The ECB sanctions Abanca with 3.15 million for not notifying a cyberattack within two hours

The ECB has sanctioned Abanca with 3.15 million euros for not notifying a cyber attack suffered by the entity within two hours of detection, which is the established period. The incident occurred in February 2019: “Despite being aware of its obligation to report and the importance of the cyber incident already on February 26, 2019, the bank submitted the required report on the incident 46 hours after the date prescribed limit”, the Eurobank assured this Friday in a statement. The entity can challenge this sanction before the Court of Justice of the European Union (CJEU), which is already being analyzed, according to bank sources.

Abanca points out that the fine refers exclusively to communication times. “It has nothing to do with the way the bank managed the incident, nor with its security systems, nor with the effects on customers (who did not suffer financial or information losses),” explain sources from the entity.

However, the Eurobank criticizes in its note the delay in the notification, which did not arrive until two days later. “The bank’s omission hampered the ECB’s ability to properly assess Abanca’s prudential situation and react in time to potential threats to other banks, which could have had potential consequences for the reputation and stability of the banking sector as a whole,” points out the institution.

The bank emphasizes that the sanction is limited to the delay in the communication and that the ECB acknowledges that “it had no intention of hiding the incident.” In fact, the statement from the organization headed by Christine Lagarde adds that “the entity promptly addressed the effects of the cyberattack at the time it occurred.” According to the note, it temporarily suspended internet and mobile banking services, ATM services and SWIFT payment services, among other measures.

This fine does not imply any assessment of the robustness of existing IT systems. To determine the amount of the sanction, the ECB has set it as serious within its scale, which includes the levels of mild, moderately serious, serious, very serious and extremely serious severity. Classification is done based on specific triggers and thresholds, including reputational damage, financial impact, or activation of crisis management procedures, among others.