FRANKFURT, GERMANY — Eurozone banks incurred substantial losses in 2022 due to underperformance and service failures by IT outsourcing providers, according to a review by the European Central Bank (ECB).
The ECB uncovered €148 million (US$160 million) in losses last year from poor service quality and unavailability of outsourced services, representing a 360% year-on-year increase. The losses were attributed to a few high-impact events highlighting the risks of over-reliance on third-party vendors.
The investigation also found that banks' outsourcing contracts frequently failed to adequately address IT security requirements. This coincided with a 56% surge in cloud computing expenses in 2022, to 3.1% of total IT spending.
Additionally, the ECB identified severe cybersecurity gaps at many institutions, including the inability to recognize potential threats and ineffective systems to detect and respond to incidents.
The ECB has demanded immediate action from all supervised banks to align their IT and cyber risk management strategies with regulatory expectations to mitigate growing risks from reliance on external providers.
While the financial impacts were isolated, the review exposed systemic deficiencies in the governance of outsourcing relationships and cyber resilience.
The losses underscore the importance of continuous monitoring and due diligence of third-party vendors. Banks must take urgent steps to improve governance, continuity planning, and compliance to manage outsourcing risks.
Just recently, the Swiss Financial Market Supervisory Authority (FINMA) flagged outsourcing as a new principal risk for the financial sector.
As banks increasingly transition to cloud services, robust oversight and risk management will be critical to avoid disruptions and ensure security.