Enhancing banks’ resilience against cyber threats – a key priority for the ECB (2024)

26 July 2024

By Anneli Tuominen, Member of the Supervisory Board of the ECB

The importance of cyber resilience in protecting our banking sector cannot be overstated: the current landscape poses a variety of cyber threats, from cybercrime to sophisticated state-sponsored attacks. The results of our recent stress test will help us strengthen the way supervised banks manage cyber risk, to set the stage for a resilient banking future.

Geopolitical tensions and digitalisation highlight the importance of cyber resilience

Our financial sector has become ever more digitalised over the past few years. At the same time, growing geopolitical tensions have left our societies – and our banks – more exposed to unpredictable and ever-evolving hybrid threats. An increase in cyberattacks is threatening the services provided by our banks and could pose a risk to the stability of our financial system. As these threats become more sophisticated, the banking system must further boost its resilience to such risks. This is not just a precaution, but a clear necessity.

According to the International Monetary Fund[1], the number of cyberattacks on banks has almost doubled since before the COVID-19 pandemic. We also see this reflected in the increasing number of significant cyber incidents reported to the ECB over the past few years. These range from attacks forcing online services offline (distributed denial of service attacks) to entering a bank’s systems without permission (unauthorised access), holding data hostage in exchange for a ransom (ransomware), and targeting banks’ third-party providers. The current landscape poses a variety of cyber threats, from cybercrime to sophisticated state-sponsored attacks. This includes hybrid warfare, which combines conventional military force with other means of warfare, such as cyberattacks, disinformation campaigns, economic pressure and political subversion. Authoritarian states, for example, have been implicated in cyber espionage and cyber warfare operations, indicating that cybersecurity is not only a matter of protecting against individual hackers, but also a matter of national and international security. The rise of artificial intelligence (AI) has also amplified the risk of more sophisticated AI-driven cyberattacks.

While cyber incidents have not yet had systemic consequences for the overall financial system, a severe successful cyberattack could pose a significant threat. A cyberattack can interrupt essential services at a bank, seriously disrupting its business and damaging the trust of its customers and investors. Given the interconnected nature of today’s banking networks, an incident in one institution can have cascading effects across multiple sectors, as we saw with the recent global CrowdStrike outage. Therefore, the importance of cyber resilience cannot be overstated – it is the bulwark that protects our financial system from cyber threats.

Given this importance, banks need to prioritise investment in cybersecurity and treat it as a vital strategic component that underpins their operational resilience. They should be able to maintain critical banking operations to ensure business continuity and maintain their customers’ trust, even under adverse conditions. We are calling on banks to prioritise cyber resilience and integrate it into their core business strategies. This would enable them to adapt and proactively respond to the fast-paced changes in the cyber threat landscape.

That’s why we identified improving cyber resilience as a key focus area in our supervisory priorities for 2024-26. We want banks to mitigate the risk of cyberattacks, be prepared to withstand such attacks and recover swiftly from them when they do occur. With this goal in mind, we launched our supervisory cyber resilience stress test in January of this year, with a view to testing and strengthening the cyber resilience of the banks we supervise.

Stress testing banks’ preparedness

We developed the cyber resilience stress test in collaboration with national supervisors and cybersecurity experts and sought input from the banking industry itself to ensure the exercise was as realistic and useful as possible. It complements our other supervisory tools that are designed to help ensure that banks are operationally resilient, such as dedicated on-site inspections, targeted reviews and the IT risk questionnaire. The results will also feed into our yearly assessment of banks’ individual risk profiles.

The stress test featured a hypothetical scenario in which a cyberattack succeeded in disrupting banks’ critical IT infrastructure. As it is extremely difficult to prevent all cyberattacks, we did not test the banks’ prevention capabilities, but rather their ability to respond to and recover from such an incident while maintaining their critical functions and services. The exercise was an opportunity for banks to enhance their cyber resilience strategies by identifying gaps and making improvements in their response and recovery procedures.

The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement. Banks need to ensure that their recovery capabilities are sufficient to handle worst-case scenarios and that they can meet their recovery objectives to protect customer assets and customer data, maintain confidence in the banking system and, ultimately, safeguard financial stability.

I am confident that the results of the stress test will also help banks’ IT experts raise awareness internally about existing cyber risks and the need for investment to further enhance cyber resilience.

Looking ahead: further improving cyber resilience

The ECB expects supervised banks to continue improving their cyber resilience. We would like to conduct similar exercises on cyber risk in the future, building on the insights gained from the cyber resilience stress test and our broader supervisory work in this area and making use of cyber threat intelligence. This will help us to continuously improve and adapt to the evolving cyber threat landscape.

The forthcoming application of the Digital Operational Resilience Act (DORA) on 17 January 2025 will provide a robust framework that will require banks to step up their efforts to foster a culture of continuous cyber risk management. This new EU regulation aims to strengthen the IT security of financial entities and make sure that the EU’s financial sector can remain resilient in the event of severe operational disruption.

Addressing the multifaceted nature of emerging cyber threats is a joint effort that requires the ECB, the banking sector and other relevant stakeholders to work closely together. It is only through collaboration that we can succeed in our fight against external threats. By making supervised banks more resilient to cyber threats, we are setting the stage for a resilient banking future.

