The ECB has sanctioned Abanka with 3.15 million euros for failing to report a cyberattack on the entity within two hours of detection, which is the established period. The incident took place in February 2019: “Despite being aware of its obligation to report and the importance of the cyber incident already on February 26, 2019, the bank submitted the required report on the incident 46 hours after the stipulated deadline,” Eurobank said in a statement this Friday. According to bank sources, the entity may challenge this sanction before the Court of Justice of the European Union (CJEU), a step that is already being analysed.
Abanka explains that the penalty refers specifically to the communication time. “It has nothing to do with the way the bank managed the incident, nor with its security systems, nor with the effects on customers (who did not suffer financial or information loss),” sources at the entity explained.
However, Eurobank in its note criticized the delay in the notification, which did not come until two days later. “The bank’s default hindered the ECB’s ability to properly assess the prudential position of Abanka and to react in a timely manner to potential threats to other banks, which could have had potential consequences for the reputation and stability of the banking sector,” explains the institute.
The bank emphasizes that the sanction is limited to the delay in communication and that the ECB acknowledges that “it had no intention to conceal the incident.” In fact, the statement from the organization, headed by Christine Lagarde, said that “the unit immediately addressed the effects of the cyberattack.” According to the note, it temporarily suspended internet and mobile banking services, ATM services and SWIFT payment services, among other measures.
This fine does not make any assessment of the robustness of the existing IT systems. To set the amount of the sanction, the ECB has classified the infringement as serious on its own scale, which includes the severity levels mild, moderately severe, severe, very severe and extremely severe. Classification is based on specific triggers and thresholds, including reputational damage, financial impact, or activation of crisis management processes, among others.