European Central Bank to Put Banks Through Cyber Stress Test

109 Banks to Participate in Simulated Cyberattacks to Assess Cyber Resiliency

Beginning this month, the European Central Bank will conduct cyber stress tests on banks to determine their resilience against cyberattacks. The agency is requiring 109 banks in Europe to perform vulnerability assessments and incident response evaluations by mid-2024.

In each test, the banking regulator will simulate a disruptive cyberattack capable of adversely affecting business operations. The central bank will then monitor how the financial organization responds to and recovers from the attack and how quickly it resumes normal business.

“Our main objective is to identify the banks’ weak spots,” Anneli Tuominen, a member of the ECB’s supervisory board, said in November. “We also plan to give them feedback based on the test results – for example, on the need to implement industry standards for cyber hygiene across the organization.”

The regulator announced the plans for cyber stress testing in March 2023 amid concerns that new cyberthreats posed by Russia’s invasion of Ukraine could cripple European critical infrastructure. Since the invasion of Ukraine, European government and private-sector organizations have experienced a spike in denial-of-service attacks and ransomware hacks targeting third-party service providers, the ECB said (see: European Central Bank to Hold Cyber Stress Tests for Banks).

Of the estimated 109 banks operating across Europe that will undergo cyber stress testing, 28 must participate in an enhanced test.

The tests include questionnaires requiring banks to produce documentary evidence and exercises in vulnerability detection and information-sharing practices.

In addition to banks, the ECB also will assess the cyber hygiene requirements of third-party service providers of financial organizations.

“Banks try to save costs by outsourcing some of their IT processes, but that is not always compatible with sound risk management,” Tuominen said. “Banks should also understand the risks attached to outsourcing.”

Although European financial organizations have remained largely unaffected by the increased volume of attacks tied to the Russia-Ukraine war, a recent assessment by the ECB found that banks continue to have weak asset management, making them susceptible to hacks.

The agency said banks show a decline in cyber incident reporting, weak identity and access management, and poor data management. It also found that poor software management had resulted in significant downtime in 2022.

Tuominen said the exercise will help banks identify potential vulnerabilities and better prepare for “a successful attack that could occur at any time.”