting it is also focusing on TPP risk.
Risks to banks stemming from a cyber breach at a TPP already include reputational damage, operational interruption, and regulatory sanctions. The changes to the rules are likely to increase regulatory risks for banks, including due to the increased potential for significant financial sanctions. Monitoring of TPP systems is currently difficult given the often arms-length relationships between banks and TPP, meaning contract revisions may be necessary to facilitate compliance with the new rules.
What Comes Next
DORA will be applied across the EU from early 2025, when the European Supervisory Authorities (ESAs) will also assume oversight responsibilities for TPPs designated as critical to the financial system. EU banks will be required to have frameworks for managing and monitoring TPP-related risk, including identification of critical or important functions carried out by TPP and plans for managing the associated risk.
Increased scrutiny of TPP cyber security and cyber resilience (particularly where TPP manage banks' sensitive information or critical functions) could lead to various actions, including:
- Demands for greater information on TPP cyber security, and potentially access to conduct penetration testing.
- Modification of TPP products to reduce vulnerabilities and comply with banks' standards.
- Banks shifting development of IT solutions inhouse.
- Equity investment by banks in TPP to secure knowledge.
- Banks reducing TPP providers to minimize the attack surface.
- Increased certification of TPPs by cyber security experts.
- Further development of cyber insurance for third-party data breach risk.
Related Research
- Cyber Risk Insights: Fortifying Digital Defense Key For Asia-Pacific Banks, July 3, 2024.
- Your Three Minutes In Digital Assets: Digital Bond Innovations Could Accelerate Adoption, June 6, 2024.
- Cyber Risk Insights: Attack On Vulnerable Software Highlights Outsourcing Risk For Banks, July 21, 2023.
This report does not constitute a rating action.
| Primary Credit Analyst: | Clement Collard, Paris +33 144207213; clement.collard@spglobal.com |
| Secondary Contacts: | Regina Argenio, Milan + 39 0272111208; regina.argenio@spglobal.com |
| Benjamin Heinrich, CFA, FRM, Frankfurt + 49 693 399 9167; benjamin.heinrich@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.