Over 100 European banks will be tested on their cyber-attack response and recovery capabilities this year, the European Central Bank (ECB) has announced.
The EU’s central bank will conduct its first-ever cyber resilience stress test on 109 directly supervised banks in 2024. This test will focus on the banks’ ability to respond to a successful cyber-attack, rather than their ability to prevent it.
The announcement follows an ECB evaluation of banks’ management of IT risk published in November 2023, which found there was little progress in IT risk management in the sector.
It found “serious supervisory concerns that confirm the need to continue on-site inspections in conjunction with tailored discussions between banks and supervisors.”
How Will the Cyber Resilience Stress Test Work?
In the stress test scenario, a cyber-attack will have successfully disrupted the bank’s daily business operations.
Supervisors will then observe the bank’s response and recovery measures, including its ability to activate emergency procedures and restore normal operations.
In addition, 28 banks will undergo an enhanced assessment in which they will be required to submit further details on how they coped with the cyber-attack.
This will also evaluate whether there is sufficient coordination with other supervisory activities. These 28 banks will represent different business models and geographies to provide a “meaningful reflection” of the euro banking system.
Following the stress tests, supervisors will discuss the findings and lessons learned with each bank as part of the wider 2024 Supervisory Review and Evaluation Process, which assesses a bank’s individual risk profile. The exercise’s main findings will then be published in the summer of 2024.
In October 2023, Lloyd’s of London published a systemic risk scenario, which predicted that a cyber-attack on a major financial services payment system could result in global economic losses of $3.5trn.