Anneli Tuominen
ECB representative to the Supervisory Board
SPEECH

Improving banks’ resilience to hybrid threats

Speech by Anneli Tuominen, Member of the Supervisory Board of the ECB, at the conference “The Current Hybrid Threat Environment and Financial Stability”, jointly organised by Commerzbank and the European Centre of Excellence for Countering Hybrid Threats

Frankfurt, 18 November 2025

It is a pleasure to be here today and I would like to thank the organisers for inviting me. While I am very happy to take part in this initiative, the fact that we have all gathered here to discuss how banks could improve their resilience to hybrid threats in a practical sense should be a cause for concern in itself. Until a few years ago the thought of holding a conference like this as anything other than a hypothetical experiment out of academic interest would have been fanciful. Alas, recent experience has taught us that risks we previously thought of as belonging to a “tail” scenario (meaning they are very unlikely to materialise) have now become part of the baseline. Thus, in my remarks I will outline how banks and their supervisors can collectively respond to the challenges brought about by the current hybrid threat environment.[1]

Understanding the risks and their transmission channels

To inform our joint policy response, we first need to understand the risks banks face and the channels through which these risks might affect their activity. A hybrid threat is defined as “an action conducted by state or non-state actors, whose goal is to undermine or harm a target by combining overt and covert military and non-military means”.[2] This includes cyberattacks, economic influence or coercion and information manipulation or disinformation, as well as other factors such as sabotage, coercive diplomacy, covert political manoeuvring and threats of military force. For the purposes of my remarks today, I will be focusing on the first set of actions. While the second set can also affect banking activity, banks and their supervisors can do little to guard against them in a practical sense, instead relying on the “protection” offered by both sovereign states and multilateral or supranational institutions (such as the EU and NATO).

Hybrid threats thus encompass a wide variety of potential actions but have at least three features in common. The first is that they are deliberate measures, planned and executed with the aim of causing harm. The second is that they are combined actions, often coordinated or synchronised. And the third is that they tend to be carried out or “sponsored” by autocratic state actors. Taken together, these features help to explain the overarching aim of such measures, which is to destabilise and undermine democratic societies, including by targeting their key institutions and exploiting their systemic vulnerabilities.[3] Democracies tend to be associated with open economic systems.[4] To the extent that banks play a critical role in such systems, especially due to their deposit-taking and credit-extension functions and their role in the payments mechanism, it follows that they are likely to rank high on the list of potential hybrid threat targets of would-be attackers. This is why, for example, banks and other entities deemed part of countries’ critical infrastructure (such as energy, transport, defence and telecommunications companies) typically account for the second-largest share of state-sponsored cyberattacks worldwide, second only to domestic political institutions (such as governments and public administrations).[5]

There is a long history of states using information manipulation, economic pressure (such as trade sanctions) and coercive diplomacy (including the implicit threat of military force) to further their political objectives. These elements are (still) very much present in the public discourse today. But while not new to banks, the magnitude of the risks posed by hybrid threats has significantly increased in recent years. This is certainly the case for cyber risks, where the number of cyberattacks reported by banks has risen sharply,[6] and I would argue that it is also true of other hybrid risks that are harder to measure. There are a number of different elements which, taken together, support this observation. These include (i) indicators gauging the incidence of hybrid threats,[7] which, while limited in scope, point to an upward trend; (ii) the measures taken in the EU[8] and the United States[9] to prevent electoral interference by foreign agents and also, in the case of the EU, to safeguard critical infrastructure;[10] (iii) the fact that the EU has recently developed a framework for the establishment of rapid response teams, citing the need to counter the growing threat posed by hybrid risks as a reason;[11] and (iv) the recent evolution of trade policy uncertainty[12] measures, as a proxy for potential shifts in economic policies (or potential economic coercion) by major global actors.

In my view, two important factors account for the intensification of hybrid threats in recent years. The first is the rapid advancements in digitalisation, which have permeated almost every aspect of economic, financial and social activity in open societies. Banks have not been immune to this development, but as their operations have become increasingly digital, the potential avenues for them to be on the receiving end of cyberattacks have multiplied. These channels could be direct (where banks themselves are targeted) or indirect, for example through disruptions in critical infrastructure (such as power grids) or the service providers that underpin banking activity. Here, banks’ dependence on a handful of third parties offering cloud services, including outsourcing some critical functions that are difficult or impossible to replace, opens the door to cascading effects from cyber incidents in the supply chain, even if banks themselves have not been directly targeted. Moreover, as the operations of banks’ customers have also been digitalised, increased linkages between the financial and real sectors also mean that cyberattacks targeting the latter can also affect the former (for example, in the form of supply chain disruptions). Thus, the potential challenges for banks on this front have mostly to do with operational resilience, though financial and reputational losses could also arise as a result.

