(Repeats Sunday's story with no change to text)
* Data security huge concern in landmark ECB bank tests
* Hackers could make billions from obtaining test results
* ECB may soon upgrade project from 'confidential' to
* Centralised data stored in Frankfurt, all work done on ECB
* Every consultant must get individual ECB security
* Financial penalties for consultants who breach
By Laura Noonan and Eva Taylor
LONDON/FRANKFURT, June 1 It would be an insider
trader's dream to know ahead of time which of Europe's banks
will fail or need more capital, and all that data will be stored
somewhere in cyberspace as the European Central Bank assesses
the euro zone's top banks.
The chances of a leak are multiplied by the thousands of
consultants who will work on data for the ECB's Comprehensive
Assessment of the currency bloc's most important 128 banks,
which include household names like Deutsche Bank and
Santander along with national champions Bank of Cyprus
and Bank of Valletta.
"It (data security) is of enormous concern," said Dan
Keeble, a London-based partner at Deloitte, which is working on
part of the ECB's assessment, an Asset Quality Review (AQR) for
the euro zone's 13 largest banks and some smaller ones.
"Aside from the fact that much of the information required
to conduct the AQR is commercially sensitive to individual
banks, details of the conclusions regarding the AQR have the
potential to be market influencing, and could damage financial
That is why the consultants working on the centralised data
- U.S. firm Oliver Wyman - cannot cut and paste, take
screenshots or print out the data they are working on. And they
will only have access to their part of the project, and only for
as long as it takes to complete their task.
Thousands of other consultants working on individual banks
face similar restrictions. Anyone caught leaking the information
risks a hefty jail sentence, and the ECB said all access to the
data is monitored, so users can be traced.
The ECB, long used to holding sensitive data about its
market operations and keeping secret its plans for interest rate
changes, told Reuters data security was the "highest priority"
in the review it is undertaking before it becomes the euro
zone's financial supervisor in November.
All data communicated to, from and within the ECB is stored
on 'Darwin', the ECB's document and records management system.
Anyone who wants access must file a request through a designated
security manager at a national financial supervisor, and the
central project management office must approve.
"All Comprehensive Assessment data is classified as
ECB-Confidential, and access is limited to those who require it
for project purposes," the ECB told Reuters in a statement,
adding that the project "may be uprated soon to ECB-Secret".
Data about individual banks is stored on isolated servers
within Darwin, and elevating it to Secret means access to the
database, which is encrypted, is controlled by more senior
As well as staff at the ECB's newly created supervisory arm,
much of the heavy lifting in the review is being done by private
consultancy Oliver Wyman, which is acting as project manager.
"Oliver Wyman maintains strict processes to manage the
confidentiality of proprietary client information as standard
policy," the ECB said. "Each person working on the Comprehensive
Assessment has signed additional confidentiality documents."
Oliver Wyman, whose staff work out of the ECB's Frankfurt
premises and use ECB computers and must get security clearance
from the ECB, declined to comment.
BEYOND THE FRANKFURT BUBBLE
The data worked on by the ECB and Oliver Wyman in Frankfurt
is the final link in a project that spans the euro zone and
beyond into countries where the banks have operations.
Almost all of the national supervisors producing information
for the ECB have hired auditors to help them with the job, while
many of the banks have also hired third parties.
They face a similarly strict list of requirements. Documents
are typically reviewed on bank PCs, and any transfer of
information to auditors' computers is severely restricted,
people familiar with the process told Reuters.
Auditors that do store information in their own environments
must prove that access controls are good enough to protect the
information, the people added.
A source familiar with the process said data on individual
banks is sent to national supervisors using encrypted emails
through a specially secured channel. Both sides need keys to
code and decode the data. Auditors send their work in the same
Deloitte's Keeble said there were also financial penalties
built into the audit contracts to deal with data security
But even the most advanced technology protocols are only as
strong as the weakest link in the chain.
"There's a massive concern about somebody leaving a laptop
in a pub," as one source familiar with the tests put it.
(Editing by Will Waterman)