Finance & Banking , Industry Specific , Security Operations

European Central Bank Concludes Banking Cyber Stress Test

'Room for Improvement," Says ECB Supervisory Board Member
European Central Bank Concludes Banking Cyber Stress Test
The Euro-Skulptur in Frankfurt am Main, Germany, in January 2019 (Image: Shutterstock)

The European banking sector is prepared at a high level for withering cyberattacks but there is "room for improvement" in its recovery capabilities, the European Central Bank said at the conclusion of a first-ever cyber stress test for banking.

See Also: 2024 State Of Identity Security in Financial Services

The European banking supervisor in January launched the test to determine the financial sector's ability to withstand cyber disruptions. The agency required 109 banks that operate across different business and geographical areas in Europe to participate (see: European Central Bank to Put Banks Through Cyber Stress Test).

"The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement," Anneli Tuominen, an ECB supervisory board member, said on Friday.

Weaknesses identified by the central bank include recovery capabilities in worst-case scenarios. Banks must ensure "they can meet their recovery objectives to protect customer assets and customer data, maintain confidence in the banking system and, ultimately, safeguard financial stability," Tuominen said. The test didn't probe banks' ability to prevent cyberattacks. Twenty-eight of the banks underwent additional testing.

Consulting firm KPMG's analysis of a subset of participants shows that many banks couldn't meet their recovery time deadlines. Banks typically test processes and systems regularly, but most institutions don't simultaneously test technical and banking processes, KPMG said. It flagged a lack of centralized inventories of business processes and associated IT assets.

Banks have a "strong dependence" on service providers, KPMG said - an issue that has risen to the forefront of cyber resilience concerns in recent days following a global IT outage sparked by a bad updated pushed to Windows computers by cybersecurity vendor CrowdStrike on July 19. Switzerland-based UBS and Deutsche Bank were among the European financial institutions affected by the incident (see: CrowdStrike Outage Losses Will Hit Healthcare, Banking Hard).

The European regulator announced plans for cyber stress testing in March 2023 amid concerns that Russia's war of conquest against Ukraine could result in cyberattacks against European critical infrastructure. The European Investment Bank months later experienced a distributed denial-of-service attack that rendered two websites inaccessible. The EIB, headquartered in Luxembourg City, is the development bank for the European Union. The incident occurred shortly after Russian-speaking hackers expressed their intention to target Western financial institutions (see: Breach Roundup: EIB Confirms Outage Caused by Cyberattack).

The ECB will incorporate information obtained from the test in its annual 2024 supervisory review and evaluation process. "We would like to conduct similar exercises on cyber risk in the future, building on the insights gained from the cyber resilience stress test," Tuominen said.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.