“Room for improvement” concludes ECB cyber stress test
Financial institutions in Europe could do better when it comes to cyber security, according to the results of a stress test run by the European Central Bank (ECB).
The test found that there was “room for improvement” among the 109 supervised institutions who were faced with a hypothetical scenario in which their IT systems were penetrated and their core systems were disrupted.
Twenty-eight banks were subjected to an enhanced assessment and will now have to submit additional information on how they were impacted by the simulated cyberattack.
“The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement,” stated Anneli Tuominen, a member of the ECB’s supervisory board, in a blog post.
“Banks need to ensure that their recovery capabilities are sufficient to handle worst-case scenarios and that they can meet their recovery objectives to protect customer assets and customer data, maintain confidence in the banking system and, ultimately, safeguard financial stability.”
Consequently, the ECB has called on lenders in the Eurozone to enhance their systems and their cyber-related business continuity plans.
The tests were set up in reaction to the growing threat of cyberattacks from Russian hackers in the wake of Russia’s invasion of Ukraine.
The results also come very shortly after global IT systems were disrupted by an outage from cyber security company CrowdStrike. While this was due to a failed update rather than an external hack or computer virus, it demonstrated a company’s reliance on globally connected systems.
As Tuominen stated: “An incident in one institution can have cascading effects across multiple sectors”.
In the tests, banks were asked to show their ability to recover their IT systems and develop workarounds in the face of an attack as well as their ability to communicate with external counterparties such as clients, law enforcement and service providers.
“Supervisors have provided individual feedback to each bank and will follow up with them accordingly,” stated the central bank. “In some cases, banks have already improved or plan to remedy the shortcomings pinpointed during the exercise.”
In addition to regulatory scrutiny, there is also concern from insurers about the rise in cyber-attacks within financial services.
Lloyd’s of London, back in October 2023, warned that an attack on a global payment system could cause $3.5trn of damage on a worldwide scale.