ECB Calls on Banks to Improve Cyber Resilience: Room for Improvement Found

  • Significant potential for improvement identified.
  • ECB calls on banks to improve cyber resilience.

Eulerpool News

The European Central Bank calls on banks to intensify their preparation for and recovery from major cyber-attacks. In its first test to assess the financial sector's vulnerability to the growing threat of hackers, the ECB found significant opportunities for improvement in the ability of banks to respond to such scenarios. The ECB's stress test revealed that although advanced response and recovery frameworks are already in place, there is still room for improvement. This was emphasized by Anneli Tuominen, a member of the ECB's Supervisory Board, which oversees the leading financial institutions in the Eurozone.

In the past two years, Western banks in particular have experienced an increase in cyber-attacks. This is partly due to Russian hackers acting in response to sanctions imposed during the Ukraine war. The use of artificial intelligence has also increased the number and complexity of attacks. Tuominen highlighted the importance of cyber resilience and referred to a global IT outage at CrowdStrike, which showed how incidents in one institution can impact multiple sectors.

The ECB stressed that its test examined banks' response to a successful hacker attack rather than their ability to prevent one. 109 banks participated in the test, in which their ability to respond to severe cyber-attacks was assessed through questionnaires and documentation requirements. Further tests, including IT recovery tests and on-site visits by ECB supervisory officials, were conducted on 28 banks, representing a cross-section of the sector. The test results are expected to feed into the ECB's annual supervisory review and evaluation process, which assesses risks and determines capital requirements for each bank. However, a direct impact on the required capital amount is not anticipated.

In addition to crisis management and business continuity planning within the banks, their ability to communicate with external parties such as customers, law enforcement agencies, and service providers was also examined. They had to demonstrate the capability to implement contingency measures, restore critical data, and collaborate with key third-party providers. The ECB noted that supervisors provided individual feedback to each institution and will continue to monitor them accordingly. Some banks have already initiated measures to address the deficiencies identified in the test.

The detection and remediation of vulnerabilities in the operational resilience of banks, especially concerning cyber risks, remains a top priority for the ECB's bank supervision over the next two years, following a marked increase in the number and sophistication of hacker attacks. In October, Lloyd's of London warned that a significant cyber-attack on a global payment system could cost the global economy $3.5 trillion. Earlier in the year, Spain's largest bank, Santander, was hit by a cyber-attack affecting customer data in Spain, Chile, and Uruguay. A few weeks later, data from millions of customers and employees, including account details and credit card numbers, was offered for sale on a hacker forum. According to the cybersecurity firm Sophos, the number of ransomware attacks in the financial sector rose by 64 percent last year compared to the previous year. In November, the New York branch of China's largest bank, ICBC, was targeted by a ransomware attack that disrupted the $25 trillion US Treasury bond market.