ECB’s cyber resilience stress tests are on the horizon for 2024

Amidst a series of regulatory conversations spotlighting security, stability, and resilience, the ECB has announced a stress test aimed at assessing how financial firms respond when faced with a simulated cyberattack.

12 January 2024
by Kathryn Fallah

In brief:

  • The ECB has stated that it will conduct cyber resilience stress tests on 109 firms, which will evaluate their cyber defenses and emergency response processes
  • The cyber resilience stress tests will simulate a realistic cyberattack that disrupts a firm’s daily operations
  • Cybersecurity and resilience are increasingly becoming hot topics for regulators across the board

ECB’s cyber resilience stress tests: cybersecurity at the financial forefront

Cybersecurity seems to have remained at the top of regulatory agendas as we move into the new year. On January 3, the European Central Bank (ECB) announced that it will be conducting cyber resilience stress tests on 109 firms in 2024.

The ECB’s Supervisory Board Chair, Andrea Enria, first announced these stress tests in March 2023, stating that they are meant to “test how banks are able to respond to and recover from a successful cyberattack.” The latest announcement confirms the details of those tests.

This stress test will simulate a cyberattack that disrupts business operations, with a view to assessing how firms act, how they use their defense and recovery tactics to avoid being compromised, and how they restore normal operations. In addition, the ECB hopes to gauge firms’ approaches to, and ability to cope with, such occurrences.

After the round of stress tests, 28 selected firms will be expected to respond with feedback on how they handled the cyberattack. This information will be used to inform governing approaches and supervisory assessments in the coming year. Upon reviewing assessment results, the ECB will consult with each firm to deliver findings and advice as part of the 2024 Supervisory Review and Evaluation Process, which measures firms’ risk profiles.

Ready the defenses: resilience on the front line

The announcement of the ECB’s cyber resilience tests follows a string of regulatory discussions around cybersecurity and its continued criticality. Over the past month, financial regulators have repeatedly made the point that, across many contexts, security is a constant risk.

In guidance updated in December 2023, the Bank of England (BOE) laid out best practices for maintaining cyber resilience in the financial sector, requesting that firms: “identify important business services, set impact tolerances, and ensure they can remain within impact tolerances.”

Similarly, in the U.S., the Commodity Futures Trading Commission (CFTC) held a meeting with its Technology Advisory Committee and additional technology experts to discuss cyber defenses and security. CFTC Commissioner Kristin Johnson stressed the pivotal role that cybersecurity plays in maintaining healthy markets:

“Governments and business rank cyberthreats among the most critical operational risks, and cybersecurity and cyber resilience as key to preventing or mitigating disruption of critical government and financial services.”

Johnson went on to express her support for the recently proposed Operational Resilience Framework rule, which requires a range of financial entities to implement and oversee an Operational Resilience Framework designed to “identify, monitor, manage, and assess risks relating to information and technology security, third-party relationships, and emergencies or other significant disruptions to normal business operations.”

Another focal point of the conference was the call for more definite guardrails around artificial intelligence (AI), so as to protect against market manipulation and reinforce security, potentially hinting at impending regulatory requirements. Finding a middle ground between the benefits and threats of AI is timely as the technology continues to advance quickly.

U.K. regulators including the BOE, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) also issued a joint proposal concerning resilience and frameworks to oversee critical third parties. The regulators shared their thoughts on this matter in a related discussion piece:

“UK financial services firms are increasingly relying on third-party services to support their operations. But while these bring multiple benefits, this increasing reliance also poses systemic risks to the supervisory authorities’ objectives, including UK financial stability, market integrity and consumer protection. No one firm can manage these potential systemic risks.”

The balance between harnessing the advantages of third parties, such as monitoring tools and archiving systems, and combating potential security incidents is built on a groundwork of trust and communication.

While there is no absolute remedy for cybercrime, whether it targets firms directly or their external partners, risk can be reduced when firms ask crucial questions about access, security measures, and transparency.

What do the ECB’s cyber resilience stress tests mean for me?

The concept of cybersecurity and cyber resilience is one all too familiar to our lives – whether it’s through an inevitable password update, preoccupying security questions, or detailed privacy settings options, we’re expected to be vigilant in maintaining cyber hygiene to protect ourselves.

By the same token, cyber resilience is a measure that can make or break financial institutions. Firms are trusted to protect consumer privacy diligently, especially when considering the sensitivity of personal information firms deal with on a daily basis. In the event of attack, firms are expected to have robust plans in place to mitigate damage.

While this notion is one firms are well-versed in, it’s certainly not an easy task. Bad actors and cyber criminals are constantly at work to break down cyber defenses, particularly those of financial entities. It’s therefore critical for firms to continually strengthen protections and to shift to a mindset that plans how to respond and carry out emergency procedures in the case of an actual security incident.

The ECB’s cyber resilience stress tests echo messaging from global regulators regarding the importance of cyber considerations in an increasingly digital age. In December 2023, the FCA, BOE, and PRA collaborated with the National Cyber Security Centre (NCSC) on the annual CBEST thematic study, which assesses firms’ cyber resilience through simulated testing and highlights some goals firms can work on to maintain resilience.

The NCSC emphasized a handful of areas firms can concentrate on to promote good security and resilience practices, including identity and access management, staff awareness and training, secure configuration, network security, incident response, and data security.

Indeed, the conversation around resilience continues as the financial industry, among others, considers how best to tackle unavoidable challenges. Since security affects finance in a multitude of ways, reinforcing and evaluating cyber resilience processes should be a priority for firms now and moving forward. After all – safety always comes first.

At Global Relay, security, privacy, and confidentiality are fundamental drivers behind our services.