IT outsourcing costing Eurozone banks 'millions'

ECB says issues ‘more severe and widespread’ than expected

IT outsourcing costing Eurozone banks 'millions'

Eurozone banks are losing millions of euros due to poor tech contractor outsourcing, the European Central Bank (ECB) said on Wednesday.

The ECB ran a survey among the banks it oversees this year, and has conducted 22 inspections since 2020 to evaluate how prepared they are to deal with technical risks, including underperforming contractors.

Contractors failing to do their job cost these banks €148 million in 2022, a 360% increase from the year before. The ECB said this was due to the "unavailability or poor quality of outsourced services".

"These losses were related to a small number of high-volume events and further highlight the need to properly manage risks arising from reliance on service providers," the ECB said in a newsletter.

The ECB has flagged the losses within a few "significant" institutions as concerns. It added that this does not indicate a sectoral trend, but did find that "outsourcing arrangements often failed to sufficiently address IT security requirements."

Outsourcing has increased rapidly recently, as banks switch from storing information on-site to cloud-based services.

Their cloud expenses surged by 56% in 2022 to account for 3.1% of all money banks spent on IT, the ECB said.

The ECB has found major shortcomings that were "more severe and widespread than expected" in how banks are handling cybersecurity.

Multiple lenders failed to identify all the potential risks or did not have adequate equipment in place to identify and respond to incidents.

"We expect all banks under [our] direct supervision to take immediate and concrete steps to make sure that their IT and cybersecurity risk management is aligned with supervisory expectations," said the ECB.

Some banks have already received specific recommendations, the ECB added.

Outsourcing is a notoriously difficult area to get right, as you're putting a huge amount of trust - and critical systems - in somebody else's hands. Sometimes these deals go off without a hitch, and there are thousands of excellent, trusted MSPs around the world who are quietly competent.

Sometimes, though, it goes very wrong, as Aecom found out in its $2.3 billion deal with IBM in 2017: a story covered exclusively by Computing, speaking to insider sources.

But the contracting companies don't always make it easy, either, with the issue of IR35 - squarely under companies' control - topping the list of contractors' concerns this year.