Published March 6, 2024
Benjamin Heinrich, Frankfurt, benjamin.heinrich@spglobal.com
Claudio Hantzsche, Frankfurt, claudio.hantzsche@spglobal.com
The European Central Bank's 2024 cyber stress test will assess how 109 of the banks it supervises respond to and recover from a cyberattack.
Despite limited disclosure around the test's underlying methodology, we view it as a positive step toward developing supervision of this key risk for European banks.
Like previous U.K. and Israeli cyber stress tests, there will be no "pass or fail" for individual banks, though we expect supervisors will use findings in their daily supervision. Banks that emerge as negative outliers could face elevated investment needs to address identified shortcomings, though we don't expect any immediate ratings impact.
The need for European banks to strengthen their resilience to cyber risk is non-negotiable. The risk of geopolitically driven cyberattacks remains elevated and new avenues of attack are emerging as banks make further progress toward digital banking. Banks have a strong self-interest to shield against cyber risk as the likelihood of them falling victim to an attack remains high and potential business implications can be severe. Meanwhile, regulators need to keep pace with technological progress and the increasing sophistication of cyberattacks.
S&P Global Ratings sees the ECB’s 2024 cyber stress test of significant eurozone banks as an important step toward developing banking supervision on cyber risk. One of the key outcomes will be to identify negative outliers among supervised banks while also assessing the extent of systemwide vulnerabilities. The exercise aims to examine the banks’ ability to recover from an acute and severely disruptive cyberattack, assuming all prevention measures have failed.
The test will not have a “pass or fail” outcome, but it will help to define industry best practices. In the medium term, we believe this will strengthen the banking sector’s resilience. Banks with particularly weak stress test results could be forced to initiate immediate and potentially costly remediation plans. That said, this predominantly qualitative exercise will not directly affect banks’ capital through the Pillar 2 guidance of the Basel Framework. Instead, regulators will include their findings in their regular supervisory review and evaluation process (SREP) of individual banks.
What we know
Runs from January to April 2024 with aggregated results expected in the summer.
Covers 109 ECB-supervised banks of which 28 face an in-depth assessment. Selection is not risk-based, but covers a variety of regions and business models.
Mainly questionnaire-based, but banks also need to provide evidence to support their answers.
Test focuses on recovery from a successful attack. Scenario concerns the integrity of data and assumes a severe disruption of daily core banking operations, operated in-house or by a third party.
No “pass/fail” assessment and no imminent impact on capital guidance. Individual results to be discussed in SREP.
We understand that banks will need to model the financial impact of the attack and recovery efforts, based on real data supplemented by expert judgements.
We understand that banks will need to simulate the reporting of a severe cyber incident to the ECB, and demonstrate the functioning of reporting lines, committees, and management involvement.

What we expect
Findings will be key to defining future supervisory priorities and identifying the level of industry risk and best practice.
Individual banks with severe vulnerabilities could become subject to follow-up inspections and remediation plans, which could require costly investments. No imminent rating impact expected.
Ratings could still come under pressure if: (i) poor cyber preparedness flags material and structural weaknesses in risk management not reflected in the current ratings, or (ii) the need for larger scale improvements means that banks fall behind their competitors.
Disclosure will likely remain limited to an anonymized summary of thematic findings and recommendations on an aggregated basis, in line with similar exercises conducted by authorities in Israel and the U.K.
Beyond the stress test, we assume that banks will increasingly report significant cyber events to supervisory authorities. However, we do not anticipate a change in disclosure requirements of severe cyber incidents to the public. This is in line with most jurisdictions, which limit public disclosure to avoid providing attackers with information on vulnerabilities. However, this contrasts with the U.S., where public companies, including banks, have been requested to report material cybersecurity incidents within four business days of materiality determination.