The second factor is geopolitical risk, which has also been on the rise in recent years.[13] The advancements in digitalisation to which I just referred have opened up new possibilities for states to advance their strategic agendas via the cyberspace domain. Seen from this perspective, it is hardly surprising that increased cyberattacks have been associated with rising geopolitical tensions, or that the frequency of cyberattacks has tended to increase during periods of heightened policy and market uncertainty, as has been the case in recent years.[14] States have thus made growing use of hybrid threats as a means to pursue their geopolitical goals, and in so doing have further contributed towards the creation of geopolitical risks. Here too, banks remain potentially vulnerable through direct and indirect channels: directly, through the risks to operational resilience posed by state-sponsored cyberattacks, and indirectly, through the geopolitical risks induced by hybrid threats. In turn, geopolitical risks can act as drivers of traditional risk categories. For example, credit risk can potentially materialise on banks’ balance sheets through increased trade protectionism, and market risks may increase as a result of disinformation campaigns during elections.

Implications arising from hybrid threats for banks

The main implication of the intensified hybrid threats in recent years is a more complex risk landscape for banks. Banks now have to expand the scope of their monitoring to include these types of risks as well as their interactions with traditional banking risks through geopolitical risks. In turn, these interactions compound the difficulties inherent in banks’ risk identification processes, and thus the resulting internal arrangements that need to be made to keep such risks in check. In my view, there are three areas to which banks must pay close attention in order to succeed in this challenging environment.

Strengthening operational resilience frameworks. The first is straightforward. If hybrid threats have put the spotlight on banks’ operational resilience frameworks to the point that they may entail significant and potentially existential risks, it follows that such frameworks should be strengthened as a matter of priority. In this regard, the cyber resilience stress test the ECB conducted last year showed that, while banks have frameworks in place to respond to and recover from severe cyber incidents, there is still room for improvement.[15] More broadly, from a supervisory point of view our main areas of concern in the information and communications technology (ICT) domain are the potential security risks stemming from rising cybersecurity incidents, the outsourcing risks associated with the growing reliance on cloud services, and the “change risk” related to the increase in the critically important projects undertaken by banks themselves.[16]

The issue of change risk in the ICT domain links in turn to the question of whether banks should invest more in artificial intelligence (AI) and related technologies to help counter the growing risk the use of such technologies by external parties poses to their operations in the first place. Recent figures from the ECB’s annual data on the use of innovative technologies show that as many as 88% of the banks directly supervised by the ECB are making use of AI technology in some way, mostly in areas such as fraud and cybercrime detection, marketing, customer support and credit scoring.[17] As the use of AI by banks becomes more expansive over time to reap the benefits this technology might bring to other processes and business lines, the related operational challenges for banks will also increase. From a cybersecurity perspective, it is likely that AI tools will bolster the capacity of threat actors to launch cyberattacks, deepfakes and phishing attempts. For example, the use of this technology could improve the efficiency and credibility of the underlying techniques used by hackers or help them to detect and exploit “loopholes” in banks’ infrastructures. However, AI technology should also help improve banks’ cybersecurity, for example by helping to detect unusual patterns in customer behaviour or analysing large volumes of security signals, allowing for “automated” responses to keep such risks in check. Innovations in quantum computing could offer a similar risk and reward payoff matrix. Taken together, these trade-offs underline the need for banks to keep abreast of technological innovations in the cyber threat landscape in order to enhance their cyber resilience.[18]

Reinforcing governance arrangements. The second area relates to governance. The changed risk landscape which banks face means that the demands placed on their management bodies to effectively understand and oversee a bank’s business have also changed.[19] As for hybrid threats, the good news is that banks seem to be very much aware of the perils these risks could pose to their franchise. For example, a recent risk management survey conducted by the Institute of International Finance revealed that cybersecurity remained the top concern for 75% of chief risk officers in global banking, primarily on account of geopolitical tensions.[20] However, for banks directly supervised by the ECB, we see that there is still room for improvement in the collective expertise of their management bodies in the area of ICT and security risks stemming from the digitalisation of banking services. This is why last year we published a dedicated set of supervisory expectations to help banks bridge the remaining gaps in this area.[21] These expectations will also be useful for banks in managing the requirements stemming from the EU’s Digital Operational Resilience Act.[22]

Developing contingency plans and communication to match. The third area relates to contingency planning and communication. As I have just outlined, the growing intensity of hybrid threats in recent years requires banks’ management bodies to have a greater “breadth of awareness” concerning the risks that banks actually face. Therefore, banks need to devise “what if” scenarios and draw up corresponding contingency plans. To help with this task, we will be conducting a reverse stress test on geopolitical risk next year.[23] Unlike an ordinary stress test, we will be providing an outcome rather than a scenario. It will then be up to each bank to determine what kind of scenario would lead to that particular outcome. Our guide on the effective management of outsourcing risk for banks that use third-party cloud services, which we finalised earlier this year,[24] is another example of how we are trying to encourage banks to proactively think about potential “hidden” or interrelated risks.

