The European Central Bank (ECB) has released results from its first thematic stress tests on cyber resilience, evaluating how well banks can respond to and recover from cyber-attacks.
In a blog post, Anneli Tuominen, ECB Supervisory Board Member, described the stress test results as “insightful.” She noted that while banks have robust response and recovery frameworks, there is still “room for improvement.”
Involving 109 supervised banks, the test featured a hypothetical cyberattack that disrupted critical IT systems. Out of these, 28 banks underwent a detailed assessment and will provide additional information about the response to the attack.
The stress test aimed to completely disable IT systems to assess banks’ responses, rather than testing preventative measures. While the program was introduced amid rising tensions from the war in Ukraine, a recent real-life incident did impact banking systems.
The Crowdstrike outage, impacting various sectors including banks, highlighted the critical need for institutions to respond swiftly to such disruptions.
Tuominen wrote: “Given the interconnected nature of today’s banking networks, an incident in one institution can have cascading effects across multiple sectors, as we saw with the recent global CrowdStrike outage. Therefore, the importance of cyber resilience cannot be overstated – it is the bulwark that protects our financial system from cyber threats.
“We are calling on banks to prioritise cyber resilience and integrate it into their core business strategies. This would enable them to adapt and proactively respond to the fast-paced changes in the cyber threat landscape.”
Looking forward, the ECB anticipates that supervised banks will keep enhancing their cyber resilience and plans to run similar cyber risk exercises in the future.
Additionally, with the Digital Operational Resilience Act (DORA) set to take effect on January 17, 2025, banks will face a stronger regulatory framework, prompting them to strengthen ongoing cyber risk management practices.