
ECB conducts cyber resilience testing of 109 banks in the eurozone

The European Central Bank (ECB) has completed cyber resilience testing that examined the ability of 109 banks to respond to, and recover from, a serious but plausible cybersecurity incident, the Croatian National Bank (HNB) reported.
The stress testing began in January 2024 and was built around a hypothetical scenario in which all preventive measures had failed and a cyber attack had significantly damaged the databases of every bank's core systems. The test therefore did not assess the banks' ability to prevent a cyber attack, but their ability to respond to one and recover from it, the HNB emphasized.
Identifying and addressing deficiencies in the operational resilience frameworks of supervised banks, including those arising from cyber risks, is one of the supervisory priorities of the ECB’s Single Supervisory Mechanism for the period from 2024 to 2026. This is due to the recent strong increase in the number of cyber incidents reported by supervised banks to the ECB, which is partly a result of rising geopolitical tensions and challenges in the digitalization of the banking sector, the central bank noted.
The stress testing covered 109 banks directly supervised by the ECB. All banks were required to complete a questionnaire and submit supporting documentation to the supervisory authorities for analysis. A sample of 28 banks underwent more extensive testing: they had to carry out an actual IT system recovery test and demonstrate its successful outcome, and their testing also included on-site verification by the supervisory authorities. The sample covered a range of business models and geographical areas so as to represent the wider euro area banking system and to ensure adequate coordination with other supervisory activities.
Specifically, in the assessment of response capabilities to a cyber attack scenario, banks had to demonstrate that they were capable of: activating crisis response plans, including internal crisis management procedures and business continuity plans; communicating with all external stakeholders, such as clients, service providers, and law enforcement agencies; conducting analyses to determine which services would be affected and in what way; implementing measures to mitigate consequences, including workaround solutions that would facilitate their operations until the full recovery of the IT systems.
In the assessment of recovery capabilities under the same scenario, banks had to show that they were capable of: activating recovery plans, including restoring data from backups and aligning their incident response methods with those of key third-party service providers; ensuring the restoration and functioning of the affected areas; and applying lessons learned, such as reviewing their response and recovery plans.
As stated in the announcement, the stress testing showed that banks have established response and recovery frameworks, but there are areas where improvements are needed. The results of the testing contributed to increasing banks’ awareness of the strengths and weaknesses of their cyber resilience frameworks and will be taken into account in the supervisory review and assessment process in 2024.