Contingency plans are also needed to deal with disinformation threats. In my view, this is an issue that is not receiving sufficient attention from banks or their supervisors. That is why I welcome initiatives like this conference, where this topic is explicitly up for debate. Back in 2022 the European Banking Authority warned that European banks could be victims of “fake news” and thus see sudden deposit withdrawals as part of the fallout from Russia’s invasion of Ukraine.[25] That risk has not materialised – but just last April, the EU Agency for Cybersecurity warned about disinformation circulating via social media regarding an alleged cyberattack on European banks in the context of the power outage in parts of southern Europe.[26] The market turmoil of spring 2023 in the United States showed how the influence of social media can make bank runs move faster in the digital age.[27]

The Financial Stability Board has also warned that advances in AI could exacerbate these risks, with “malicious actors”[28] generating and spreading disinformation that could lead to flash crashes and bank runs. And some recent studies suggest that the traction of AI-induced disinformation campaigns in the banking sector could be significant among the public at large.[29] Taken together, this implies that banks need to pay close attention to any mentions in (social) media, as they may impinge on customer behaviour. For this reason, I would also see merit in including disinformation risks as one of the contingencies that banks need to address in their recovery plans.

Banks’ contingency planning thus needs to include communication aspects, including to counter disinformation. However, during the cyber resilience stress test we conducted last year,[30] we found that many banks didn’t have sufficiently well-developed communication plans to reach out to their customers in crisis situations, including cyber incidents. Our supervisors are therefore following up on the findings with the affected banks to ensure that effective communication contingency plans are in place.

Impact on supervisory practices and processes

The changed risk landscape that banks have faced in recent years, including on account of greater hybrid threats, has also had consequences for how supervisors work. I have already outlined some of the ECB’s initiatives to help banks meet the challenges stemming from hybrid threats, such as the cyber resilience stress test, the supervisory expectations concerning outsourcing cloud services and the planned reverse stress test on geopolitical risk. In tailoring our supervisory initiatives to help banks manage risks in these areas, we have also had to reassess some of our own processes and practices to be able to deliver on our goals. So there has been a learning curve on both sides.

As I said at the beginning of my remarks, the increase in hybrid threats in recent years has also led EU authorities to embark on new initiatives to keep these risks in check. Examples of efforts to preserve the integrity of the information space include the AI Act,[31] which establishes transparency obligations for providers and deployers of certain AI systems, and the Digital Services Act,[32] which requires online platforms and online search engine providers to mitigate systemic risks to society and democracy[33] stemming from their services. For the banking sector, the main regulatory innovation in this regard has been the Digital Operational Resilience Act, or DORA, which entered into force at the beginning of the year. Looking ahead, DORA will entail changes to supervisory processes and practices in three concrete areas of information technology (IT) and cyber risk. Taken together, these should allow supervisors to have a better handle on the (cyber-related) hybrid threats that banks face.

The first is the development of threat-led penetration testing, or TLPT, as a supervisory tool. The new regulation requires several types of banks to perform advanced security testing using external “ethical hackers” who will try to break into their IT systems. Banks will be able to learn from this threat-led penetration testing and enhance their cyber resilience strategy as a result. Similarly, supervisors will have a new tool at their disposal and will be able to use the TLPT findings when conducting supervisory processes. The ECB will be responsible for managing TLPT and certifying that banks are meeting the requirements. This will therefore have a significant impact on our supervisory activities in the future, including capacity building on IT risk management.

The second is the oversight of critical ICT third-party service providers, which will now be subject to oversight at EU level, in recognition of their systemic importance for the financial sector as a whole. One of the three European Supervisory Authorities will lead this oversight: the European Banking Authority, the European Insurance and Occupational Pensions Authority or the European Securities and Markets Authority. The ECB will participate in these oversight activities by contributing resources to the joint examination teams that will be established for each critical ICT third-party service provider.

