- ECB’s Anneli Tuominen warned banks of rising non-traditional risks
- Boards must strengthen governance amid digitalization and geopolitical threats
- Cyberattacks on banks have increased sharply across Europe
- ECB urges stronger board expertise in ICT and cybersecurity
- DORA assigns new ICT oversight responsibilities to directors
- ECB to run reverse stress test on geopolitical risk next year
- Banks urged to improve crisis communication and defend reputation
- Tuominen called for balance between adaptation and innovation
- Supervisors and banks must learn together in a new risk era
European banks have been told they must prepare for a risk environment that is more complex, interconnected, and technology-driven than ever before.
Speaking at the “Board of the Future” seminar in Florence, Anneli Tuominen, a member of the European Central Bank’s Supervisory Board, said the transformation of business models through digitalization, along with rising geopolitical and hybrid threats, has dramatically increased the demands on bank boards.
“While risk-taking and risk management remain at the heart of banking, the backdrop to this activity has altered significantly,” she said.
Cyber risks in particular have grown in scale, with the number of attacks reported by banks rising sharply.
Tuominen said boards need robust governance frameworks capable of managing both traditional threats such as credit and liquidity risk and the new generation of operational and IT vulnerabilities that accompany digital transformation.
She identified three essential qualities for what she called the “board of the future.”
First, directors must develop stronger technical knowledge and risk awareness. Boards need to include members with expertise in information and communication technology and cybersecurity, she said, to meet requirements under the EU’s Digital Operational Resilience Act, which came into force earlier this year.
The ECB has created new supervisory expectations for assessing board-level knowledge in these areas, including the use of “ethical hackers” to test cyber defenses.
Tuominen cited the 2023 failure of Silicon Valley Bank as a reminder of how poor governance and inadequate oversight can expose systemic weaknesses.
“Boards must reassess their strategy as the risk landscape evolves,” she said. A survey by the Institute of International Finance showed that cybersecurity remains the top concern for 75% of global banking risk officers.
Second, Tuominen emphasized the importance of communication and reputation management. ECB stress tests have shown that many banks still lack effective crisis communication plans, even though financial institutions account for nearly half of all reported cyber incidents in Europe.
She warned that disinformation and social media could amplify reputational crises or even accelerate bank runs.
“It takes many good deeds to build a good reputation and only one bad one to lose it,” she said.
Third, Tuominen urged banks to strike a careful balance between adaptation and innovation.
Boards must weigh the efficiencies gained from outsourcing and new technologies against the potential risks they introduce.
She said this dilemma will intensify as banks expand their use of artificial intelligence and cloud-based services.
“Investment in AI can transform risk management but also introduces new risks that must be understood and controlled,” she noted.
Tuominen said the ECB will continue supporting banks through supervisory initiatives such as a reverse stress test on geopolitical risk planned for next year and new guidance on outsourcing to cloud service providers.
“The risk oversight function of banks’ boards has become more complex,” she concluded.
“To thrive, boards must combine strong awareness, clear communication, and thoughtful innovation. And as supervisors, we are learning alongside the banks we oversee. If you want to go far, you go together.”