Regulators at the European Central Bank are concerned that old systems are putting banks at higher risk of a cyber attack.
Legacy IT systems create at least three tricky issues for firms:
- Complexity: their patchwork architecture and their interactions with other systems are not always well understood
- Talent: the expertise needed to modify systems based on out-of-use technologies is dwindling fast
- Cost: old systems are sometimes very expensive to maintain, as they can require frequent patches
This creates a higher chance that a malicious attack will go unnoticed, or that a planned technology change will affect other IT assets by accident (sometimes with serious consequences, such as creating new vulnerabilities for cyber adversaries).
In the UK, financial regulators have said that a failure to address obsolescent technology contributes to weak operational resilience, meaning firms are less able to recover from significant disruptions to their most important activities. At the same time, the Financial Conduct Authority points out that change management (something that is often made much harder by obsolete IT assets) was the leading root cause of the cyber and IT disruptions they saw in 2017 and 2018.
This is piling on the pressure. Regulators want banks to initiate large IT change programs, particularly to update near end-of-life systems, but don’t always have faith in their ability to conduct them effectively. Part of the answer may lie in firms having a better understanding of what systems and processes underpin their critical business services. This knowledge should empower senior management to make better investment decisions and to understand how to react if change does not go as planned.
This will not be easily or quickly done. The pool of IT assets that large incumbents hold is legendarily complex. The process of understanding, rationalising and updating them will take years of careful effort and investment.
Regulators, however, are now getting much more serious about ensuring that banks double down on this work sooner rather than later.
Critical processes in a high number of banks depend on systems that are nearing their end-of-life. This is especially concerning in the light of the current cyber threat landscape.