The third is the establishment of an EU-wide systemic cyber incident coordination framework. This stems from a recommendation[34] made by the European Systemic Risk Board in the context of the responsibilities to be attributed to the three European Supervisory Authorities under DORA. The framework covers major cross-border ICT-related incidents or related cyber threats having a systemic impact on the EU financial sector, bringing together relevant national and European authorities in the macroprudential, resolution and supervisory domains, including the ECB. The establishment of the framework was announced in mid-2024[35] and work to make it fully operational is ongoing.

As with other policy areas in the EU, cyber security is a responsibility shared between several national and pan-European stakeholders. This set-up puts a great onus on effective coordination between the different actors to ensure that the crisis management framework runs smoothly, especially across borders and when there are systemic cyber events.[36]

Conclusion

Let me conclude. I have argued that hybrid threats have been rising in recent years and that banks need to take these seriously – not only for their own sake, but also for that of the open societies which they are very much a part of. I have outlined that to deal with the challenges posed by hybrid threats, banks need to strengthen their operational resilience frameworks, reinforce their governance arrangements and develop contingency plans, including for communication. I have highlighted how supervisors have tailored their supervisory initiatives to help banks deal with these risks and the extent to which new responsibilities in IT and cyber risk supervision will continue to require adaptation of supervisory processes and practices going forward.

Within this broad picture, I have also argued that both banks and their supervisors should do more to deal with potential risks related to disinformation. The bank runs in the early 1930s showed the pernicious effects that popular rumours can have on banks when combined with economic uncertainty.[37] Fortunately, these days our financial safety nets (like deposit insurance for bank customers) are better, our institutions are stronger and our banks remain robustly capitalised. However, we also know that more capital is not always the best response to challenges in the operational domain. Like in the 1930s, uncertainty is high and, in addition, the digital information age has “turbocharged” potential reputational and other disinformation-related risks to banks.

At the same time, I have also noted that there are limits to what banks can meaningfully do to guard against certain forms of hybrid threats. Banks do not live in a societal vacuum and partly depend on the protection offered by European states and institutions to remain operationally resilient – not only to maintain critical physical infrastructure, but sometimes also to substitute for some critical services which they routinely provide (such as payment services), if these become unavailable in serious emergency situations.[38] A collaborative effort across society as a whole is therefore required to improve our collective resilience against hybrid threats because, as the quote frequently attributed to Benjamin Franklin goes, “by failing to prepare, you are preparing to fail”.

  1. I am grateful to Francisco Ramon-Ballester for preparing a first draft of this speech, and to Alberto Partida and Peter Orthmayr for their comments. I am solely responsible for the views expressed here and for any errors.

  2. See the definition provided by the European Centre of Excellence for Countering Hybrid Threats.

  3. See the dedicated section on hybrid threats on the Council of the European Union’s website.

  4. See, for example, Acemoglu, D. et al. (2019), “Democracy Does Cause Growth”, Journal of Political Economy, Vol. 127, No 1, January; and Persson, T. and Tabellini, G. (2006), “Democracy and Development: the Devil in the Details”, CESifo Working Paper, No 1672, CESifo, February.

  5. Klaus, B. and J. Wendelborn (2025), “Cyber threats to financial stability in a complex geopolitical landscape”, Financial Stability Review, ECB, May. At a global level, finance and insurance companies rank approximately fourth among the top ten industries affected by cyberattacks in volume terms, jointly with the educational services industry, and below the public administration, healthcare and technology industries; see the University of Maryland’s CISSM Cyber Events Database. In Europe, banks are by far the entities most affected in terms of the number of cyberattacks in the European financial sector as a whole. See European Union Agency for Cybersecurity (2025), ENISA threat landscape: finance sector, February.

  6. Tuominen, A. (2025), “Operational resilience in the digital age”, The Supervision Blog, ECB, 17 January. The number of cyber incidents reported by banks to the ECB rose sharply up to the end of 2024. The data for 2025 is not directly comparable because the incident reporting thresholds have changed following the entry into force of the EU’s Digital Operational Resilience Act (DORA). As a result of DORA, the ECB now receives ICT (non-cyber but operational) incident reports as well as ICT cyber incident reports. However, the latter are smaller in number than was previously the case because the reporting thresholds are different from those under the ECB’s earlier cyber incident reporting framework.

  7. See the Heidelberger Hybrid Threat Indicator.

  8. Council of the European Union (2024), “Democratic resilience: Council approves conclusions on safeguarding electoral processes from foreign interference”, press release, 21 May.

  9. Kovalčíková, N. and Spatafora, G. (2024), “The future of democracy: lessons from the US fight against foreign electoral interference in 2024”, Briefs, No 22, European Union Institute for Security Studies, December.

