Interview with Börsen-Zeitung
Interview with Anneli Tuominen, Member of the Supervisory Board of the ECB, conducted by Tobias Fischer
21 November 2023
[The second question of this interview was corrected to reflect the original meaning in German on 22 November 2023 at 19:50.]
Ms Tuominen, ECB Banking Supervision is launching its cyber stress test in January. How harsh will it be for the banks?
The test will simulate a severe cyberattack that disrupts business operations. So it gets straight to the crux of the issue from the banks’ point of view. We want to know how banks respond to and recover from a cyberattack and how they resume normal business. Our main objective is to identify the banks’ weak spots.
This is the first time the ECB will run a cyber stress test.
Yes, it’s a learning exercise for the banks and for us. Stress tests of this kind are still a rarity, but I think that will change in future. The Danish Financial Supervisory Authority has already carried out a cyber stress test, as has the Prudential Regulation Authority in the United Kingdom.
How does it all work?
Almost all banks under our direct supervision, 109 at present, will participate. Out of that group, 28 banks will take part in an enhanced test for which they will have to submit more detailed information.
Which banks will have to undergo the more extensive test? The largest and most complex ones?
We are aiming to cover a significant share of the euro area financial sector, ensuring an even geographical spread, while also covering different business models and sizes.
The exercise takes place at a time when wars are raging in Europe and the Middle East and geopolitical tensions in general are increasing. Was the war in Ukraine considered in the design of the test?
Cybersecurity has been on our agenda for several years now. We established a cyber incident reporting framework in 2017, and IT security and cyber risks are part of our supervisory priorities. This stress test is very timely in my view. There are risks emanating from attacks by state-affiliated groups. The Council on Foreign Relations estimates that since 2005, four authoritarian states have sponsored 77% of all suspected state-sponsored cyberattacks. That is rather alarming – we all need to realise that the threat has grown.
What will the ECB do with the results?
We want this to be a qualitative exercise. It’s important for the banks to understand their own risk profile. We plan to give them feedback based on the test results, for example on the need to implement industry standards for cyber hygiene across the organisation.
Will the results be taken into account in the Supervisory Review and Evaluation Process (SREP)?
They will of course feed into the SREP, but this exercise is not geared to increasing capital ratios as that would not be an effective way of preventing cyber risks. The results could only indirectly affect Pillar 2 requirements in severe cases where we find significant deficiencies in a bank’s risk management or corporate governance.
Will the test lead to tighter supervisory requirements for banks’ cyber defences?
The geopolitical risks are more serious than ever. I think insights into banks’ vulnerabilities will raise supervisory thresholds. Another issue is the banks’ dependency on third-party providers. Banks try to save costs by outsourcing some of their IT processes but that is not always compatible with sound risk management. Banks should also understand the risks attached to outsourcing.
To what extent will outsourcing to third parties, such as IT or cloud providers, be incorporated in the stress test?
I am not able to elaborate on the stress test scenario, but we certainly need to look more closely at the topic of third-party providers. I remember a cyberattack against a financial trading services group at the start of this year which also disrupted business operations at some banks. They were able to resume work, but the incident shows what dependencies exist. We need to take that seriously.
How do you assess the cyber threat in general?
The number of cyberattacks is higher than it was before the pandemic. Distributed denial of service attacks, in which perpetrators interrupt banking services by flooding and clogging bank servers with fake requests, have increased the most. We also see more attacks on third-party providers and more ransomware attacks, where a target is denied access to the data on their own devices unless a ransom is paid. But euro area banks have proven to be resilient so far. The attacks were not so severe as to destabilise individual banks or the banking system. Nonetheless, we have to be prepared: a successful attack could occur at any time.
Apart from the rise in cyberattacks, there have been reports of more disinformation – also in the context of the war in the Middle East. Has this been your impression, too?
This affects society as a whole and is extremely worrying. We are definitely seeing new types of risk – be it hybrid threats, fake news or the use of artificial intelligence.
What can be done about them?
We need to pay more attention to threats such as disinformation. I believe we’re not doing enough right now. The only way that banks can address these risks is to proactively create as active a flow of information as possible. When a disinformation attack does happen, a bank must act fast or risk grave consequences.
Do you know of any banks that have been targeted by disinformation attacks?
I don’t think that there has been such an incident since ECB Banking Supervision started. But a disinformation campaign was launched against Bulgarian banks in mid-2014, which triggered a bank run.
Will the ECB address this and assess banks in this regard?
I would like us to put more focus on this area and test this in the future. Banks must be able to respond to such events with good crisis communication, which is the main tool for responding to disinformation incidents. Awareness of these types of attacks needs to be raised.
Would you say that banks lack awareness of disinformation threats?
We all know what disinformation means in society and politics. But perhaps we have not yet sufficiently realised that disinformation can also affect the financial sector. I hope that such incidents will not affect banks, but they might, and we must be aware of that possibility.
You mentioned risks related to artificial intelligence. Attackers have more and more sophisticated tools at their disposal, including “deepfakes” – AI-generated images, voices and videos. How does the ECB deal with this threat?
Just like we deal with other risks: banks need a sound risk management framework. They must raise their awareness of their own risk profile. And, of course, they need to have enough staff and expertise. I can’t stress this enough. It is expensive, but it is necessary.
Do banks even need to report disinformation attacks to the supervisors?
There are no specific rules on this, unless such attacks fall under the crisis communication framework. But I would assume that if such an attack occurs, the affected bank would naturally inform its supervisors, because that bank has a problem and wants to solve it. That would be the appropriate thing to do.
What worries you most?
Global geopolitical developments. So much depends on them.
What impact do the geopolitical tensions have on the work of ECB Banking Supervision?
Geopolitics has become increasingly important, and we need to consider the risks it poses. This is also why we insist that banks must be resilient and have sufficient capital and liquidity buffers and sound risk management. We need to understand all the related risks, especially operational risks, including the increasing cyber threats. We are also seeing operational and reputational risks at European banks active in Russia, including the risk of money laundering. We have therefore asked these banks to prepare a roadmap for their downsizing strategies.
So should European banks leave Russia, as advocated by your colleague Andrea Enria?
When we see that there are excessive risks, we take the view that the banks should downsize.
Let me finish by changing the topic: Claudia Buch will succeed Mr Enria as Chair of the ECB’s Supervisory Board on 1 January. What do you think will change when she takes over?
Claudia is very competent, and she’s already a member of the ECB’s Supervisory Board, where supervisory decisions are made. Of course, everyone has their own style, so it’s difficult for me to say at this point if there will be changes in that respect. ECB Banking Supervision has been very successful and I do not see a need for dramatic changes, but there is always room for improvement.