European Central Bank to ‘stress test’ cyberattack response and recovery

According to a recent ECB announcement, the regulator will test 109 banks that it directly regulates throughout the year, based across different businesses and geographies to provide a meaningful reflection of the sector. The tests will analyse the way in which banks respond to and recover following a cyberattack scenario, rather than their ability to prevent attacks.

The test scenarios will disrupt the banks’ day-to-day operations before the ECB analyses the measures that the banks take to recover from the situation. These include activating emergency procedures and contingency plans in a bid to restore normal operations. Supervisors will then discuss findings with each bank as part of their regular supervisory processes throughout the year to lay out any required improvements.

Of the 109 included banks, 28 banks will undergo an enhanced assessment requiring the submission of additional information, detailing how they have coped with the cyberattack. Supervisors will then assess the extent to which the bank would be able to cope with such a cyber threat.

The ECB will use the insights gained from this process as part of its wider supervisory assessment throughout the year. This will include discussions on the findings and lessons learned by parties included to help improve banks’ response and recovery procedures in the future. The ECB will also assess each bank’s individual risk profile as part of the annual supervisory review and evaluation process and expects to communicate its main findings this summer.

The ECB conducts supervisory stress tests on an annual basis, participating in an EU-wide stress test coordinated by the European Banking Authority every two years to help improve cybersecurity measures.

Following the announcement, Luxembourg-based technology law expert Aurélie Caillard of Pinsent Masons said: “As cybersecurity expert Bruce Schneier said, cybersecurity is a ‘process, not a product’. Banks need to constantly refine their cybersecurity procedures, train employees and test their cyber resilience robustly, as if dealing with a ‘live’ incident”.

One tool businesses can use to analyse their cybersecurity is the open source Malware Information Sharing Platform (MISP). This threat sharing intelligence platform offers utilities and documentation for more effective threat intelligence. Caillard added: “The use of cyber threat intelligence tools, such as MISP, can help raise awareness of emerging cyber risks. MISP is referenced as a useful resource that financial services firms can consult. They can request free access from the Computer Incident Response Center Luxembourg.”