Source: S&P Global Ratings.
We see this stress test as the next logical step toward strengthening the resilience of eurozone banks.
Strengthening banks’ cyber resilience remains a key issue for bank supervisors globally. The European Single Supervisory Mechanism (SSM) continues to define cyber and operational resilience as one of its key priorities for 2024-2026. The ECB’s choice of cyber risk as the topic for its 2024 thematic stress test therefore comes as no surprise.
An ECB report revealed shortcomings in eurozone banks’ cyber resilience, flagged via on-site visits and other analysis. Of note, the ECB reports little progress in banks addressing existing gaps that point to structural deficiencies. This aligns with routine warnings from banking authorities about managing cyber risks and requests for tighter defenses. The ECB highlights in particular shortcomings relating to IT outsourcing services and partners, including large cloud service providers (see also published July 21, 2023) (see chart 1). Other weak spots were the effective detection of cyber vulnerabilities, as well as banks’ timely reaction to cybersecurity incidents.
Cyber risk is not a blind spot for European banking supervisors, though. They already consider it as part of their annual SREP exercise that helps determine specific banks’ capital add-ons under Pillar 2 of the Basel Framework. It also provides a set of qualitative measures that address banks’ shortcomings when looking at various risks. The latest SREP summary report highlights that operational risk (including cyber risk management) had the lowest average score compared with other risk categories. We believe that weaknesses in cyber resilience are more likely to lead to heightened scrutiny and several qualitative requirements for banks because of SREP, instead of capital add-ons, though transparency here remains low.
We don’t see an additional capital buffer as an effective tool to address banks’ shortcomings in cyber risk management. While it would boost a bank’s capacity to absorb unexpected losses--such as in the case of a cyberattack--it would not mitigate the main risks. These include the potential and swift erosion of trust from customers and/or financial counterparties, which could result in a bank run with a significant impact on business stability and liquidity. In this event, we don’t think higher capital buffers would be sufficient to reinstate trust and stabilize the bank.
The EU's Digital Operational Resilience Act (DORA), which will come into force in 2025, will help address these shortcomings through enhanced ICT (information and communication technology) risk management of both banks’ own risks and those of third-party providers. It will also provide deeper testing of operational resilience more generally, moving away from pure capital charges, and will require stronger communication with authorities and stakeholders. This comes on top of PSD3, an updated Payment Services Directive, expected to be released later this year, which also looks to improve the protection of consumers, who are often the weakest link in cyber security defenses.
We think that effective collaboration between regulators, as well as private and public bodies including national cyber defense authorities and central banks, can make a difference. Alliances help participants to align on best practices, identify attack patterns early, and develop a consistent framework and comprehensive set of stress tests that could also include ethical hacking. If authorities can intervene using analytical and policy tools, they may be able to contain a cyber incident before it turns into a systemic event. And if not, they may be able to mitigate the consequences.
Collaboration in the EU already occurs in various forums. For example, the Euro Cyber Resilience Board (ECRB) brings together critical service providers, central bank overseers, and other key European authorities for strategic discussions on cyber risks. These groups also share trends in cyber threats and lessons learnt via Cyber Information and Intelligence Sharing Initiative (CIISI-EU). Over the coming years, we expect that coordination and collaboration among market participants, and even across jurisdictions, will intensify as they respond to major and global cyber incidents.
We see the ECB’s cyber stress test as the next logical step toward strengthening the resilience of eurozone banks. Despite its exploratory nature and design as a primarily desktop exercise, the findings will allow regulators and management to understand a bank’s relative positioning and address key vulnerabilities. We believe this will contribute to a more operationally resilient banking system in the long term.
The test scenario assumes failure of all preventive cyber measures, and a severe disruption to banks’ daily operations. Though a tough test, these assumptions align with cyber stress tests performed by other regulators and reflect the perception that companies cannot avoid cyberattacks and that the severity of implications will depend on how quickly an attack can be contained. The test addresses banks’ ability to assess the criticality and impact of the outage, as well as the appropriateness of response and recovery measures. This is largely assessed via questionnaires, although answers must also be verified by evidence. The ECB wants to gain insight into the cyber preparedness of banks across a wide range of regions and business models; therefore a sample of 28 undisclosed banks will be subject to an enhanced assessment. This will include on-site visits to provide the ECB with detailed insight into those banks’ recovery processes.
We anticipate that results of the stress test will significantly shape the future regulatory agenda for cyber resilience. The test will also help to identify best practices and uncover the extent of banks’ vulnerability to industry risk and structural weaknesses. In addition, we believe it will provide deeper insight into banks’ management of operational risk beyond cyber risk. The largest costs for banks typically arise from failures relating to internal processes and systems.
We expect the ECB will quickly derive a catalog of measures from its main findings. This is consistent with the outcome of similar exercises in Israel and the U.K. Systemwide cyber stress tests might also become a more standard tool in banking supervision, though this also depends on the ECB’s priorities and the scale of weaknesses identified.
Status/year
Israel: Completed/2019
U.K.: Completed/2022

