Cybersecurity in Focus: ECB Stress Test Exposes Banks’ Vulnerabilities
The European Central Bank (ECB) has concluded an extensive cybersecurity stress test of European banks, initiated in January 2024. The regulator assessed the readiness of financial institutions to withstand and recover from significant cyberattacks.
A total of 109 banks under direct ECB supervision participated in the test. All of them completed a specialised questionnaire and submitted supporting documentation for analysis. In addition, 28 banks underwent an enhanced assessment, which included actually executing their IT system recovery procedures, providing evidence that the recovery had succeeded, and hosting on-site supervisory visits.
The stress test scenario assumed a severe but plausible cybersecurity incident: all preventive security controls had failed, and the attack had severely damaged the databases of the banks' core systems. Because prevention was taken as already defeated, the primary objective was to evaluate the banks' ability to respond to the attack and to recover from it.
The results indicated that banks generally have the necessary response and recovery frameworks in place, but also that there is room for improvement. The ECB urged banks to strengthen their business continuity plans for crisis situations, improve their communication with all stakeholders, and develop more effective strategies for recovering IT systems after a cyberattack. Banks were also advised to consider a broader range of cyber-risk scenarios and to assess more rigorously their dependence on critical third-party IT service providers.
The regulator notes an increase in cyber incidents in the banking sector, which it links to rising geopolitical tensions and to the challenges of digitalisation.
Conducting such stress tests is a regular practice for the ECB. Under Article 100 of the Capital Requirements Directive, supervisory stress tests must be carried out at least annually. Every two years the ECB takes part in the EU-wide stress test coordinated by the European Banking Authority; in the intervening years it runs targeted stress tests on specific themes, of which this cyber resilience exercise is one.
The ECB emphasises that identifying and remedying deficiencies in banks' operational resilience, including their protection against cyber risk, is a supervisory priority for 2024-2026. The stress test results will feed into the 2024 Supervisory Review and Evaluation Process (SREP). They will not, however, affect the banks' capital requirements (Pillar 2 Guidance), since the exercise focused on operational rather than capital aspects.
Supervisors have provided individual feedback to each bank and will work with them to address the shortcomings identified. Some institutions have already begun strengthening their cybersecurity arrangements or plan to do so in the near future.
The ECB intends to continue working with the banks it supervises to strengthen their cyber resilience, and will press them to meet supervisory expectations, including maintaining adequate operational resilience measures.