The European Central Bank (ECB) has urged financial institutions to enhance their ability to react and recover from a significant cyber breach, following its inaugural cyber stress test. The ECB’s test showed a need for increased preparedness amongst banks for situations where their defences were breached causing considerable disruption to critical systems and databases.
Anneli Tuominen, part of the ECB’s supervisory board, which monitors major banks in the Eurozone, noted that while banks have robust response and recovery plans, there are areas for further improvement. She highlighted the critical nature of cyber resilience, using the recent global IT failure triggered by an update at CrowdStrike, a cybersecurity firm, as an example of how an incident at one firm can have ripple effects across various sectors.
The ECB’s stress test was centred on understanding banks’ reaction to a significant cyber attack rather than their capability to keep hackers at bay. It collected responses and documentary evidence from all 109 banks that participated to ascertain their response to a major cyber attack breaching their security.
A more comprehensive test was conducted on 28 selected banks representing a diverse section of the industry, which involved an IT recovery test and an onsite visit by the ECB’s supervisors. The findings of the test will be included in its annual supervisory review and evaluation process, a system that assesses each bank’s risks and sets capital requirements. The central bank stated it does not anticipate these results to directly influence the capital it deems necessary for banks to hold.
Western banks have experienced an uptick in cyber attacks in the previous two years, a trend that the regulator partially attributes to Russian hackers retaliating against sanctions imposed on their country and its banks due to the full-blown invasion of Ukraine. The deployment of artificial intelligence by cybercriminals has also heightened the frequency and complexity of these attacks.
The investigation scrutinised the internal crisis management methods and business continuity strategies of banks, in addition to their communication strategies with external affiliates such as consumers, law enforcement authorities, and service providers. In order to continue operations while IT systems were being recovered, banks were required to demonstrate their competence at employing alternative strategies, restore backed-up information, and cooperate with essential third-party service providers.
The ECB announced that each bank had received bespoke feedback and would be monitored accordingly. It was noted that some banks had already taken steps to rectify, or were planning to address, the identified weaknesses that were highlighted during this examination.
In light of a marked rise in the sophistication and frequency of cyber-attacks, tackling faults in banks’ operational resilience, including cyber threats, has been listed as one of the focus areas for the ECB’s supervisory activities over the forthcoming two years.
In an alert issued in October, Lloyd’s of London cautioned that a sizable cyber onslaught targeting a universal payment system could result in a loss of $3.5tn to the global economy.
Earlier this present year, a major cyber-attack affected Santander, Spain’s biggest bank. This cyber incursion targeted a database managed by a third-party provider, which contained information pertaining to clients in Spain, Chile, and Uruguay. Shortly after, data relating to million of customers and staff – including account specifics and credit card numbers – were listed for sale on a hacking platform.
According to Sophos, a cyber security organisation, there was a 64 per cent increase in ransomware attacks on the finance sector last year, which was nearly twice the rate observed in 2021.
In a related development, the New York branch of ICBC, China’s biggest bank, was a victim of a ransomware assault last November. This cyber-attack resulted in disruption of the $25tn US Treasury bond market. – Copyright The Financial Times Limited 2024.