The ECB sanctions Abanca for not reporting a cyberattack in less than two hours

The ECB has sanctioned Abanca for failing to report a cyberattack within the deadlines stipulated by the institution, which are two hours after the incident occurred.

Thomas Osborne
Thomas Osborne
16 December 2022 Friday 11:37
13 Reads
The ECB sanctions Abanca for not reporting a cyberattack in less than two hours

The ECB has sanctioned Abanca for failing to report a cyberattack within the deadlines stipulated by the institution, which are two hours after the incident occurred. This requirement is established for attacks considered relevant.

The sanction is administrative in nature and amounts to 3.14 million euros, in accordance with the regulations that were put in place in 2017 to respond to this type of situation. It is not usual for the ECB to resort to these decisions, at least with regard to Spanish banks.

According to the ECB, Abanca was the target of a cyberattack in 2019 in which its information technology systems were infected by malicious software. The Spanish bank's response was to temporarily suspend internet and mobile banking services, in addition to ATMs and the Swift payment system.

"Despite being aware of the reporting obligation and the importance of the cyber incident on February 26, the bank filed the required report 46 hours after the prescribed period," the ECB states. This is an omission that deprived the ECB of its ability to deal with the situation and warn other entities about potential threats.

What happened, he says, could have consequences for the reputation and stability of the banking sector as a whole. The sanction only focuses on the delay in informing the European authorities, but it is part of the "severe" infringements, which is the central point of a scale of five categories from least to most serious.

Abanca can appeal the decision before the Court of Justice of the European Union.