European Central Bank Concludes Banking Cyber Stress Test: “Room for Improvement,” Says ECB Supervisory Board Member
The European Central Bank (ECB) has concluded its first-ever cyber stress test for the banking sector, revealing that while banks are well-prepared for cyberattacks, there is still “room for improvement” in their recovery capabilities. Anneli Tuominen, an ECB supervisory board member, highlighted the need for banks to enhance their ability to meet recovery objectives in worst-case scenarios to protect customer assets and data, maintain confidence in the banking system, and safeguard financial stability.
The stress test, which involved 109 banks operating across different business and geographical areas in Europe, identified weaknesses in banks’ recovery capabilities, particularly in meeting recovery time deadlines. Consulting firm KPMG’s analysis of a subset of participants found that many banks struggled to simultaneously test technical and banking processes, leading to a lack of centralized inventories of business processes and IT assets.
The test did not focus on banks’ ability to prevent cyberattacks but rather on their response and recovery frameworks. It also highlighted the strong dependence of banks on service providers, raising concerns about cyber resilience in the wake of a recent global IT outage caused by a cybersecurity vendor’s faulty update.
The ECB’s decision to conduct the cyber stress test was prompted by concerns about potential cyberattacks on European critical infrastructure amid Russia’s war of conquest against Ukraine. The European Investment Bank experienced a distributed denial-of-service attack shortly after Russian-speaking hackers expressed their intention to target Western financial institutions.
Moving forward, the ECB plans to incorporate the insights gained from the cyber stress test into its annual supervisory review and evaluation process. Tuominen emphasized the importance of conducting similar exercises on cyber risk in the future to further enhance the banking sector’s cyber resilience.