The European Central Bank (ECB) has indicated that there is “room for improvement” following its inaugural thematic stress tests focused on cyber resilience, aimed at evaluating banks’ responses to and recovery from cyberattacks.
In these tests, 109 supervised banks were presented with a hypothetical scenario in which a cyberattack successfully disrupted their critical IT infrastructure. Of these, 28 banks underwent an enhanced assessment, during which they provided additional details on their responses to the cyber incident.
The stress test assumed total failure of preventive measures, resulting in a cyberattack that severely impacted the core systems of each bank. Consequently, the emphasis was placed on the banks’ ability to respond and recover, rather than on prevention strategies.
ECB supervisor Anneli Tuominen highlighted that, despite the existence of high-level response and recovery frameworks among banks, improvements are still needed. She emphasized the importance of ensuring that recovery capabilities can effectively address worst-case scenarios, thus enabling banks to protect customer assets and data, maintain confidence in the banking system, and ultimately ensure financial stability.
This testing initiative was launched earlier this year amid rising tensions with Russia, reflecting concerns from supervisory authorities regarding the potential for major cyberattacks to disrupt the banking sector, which increasingly depends on digital technology for operations.
Tuominen referenced a recent outage at CrowdStrike, stating that the interconnectedness of modern banking networks means that issues in one institution can have far-reaching implications across various sectors.
The ECB encourages banks to continue investing in their cyber resilience, with indications that similar stress tests may be conducted in the future. Furthermore, the forthcoming implementation of the Digital Operational Resilience Act in January is expected to establish a robust framework that will compel banks to enhance their commitment to continuous cyber risk management.