Global banks grapple with ICT risk, practices diverge
The Basel Committee on Banking Supervision (BCBS) published a report on the range of information and communication technology (ICT) risk management practices across global banks. The analysis covers non-malicious ICT incidents and supervisory approaches in 16 jurisdictions.
Common pitfalls in digital operations
The Basel Committee's analysis, part of its 2025–26 work programme, highlights the increasing importance of robust ICT risk management for operational resilience in a digitalised landscape.
The report, based on a survey of 16 jurisdictions, describes observed practices in global and domestic systemically important banks, as well as digital-only banks.
Some jurisdictions experienced an increase in non-malicious ICT incidents between 2022 and 2024, while others saw a decline, with reporting requirements varying significantly.
The most frequently reported root causes of these incidents include gaps in change control, systems design, development and testing; system capacity and performance issues; and operational failures at external dependencies.
To counter these, banks most commonly employ ICT change management, third-party risk management, ICT continuity testing, ICT incident and problem management, and ICT project management and system development.
Supervisors and industry face shared hurdles
All surveyed jurisdictions have established ICT risk management regulations or guidance, with banking authorities retaining primary oversight through risk-based, tailored supervision.
This includes on-site examinations, thematic reviews, and off-site assessments.
However, banks face significant implementation challenges.
Key issues include maintaining traceability from business services to ICT assets and ensuring complete system dependency mapping, particularly for third-party services.
Talent shortages in cybersecurity, cloud, AI/ML, and legacy systems persist, intensified by competition.
Banks also struggle with limited visibility into risk management controls at their technology service providers and managing complex nth-party dependencies across the ICT supply chain.
Digital resilience: A moving target
This report underscores the persistent and evolving nature of ICT risks, revealing that digital resilience is a continuous, uphill battle for banks.
While regulatory frameworks are in place, practical implementation faces significant hurdles, particularly concerning talent and third-party oversight.
The findings suggest the banking sector remains vulnerable to operational disruptions, necessitating more integrated and forward-looking risk management strategies.