ECB cyber resilience stress test reveals banks' strengths and gaps

The European Central Bank (ECB) finished its cyber resilience stress test, which gauged how banks would respond to and recover from a severe but plausible cybersecurity incident. Overall, the stress test showed that banks have response and recovery frameworks in place, but areas for improvement remain. The results will feed into the 2024 Supervisory Review and Evaluation Process (SREP) and have helped increase banks’ awareness of the strengths and weaknesses of their cyber resilience frameworks.

How have the banks been put to the test?

The exercise was launched in January 2024 and featured a fictitious stress test scenario under which all preventive measures failed and a cyberattack severely affected the databases of each bank’s core systems. The stress test therefore focused on how banks would respond to and recover from a cyberattack, rather than on how they would prevent it.

The stress test involved 109 banks directly supervised by the ECB. All banks had to answer a questionnaire and submit documentation for the supervisors to analyse, while a sample of 28 banks was chosen to undergo more extensive testing. The latter were asked to perform an actual IT recovery test and provide evidence that it had been successful, in addition they were also visited on site by supervisors.

To test their response to the scenario, banks had to show their ability to:

• Activate their crisis response plans, including internal crisis management procedures and business continuity plans;

• Communicate with all external stakeholders such as customers, service providers and law enforcement agents;

• Run an analysis to identify what services would be affected and how;

• Implement mitigation measures, including workarounds that would help the bank to operate during the time needed to fully recover IT systems.

To test their ability to recover from the scenario, banks had to show they could:

• Activate their recovery plans, including restoring backed-up data and aligning with critical third-party service providers on how to respond to the incident;

• Ensure that affected areas were recovered and up and running;

• Implement lessons learnt, for example by reviewing their response and recovery plans.

The ECB is dedicated to enhancing banks' cyber resilience by urging them to improve business continuity, communication, and recovery plans for various cyber risks. Banks should meet recovery goals, assess critical third-party dependencies, and estimate cyberattack losses. The 2024 SREP will incorporate these findings. The stress test doesn’t impact banks' capital but informs supervisory guidance. Feedback has been given to banks, some of which are already addressing identified shortcomings.