ECB concludes cyber resilience stress test. 109 banks tested, of which 28 underwent more extensive testing. „The rise of artificial intelligence (AI) has amplified the risk of more sophisticated AI-driven cyberattacks.”

The stress test focused on how banks would respond to and recover from a cyberattack, rather than on how they would prevent it. According to the International Monetary Fund^[1], the number of cyberattacks on banks has almost doubled since before the COVID-19 pandemic. 

Increasing number of significant cyber incidents reported to the ECB over the past few years

These range from attacks forcing online services offline (distributed denial of service attacks) to entering a bank’s systems without permission (unauthorised access), holding data hostage in exchange for a ransom (ransomware), and targeting banks’ third-party providers.

According to ECB, the current landscape poses a variety of cyber threats, from cybercrime to sophisticated state-sponsored attacks. This includes hybrid warfare, which combines conventional military force with other means of warfare, such as cyberattacks, disinformation campaigns, economic pressure and political subversion. Authoritarian states, for example, have been implicated in cyber espionage and cyber warfare operations, indicating that cybersecurity is not only a matter of protecting against individual hackers, but also a matter of national and international security. The rise of artificial intelligence (AI) has also amplified the risk of more sophisticated AI-driven cyberattacks.

„While cyber incidents have not yet had systemic consequences for the overall financial system, a severe successful cyberattack could pose a significant threat. A cyberattack can interrupt essential services at a bank, seriously disrupting its business and damaging the trust of its customers and investors. Given the interconnected nature of today’s banking networks, an incident in one institution can have cascading effects across multiple sectors, as we saw with the recent global CrowdStrike outage.” – said Anneli Tuominen – Member of the Supervisory Board of the ECB.

Cyber resilience stress test

The European Central Bank (ECB) concluded its cyber resilience stress test, which gauged how banks would respond to and recover from a severe but plausible cybersecurity incident. Overall, „the stress test showed that banks have response and recovery frameworks in place, but areas for improvement remain.” – according to the press release.

The results will feed into the 2024 Supervisory Review and Evaluation Process (SREP) and have helped increase banks’ awareness of the strengths and weaknesses of their cyber resilience frameworks.

The exercise was launched in January 2024 and featured a fictitious stress test scenario under which all preventive measures failed and a cyberattack severely affected the databases of each bank’s core systems. The stress test therefore focused on how banks would respond to and recover from a cyberattack, rather than on how they would prevent it.

Detecting and addressing deficiencies in supervised banks’ operational resilience frameworks, including those stemming from cyber risks, is one of the ECB’s SSM supervisory priorities for 2024-2026. This reflects the recent surge in cyber incidents that supervised banks have reported to ECB – an increase that partly stems from rising geopolitical tensions and challenges posed by the digitalisation of the banking sector.

The stress test involved 109 banks directly supervised by the ECB. All banks had to answer a questionnaire and submit documentation for the supervisors to analyse, while a sample of 28 banks was chosen to undergo more extensive testing. The latter were asked to perform an actual IT recovery test and provide evidence that it had been successful, in addition they were also visited on site by supervisors. The sample covered different business models and geographical locations to reflect the wider euro area banking system and ensure sufficient coordination with other supervisory activities.

To test their response to the scenario, banks had to show their ability to:

. activate their crisis response plans, including internal crisis management procedures and business continuity plans;

. communicate with all external stakeholders such as customers, service providers and law enforcement agents;

. run an analysis to identify what services would be affected and how;

. implement mitigation measures, including workarounds that would help the bank to operate during the time needed to fully recover IT systems.

To test their ability to recover from the scenario, banks had to show they could:

. activate their recovery plans, including restoring backed-up data and aligning with critical third-party service providers on how to respond to the incident;

. ensure that affected areas were recovered and up and running;

. implement lessons learnt, for example by reviewing their response and recovery plans.

Anneli Tuominen, Member of the Supervisory Board of the ECB said: „

„An increase in cyberattacks is threatening the services provided by our banks and could pose a risk to the stability of our financial system. As these threats become more sophisticated, the banking system must further boost its resilience to such risks. This is not just a precaution, but a clear necessity.

The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement. Banks need to ensure that their recovery capabilities are sufficient to handle worst-case scenarios and that they can meet their recovery objectives to protect customer assets and customer data, maintain confidence in the banking system and, ultimately, safeguard financial stability.„

The ECB is committed to continuing to work with the banks it supervises to strengthen their cyber resilience framework. To this end, it will further encourage banks to keep working on meeting supervisory expectations by, among other things, ensuring they have in place adequate business continuity, communication and recovery plans, which should consider a wide enough range of cyber risk scenarios. Banks should also be able to meet their own recovery objectives, properly assess dependencies on critical third-party ICT service providers, and adequately estimate direct and indirect losses from a cyberattack.

The outcome of the exercise will feed into the 2024 SREP, which assesses banks’ individual risk profiles. The cyber resilience stress test is not focused on banks’ capital, so its results will not affect banks’ Pillar 2 Guidance. Supervisors have provided individual feedback to each bank and will follow up with them accordingly. In some cases, banks have already improved or plan to remedy the shortcomings pinpointed during the exercise.

____________

The ECB conducts supervisory stress tests on an annual basis in line with Article 100 of the Capital Requirements Directive, and every two years participates in an EU-wide stress test coordinated by the European Banking Authority. In those years where there is no EU-wide stress test, the ECB conducts a targeted stress test exercise which focuses on a specific topic of interest, such as the sensitivity analysis of interest rate risk in the banking book in 2017, the sensitivity analysis of liquidity risk in 2019, and the climate risk stress test in 2022.

The ECB currently directly supervises 113 banks. The 109 banks that participated in the cyber resilience stress test were those under direct ECB supervision at the time the exercise was launched, with a few exclusions for bank-specific reasons such as restructuring or change of significance status.

(1) International Monetary Fund (2024), Global Financial Stability Report – The Last Mile: Financial Vulnerabilities and Risks, April.