Spanish authorities can build on work already done at national and European level to further strengthen the cyber resilience of the country’s financial system.

The growing digitalisation of Spain’s financial sector and its increasing reliance on services provided by third parties have heightened the sector’s exposure to operational risks and cyber threats.

The Spanish authorities have placed significant focus on enhancing the cyber resilience of the financial sector. Banco de España (BdE) maintains robust risk-based supervisory oversight of the institutions it supervises, including a focus on cyber resilience. Spain was an early adopter of the Threat Intelligence Based Ethical Red teaming (TIBER) framework, which provides structured red-team testing for banks. More recently, there has been a substantial effort across all financial sectors to prepare the industry for the increased expectations under the European Union (EU) Digital Operational Resilience Act (DORA).

Nevertheless, the evolving cyber risk landscape warrants continuing enhancements from Spanish authorities to address rising challenges. This peer review recommends that Spanish authorities:

  • develop a comprehensive mapping of the cyber threat landscape that could provide the industry and authorities themselves with intelligence to inform decision-making;
  • leverage best practices to bring enhanced consistency and maturity to cyber resilience across agencies, for example through cross-sectoral working groups and information-sharing mechanisms under the oversight of the Spanish Macroprudential Authority;
  • develop a national analysis of existing registers of information to identify critical third-party providers in Spain, assess concentration risks and define a strategy to address domestically critical third parties;
  • establish a single national channel for incident reporting that automatically shares data with relevant authorities, as well as intergovernmental working groups, playbooks and drills to enhance crisis preparedness.