A person looks at a graph to assess the cyber resilience under the ECB's new stress test

ECB announces stress test on cyber resilience

The European Central Bank has expressed concern about outsourcing risks, and launched a thematic stress test on cyber resilience.

13 March 2023 5 mins read
By Jennie Clarke

On March 8, 2023, a member of the European Central Bank’s (ECB) Executive Board, Fabio Panetta, highlighted cybersecurity as “the backbone of digital finance”. In a speech delivered to the Euro Cyber Resilience Board for pan-European Financial Infrastructures, Panetta noted that cyber threats are on the rise with “an increase in remote working and digital interconnectedness” playing significant roles. Despite the increased risk, he says, financial infrastructures have proven their resilience, however “this does not mean we can become complacent”.

The following day, the Chair of the Supervisory Board of the ECB, Andrea Enria, announced that the ECB is to conduct a “thematic stress test on cyber resilience” with a view to see how banks are able to respond and recover from cyberattacks. This stress test will be the first of its kind.

Speaking to a Lithuanian journalist, Enria explored the country’s economic position and considered the broader trajectory for financial services since the start of Russia’s war against Ukraine. Since the start of the war, he notes, the ECB has seen a marked increase in cyberattacks, meaning that cybersecurity and cyber resilience have once again been thrust into the limelight.

When asked whether Lithuania’s proximity to Russia leaves it at greater risk of vulnerability, Enria noted that proximity is not an issue, but that the ECB is seeing “other types of potential risk”, including cyber.

Increased outsourcing sees heightened vulnerability

The risks posed by cyberattacks have become more prominent given the industry-wide increase in the outsourcing of services to third parties. Outsourcing, while procedurally effective, can increase firms’ vulnerabilities if not operated with adequate caution and due diligence. This is a running theme that has been recently captured by a number of resilience-focused regulatory developments. As Enria notes;

“Many banks are outsourcing critical functions, either to other companies in their group or to external providers, third-party providers of services, which are often located in other jurisdictions”.

This outsourcing can enhance risk on a number of levels. Firstly, where firms have not conducted adequate due diligence, cyber risks may have been overlooked when onboarding a third party. Secondly, where sanctions or other disruptive events occur, firms can be “cut out of a relationship with a counterpart very quickly”, as proved by swiftly implemented sanctions imposed against Russia, which left some firms reeling.

Much of the vulnerability seen by the ECB is a direct result of digital transformation and, in particular, firms moving fast to implement technology without adequate consideration. Enria said:

“When banks invest in digital and develop their digital transformation agenda, they do so with strong commercial focus, and maybe don’t pay enough attention to the risks that are associated with these commercial objectives”.

A particular area of weaknesses exists where firms are unable to ensure the “continuity of services to customers, a well-integrated IT infrastructure, and the ability to provide the board with high-quality information so that it can manage and monitor the risk and strategically steer the bank”.

Strong controls are “crucial” for cyber resilience

In conducting its stress test, the ECB wants to measure the preparedness of firms for cyberattack, and the wider implications that such attacks could have on their outsourced relationships. It will also be looking to see how well firms are able to recover from any attack.

Enria noted that the ECB’s focus is “very much on internal controls and governance” adding that banks that have a “stronger internal control framework and proper governance with good checks and balances” are overall better equipped to comply. Controls are “crucial”:

“When you have good internal controls, you are able to identify the problem, take remediation action early, and then minimize the final impact”.

The ECB has said it will be devoting “significant” time and resource to the test activity, with a view to present results by mid-2024.

How can firms ensure cyber resilience?

Cyber resilience and cybersecurity are not a tick box exercise, or something that can be finalized. Managing cyber risk is an ongoing process of development, both in keeping up with new technological risk but also in checking and testing that existing controls are working. As Enria highlighted in his conversation:

“Digital transformation is not something for the market share next year. It’s a challenge for the longer term, and banks need to invest properly, not only in terms of reaching out to customers, but also in terms of building up resilient infrastructures to ensure continuity in the provision of services and resilience to IT and cyber risk.”

In order to ensure cyber resilience, firms must take a holistic approach that touches every corner of business, and the outsourced services that extend beyond. With regard to outsourcing specifically, the services of third parties are now essential to the mechanics of functioning financial services. However, when employing a third party – especially for a critical function – firms should ensure watertight due diligence is conducted to ensure any new vendor holds unwavering commitments to cyber, security, and operational resilience.

Moreover, firms should look to minimize their net of third-party reliance, and instead find trusted firms who are able to conduct myriad processes. In the event of cyber attack or disruption, this will mitigate harm and minimize time to resolution.

Global Relay has long been the trusted provider of compliant communication solutions. We have an unwavering commitment to cybersecurity, with the credentials and reputation to show it.