Why did the ECB conduct a cyber resilience stress test?
The ECB conducts supervisory stress tests on an annual basis in line with Article 100 of the Capital Requirements Directive, and every two years participates in an EU-wide stress test coordinated by the European Banking Authority (EBA). In years when there is no EU-wide EBA stress test, the ECB conducts a targeted stress test exercise focusing on a specific type of risk. These exercises are run in cooperation with national supervisory authorities.
In recent years, cyberattacks have significantly increased and banks are highly exposed to these ever-evolving cyber threats. In the context of the supervisory priorities for 2024-2026, the ECB asks supervised banks to make further progress in their digital transformation and in building robust operational resilience frameworks, so that they are prepared to withstand cyberattacks and can recover swiftly should a major cyber incident occur.
What scenario did the stress test use?
The scenario assumed that preventive actions and protection measures were bypassed or failed and a cyberattack successfully disrupted the bank’s daily business operations. Banks then tested their response and recovery measures, including activating emergency procedures and contingency plans and restoring normal operations, and supervisors assessed how well banks were able to cope with such a scenario. The exercise therefore assessed how banks respond to and recover from a cyberattack, as opposed to looking at their ability to prevent it.
What kind of information did banks report to the ECB?
Two levels of assessment were implemented: a standard level, and an enhanced level with additional requirements. The 81 banks involved in the standard assessment were requested to answer a questionnaire and provide related evidence such as SSM cyber incident reporting notifications, predefined documents like internal policies and procedures related to ICT risk, and the results of past IT recovery tests using a similar scenario to that of the 2024 SSM cyber resilience stress test. In addition to providing these deliverables, the 28 banks involved in the enhanced assessment were also requested to perform an actual IT recovery test in line with the 2024 SSM cyber resilience stress test scenario and provide related evidence of a successful recovery. These banks were also subject to an on-site visit for further quality assurance.
How did you select banks for the enhanced assessment?
The sample for the enhanced assessment covered different business models and countries to provide a meaningful reflection of the euro area banking system. The sample selection was not driven by considerations of the cyber risk profile of the banks involved.
How will the ECB use the insights gained from the exercise?
The exercise was predominantly qualitative. Insights gained during the exercise will be used for the wider 2024 Supervisory Review and Evaluation Process. At the conclusion of the exercise, the banks received a bank-specific report with recommendations for their improvement, which will be followed up by the Joint Supervisory Teams as part of their regular supervisory activities. As this was not a stress test exercise focused on banks’ capital, its results will not have an impact on banks’ Pillar 2 Guidance.