  10. Council of the European Union (2022), “EU resilience: Council adopts a directive to strengthen the resilience of critical entities”, press release, 8 December.

  11. Council of the European Union (2024), “Hybrid threats: Council paves the way for deploying Hybrid Rapid Response Teams”, press release, 21 May.

  12. See the data for the Trade Policy Uncertainty Index using the methodology originally developed in Caldara, D. et al. (2020), “The Economic Effects of Trade Policy Uncertainty”, Journal of Monetary Economics, Vol. 109, pp. 38-59.

  13. See, for example, the recent evolution of the geopolitical risk index developed by Caldara and Iacoviello (2022), as reported in Behn, M. et al. (2025), “Geopolitical risk and its implications for macroprudential policy”, Macroprudential Bulletin, No 29, ECB, April, or the global BlackRock Geopolitical Risk Indicator.

  14. Fell, J. et al. (2022), “Towards a framework for assessing systemic cyber risk”, Financial Stability Review, ECB, November. For standard indicators to gauge market uncertainty, please refer to the Chicago Board Options Exchange Volatility Index (VIX) and the ECB’s Composite Indicator of Systemic Stress (CISS).

  15. ECB (2024), “ECB concludes cyber resilience stress test”, press release, 26 July.

  16. International Monetary Fund (2025), “Euro Area: Publication of Financial Sector Assessment Program Documentation-Technical Note on Cyber Risk and Financial Stability-Selected Issues in Regulation and Supervision”, IMF Staff Country Reports, Vol. 2025, No 13, July.

  17. This is in line with the analysis detailed in European Banking Authority (2025), Rising application of AI in EU banking and payments sector, September. See also the forthcoming November 2025 edition of the ECB’s Supervision Newsletter and the forthcoming report on “Artificial Intelligence and Systemic Risk” by the European Systemic Risk Board’s Advisory Scientific Committee.

  18. See Box A in Leitner, G. et al. (2024), “The rise of artificial intelligence: benefits and risks for financial stability”, Financial Stability Review, ECB, May.

  19. Tuominen, A. (2025), “Bank governance in a changing risk landscape”, speech at the “Board of the Future” seminar, jointly organised by the European University Institute and the ECB, 27 October.

  20. EY (2025), “Latest EY and IIF survey reveals cybersecurity as top risk for global CROs amid geopolitical tensions”, press release, 18 February.

  21. ECB (2024), “New policy for more bank board expertise on ICT and security risks”, Supervision Newsletter, ECB, February.

  22. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).

  23. Buch, C. (2025), “Stress tests in uncertain times: assessing banks’ resilience to external shocks”, The Supervision Blog, ECB, 5 September.

  24. ECB (2025), “ECB finalises Guide on outsourcing cloud services”, press release, July.

  25. European Banking Authority (2022), Risk Dashboard (Data as of Q4 2021).

  26. European Union Agency for Cybersecurity (2025), “ENISA Disinformation Alert”, news item, 30 April.

  27. Financial Stability Board (2024), Depositor Behaviour and Interest Rate and Liquidity Risks in the Financial System – Lessons from the March 2023 banking turmoil, October.

  28. Financial Stability Board (2024), The Financial Stability Implications of Artificial Intelligence, November.

  29. Fenimore Harper Communications and Say No to Disinfo (2025), Can A.I. Cause a Bank Run?, February.

  30. ECB (2024), “ECB concludes cyber resilience stress test”, press release, 26 July.

  31. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024).

  32. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1).

  33. A host of other measures to preserve the integrity of the information space have been put forward recently by the European Commission under its European Democracy Shield proposal.

  34. Recommendation of the European Systemic Risk Board of 2 December 2021 on a pan-European systemic cyber incident coordination framework for relevant authorities (ESRB/2021/17) (OJ C 134, 25.3.2022, p. 1).

  35. European Insurance and Occupational Pensions Authority (2024), “ESAs establish framework to strengthen coordination in case of systemic cyber incidents”, news article, 17 July.

  36. European Systemic Risk Board (2024), Advancing macroprudential tools for cyber resilience – Operational policy tools – A review of national and pan-European frameworks, April.

  37. Richardson, G. (2013), Banking Panics of 1930-31, Federal Reserve History, November.

  38. For example, Finland has established a backup system for safeguarding daily payments in situations where normal European payment systems or the systems of specific banks would be unavailable due to a severe disruption or an emergency in society. This has been jointly set up by Suomen Pankki – Finlands Bank, Finanssivalvonta (the Financial Supervisory Authority), the Financial Stability Authority and the Ministry of Finance, among others.
