European banks gain insight from first-ever cyber stress test


The European Central Bank (ECB) on Friday released the results from its first-ever cyber resilience stress test on over 100 European banks – declaring there was “room for improvement.”

The “predominantly qualitative exercise,” which was carried out in January, was designed to assess how banks respond to and recover from a cyberattack, as opposed to simply looking at their ability to prevent it, the ECB said.

ECB officials had set ‘improving cyber resilience’ as one of their key focus areas for the next two years.


“The importance of cyber resilience in protecting our banking sector cannot be overstated,” Supervisory Board member Anneli Tuominen said Friday in a blog post referencing the test.

The ECB supervisory division, tasked with conducting the test, examined 109 commercial banking institutions to measure their ability to cope with the “economic and financial shock” of an active cyberattack, the ECB said.

Within the test sample, 28 of those banks underwent an enhanced assessment to account for different business models and geographies.

The industry's overall score was good, but also showed “some room for improvement,” it found.

“How would a bank recover from a successful cyberattack?” the ECB asked, posting on its X account.

“Our first cyber stress test shows that banks have response and recovery frameworks in place, but areas for improvement remain,” it said, adding that the test results will “inform banks’ annual health check for 2024.”


Stress test parameters

The idea was to test out a “worst-case scenario” cyber incident to gauge whether the banks would be able to protect their customer assets and data.

As part of the simulated “cyberattack” scenario, the banks' critical IT infrastructure was disrupted.

Daily business operations were the first to go down, triggering the banks' incident response plans, such as activating emergency procedures and contingency logistics, and finally entering the recovery phase of restoring normal operations.

The ECB then examined the banks' self-submitted results and made specific recommendations to each bank as part of its annual supervisory assessment.

Tuominen said that the results were “insightful” and showed that banks do have “high-level response and recovery frameworks in place,” noting that more could be done to improve resiliency.

Improvements in areas such as business continuity, stronger backup measures, and closer scrutiny of external providers were among the specific recommendations.

The test results ultimately help ECB supervisors identify vulnerabilities and address them early on with the banks, and some of the “banks have already improved or plan to remedy the shortcomings pinpointed during the exercise," the ECB said.

The test was created in collaboration with national supervisors and cybersecurity experts, as well as with input from the banking sector “to ensure the exercise was as realistic and useful as possible.”


Banking industry attacks have doubled

The ECB said it would likely conduct similar cyber resilience stress tests in the future, building on the 2024 findings, “to continuously improve and adapt to the evolving cyber threat landscape.”

Tuominen said the emphasis on cyber hygiene has only become more important as the financial sector continues to digitalize and geopolitical tensions continue to grow, while threat actors evolve.

The challenges of upgrading "aging IT systems," the emergence of AI, and overreliance on third-party providers were also mentioned.

The number of cyberattacks on banks has almost doubled since before the COVID-19 pandemic, the ECB pointed out, surging even more in the second half of 2023.

Those attacks ranged from distributed denial-of-service (DDoS) attacks to unauthorized access, ransomware attacks, and breaches of the banks’ third-party providers.

“We want banks to mitigate the risk of cyberattacks, be prepared to withstand such attacks and recover swiftly from them when they do occur,” the ECB said.

The regulator did not reveal which banks were involved in the test and said it was keeping the results in-house to protect the financial institutions from threat actors taking advantage of their weaknesses.
