The European Central Bank (ECB) fined Spanish bank Abanca 3.145 million euros (U.S. $3.3 million) after it “knowingly failed” to report a major cyber breach within the prescribed two-hour time limit.
In February 2019, Abanca was targeted by a cyberattack that infected its IT systems with malicious software. The bank was forced to suspend payments through its internet and mobile banking services, cash machines, and SWIFT (Society for Worldwide Interbank Financial Telecommunication) payment services.
None of the bank’s customers suffered financial loss because of the breach.
Under the ECB’s cyber-incident reporting framework implemented in 2017, financial institutions are required to report significant cyber incidents within two hours of discovery. Abanca waited 48 hours before informing the regulator, “[d]espite being aware of its reporting obligation and the significance of the cyber incident.”
“The bank’s omission hindered the ECB’s ability to properly assess Abanca’s prudential situation and to react in a timely manner to potential threats to other banks, what could have had potential consequences on the reputation and the stability of the banking sector as a whole,” said the ECB in a press release Friday.
The penalty relates solely to the bank’s alleged failure to notify the regulator in a timely manner rather than any fault in its IT controls, procedures, or protocols. The ECB added that Abanca dealt with the effects of the attack “promptly.”
In a statement, the bank said it is considering challenging the ECB’s decision before the Court of Justice of the European Union, the bloc’s top court.