ECB concludes its first cyber security test, says there is room for improvement

The European Central Bank (ECB) recently conducted its first thematic stress test on cyber resilience. The goal was to determine whether individual banks are ready to handle cyber attacks, and how would they respond to them. However, after concluding the tests, the ECB reported that there is room for improvement, which suggests that the security and the general readiness to combat cyber-attacks is not up to its standard.

The tests show that the banks can do better

During the tests, around 109 supervised banks were facing a hypothetical scenario where a cyberattack managed to disrupt their critical IT infrastructure.

The ECB said that out of all of them, 28 banks underwent an enhanced assessment, for which they will submit more info at a later date, which will show how they handled the hypothetical incident.

As part of the stress test, all preventive measures currently in place had failed, and the attack severely affected the databases of every participating bank’s core systems. In other words, the focus was on how the banks would respond to a similar incident, and whether they would be able to recover from it; not on how would they go around preventing such an attack.

ECB supervisor, Anneli Tuominen, wrote a blog post commenting on the results. According to the post, the banks do have high-level response and recovery frameworks in place. However, the ECB official said that there is room for improvement.

The banks have to make sure that their recovery capabilities can handle the worst-case scenario, and that they can meet their recovery objectives. Those being the protection of customer assets and data. This is necessary to maintain confidence in the banking system and safeguard financial stability.

The banks need to continue investing in their cyber resilience

The exercise has been anticipated for some time now, as it was announced early in 2024. The ECB came up with the idea to run the test amid growing tensions with Russia.

While many were concerned about the possibility of a cyber attack on the banking sector for the purpose of disrupting the EU nations and causing financial instability, the ECB wanted to run the test to see how big of a risk such a scenario really represents.

Now that the banking sector is increasingly reliant on digital technology to maintain operations, the people, businesses, and banks themselves need to know that their money is secure and that the banks can handle major cybersecurity attacks.

Tuominen pointed out the recent Crowdstrike outage, pointing out that the interconnected nature of today’s banking networks means that an incident in one institution can have cascading effects across multiple sectors. The ECB said that moving forward, the banks should continue investigating their cyber resilience, and that it might run similar exercises in the future.