Authority
Israel: Bank of Israel, Banking Supervision Department
U.K.: Prudential Regulation Authority (PRA), Bank of England (BoE)

Covered institutions
Israel: The entire banking sector
U.K.: Considered voluntary but most larger banks participated.

Scenario
Israel: Successful attack of a corporation that belongs to the bank’s supply chain. This caused random corruption of current-account balance data (credit and debit) and deposit balances of retail customers for five months in all backup systems of the bank’s databases.
U.K.: Various scenarios set out and proposed to regulator by third-party consultants (including issuer specific). This included a data integrity scenario in a retail payment system. Here, prevention failed, aided by a malicious insider redirecting payments, detected and confirmed outside business hours.

Approach
Israel: Mapping exercise
U.K.: Desktop exercise

Disclosure
Brief summary of thematic findings and recommendations

Result
Israel: Exploratory, no pass-fail assessment. Identification of potential vulnerability and adequacy of risk management process. Integrated into the Supervisory Review and Evaluation Process (SREP).
U.K.: Exploratory, no pass-fail assessment. Banks to incorporate the test’s key findings based on a remediation plan that requires sign-off and continuous oversight by regulator.
Banks have a strong self-interest in shielding against cyber risks as the likelihood of falling victim to an attack remains high (see chart 2). Cyber resilience is already a key management priority at almost all banks we rate, although we see varying levels of management involvement, financial resources, and technical infrastructure. We see the complexity created by the combination of old and new technologies as an important risk factor (see March 23, 2023). We believe that the stress test findings will enhance management awareness and could lead to a reprioritization of investments.
Our current ratings already assume that banks continuously invest in managing cyber risks and take appropriate measures to protect their businesses. We therefore don’t expect the stress test results to spur positive rating actions on the banks evaluated. At the same time, we don’t anticipate publication of the results to impair banks’ creditworthiness. Individual results will remain anonymous, and insights gained will be used as part of the regular supervisory assessment. However, although not our base case, this could imply additional capital add-ons for individual banks, though these are unlikely to be material enough to change ratings. This also reflects the solid capital buffers that are significantly above regulatory minima at most eurozone banks.
We expect banks will have to commit to a clear remediation plan to address identified gaps, particularly if they are considered severe. Depending on the scale, adjustments are likely to require significant time and resources. They could also be both costly and complex, particularly if--in addition to changes in governance and reporting--changes in IT or management of outsourcing partners became necessary. If these factors materially or structurally affected banks’ performance, the ratings on those banks might come under pressure.
Understanding how rated banks performed in the cyber stress test will be part of our discussion with banks, as well as the scale and focus of remediation plans, if any. In our assessment of a bank's cyber risk preparedness, we incorporate feedback from regulators and internal and industry benchmarking exercises, including the stress test. Evidence of poor cyber resilience would also inform our view of a bank’s risk management practices and might hinder creditworthiness if material and not already reflected in the ratings. This might include severe weaknesses in the cyber risk framework, failure to clearly delegate management responsibility, lack of a proper emergency and recovery plan in the event of a cyber breach, or failure to allocate sufficient resources to cyber issues.
Weaknesses in cyber resilience have so far had limited impact on our bank ratings, but pose an ever-present threat for rated banks. The likelihood of a cyber event may even be on the rise. Given the elevated geopolitical risks, we believe an increasing number of ever more sophisticated cyberattacks could arise. The impact of a successful cyberattack on a rating will depend on how it affects a bank's credit metrics, and evidence that the target's financial position can (or cannot) absorb the direct loss and resultant damage to its business (see "Cyber Risk In A New Era: The Effect On Bank Ratings," May 24, 2021).
We believe negative outliers could face elevated investment needs to address identified shortcomings.
This report does not constitute a rating action.