Ms Tuominen, ECB Banking Supervision is launching its cyber stress test in January. How harsh will it be for the banks?
The test will simulate a severe cyberattack that disrupts business operations. So it gets straight to the crux of the issue from the banks’ point of view. We want to know how banks respond to and recover from a cyberattack and how they resume normal business. Our main objective is to identify the banks’ weak spots.
This is the first time the ECB has run a cyber stress test.
Yes, it’s a learning exercise for the banks and for us. Stress tests of this kind are still a rarity, but I think that will change in future. The Danish Financial Supervisory Authority has already carried out a cyber stress test, as has the Prudential Regulation Authority in the United Kingdom.
How does it all work?
Almost all banks under our direct supervision, 109 at present, will participate. Out of that group, 28 banks will take part in an enhanced test for which they will have to submit more detailed information.
Which banks will have to undergo the more extensive test? The largest and most complex ones?
We are aiming to cover a significant share of the euro area financial sector, ensuring an even geographical spread, while also covering different business models and sizes.
The exercise takes place at a time when wars are raging in Europe and the Middle East and geopolitical tensions in general are increasing. Was the war in Ukraine considered in the design of the test?
Cybersecurity has been on our agenda for several years now. We established a cyber incident reporting framework in 2017, and IT security and cyber risks are part of our supervisory priorities. This stress test is very timely in my view. There are risks emanating from attacks by state-affiliated groups. The Council on Foreign Relations estimates that since 2005, four authoritarian states have sponsored 77% of all suspected state-sponsored cyberattacks. That is rather alarming; we all need to realise that the threat has grown.
What will the ECB do with the results?
We want this to be a qualitative exercise. It’s important for the banks to understand their own risk profile. We plan to give them feedback based on the test results, for example on the need to implement industry standards for cyber hygiene across the organisation.
Will the results be taken into account in the Supervisory Review and Evaluation Process (SREP)?
They will of course feed into the SREP, but this exercise is not geared to increasing capital ratios as that would not be an effective way of preventing cyber risks. The results could only indirectly affect Pillar 2 requirements in severe cases where we find significant deficiencies in a bank’s risk management or corporate governance.
Will the test lead to tighter supervisory requirements for banks’ cyber defences?
The geopolitical risks are more serious than ever. I think insights into banks’ vulnerabilities will raise supervisory thresholds. Another issue is the banks’ dependency on third-party providers. Banks try to save costs by outsourcing some of their IT processes but that is not always compatible with sound risk management. Banks should also understand the risks attached to outsourcing.
To what extent will outsourcing to third parties, such as IT or cloud providers, be incorporated in the stress test?
I am not able to elaborate on the stress test scenario, but we certainly need to look more closely at the topic of third-party providers. I remember a cyberattack against a financial trading services group at the start of this year which also disrupted business operations at some banks. They were able to resume work, but the incident shows what dependencies exist. We need to take that seriously.
How do you assess the cyber threat in general?
The number of cyberattacks is higher than it was before the pandemic. Distributed denial of service attacks, in which perpetrators interrupt banking services by flooding and clogging bank servers with fake requests, have increased the most. We also see more attacks on third-party providers and more ransomware attacks, where a target is denied access to the data on their own devices unless a ransom is paid. But euro area banks have proven to be resilient so far. The attacks were not so severe as to destabilise individual banks or the banking system. Nonetheless, we have to be prepared: a successful attack could occur at any time....