Background to the stress test
It is a novelty, but one that was foreseeable in view of the increasing dangers: in 2024, the European Central Bank (ECB) will put the resilience of the institutions it supervises in Europe to the test for the first time. In view of the threat situation, the first cyber stress test has been scheduled. The official name: "Cyber Resilience Stress Test 2024". This is being carried out because the significance of cyber and ICT (information and communication technology) risks for operational risk management and the ability of banks to provide services for their customers is constantly growing.
The cyber stress test will assess the operational resilience of core banking systems to severe but plausible cyber security events. To this end, the stress test requires banks to identify the impact and consequences of such a scenario on their organisation and report on this to the supervisory authority. The banks also report on existing response and recovery measures that would be activated in the event of an emergency in order to survive a critical cyber security incident and restore the provision of services to customers and partners.
A key challenge that the stress test poses to the banks is the cross-functional cooperation required to manage the scenario; determining the economic impact presents a further difficulty.
Methodology, elements and procedure
The ECB will not announce the exact methodology of the test until 22 November 2023. However, the key points have already been finalised. The almost 110 banks affected will have to answer an extensive questionnaire on the potential impact of a hypothetical cyber attack scenario. The banks will have to substantiate their statements with corresponding evidence.
Peter Hertlein
Partner, Financial Services, IT Compliance & Cyber Security
KPMG AG Wirtschaftsprüfungsgesellschaft
With regard to the scenario, it is already known that it will be an incident affecting the core banking system and the associated databases. The core banking system is the system that supports the banks' core business lines and critical functions and is the primary source of financial information. If several systems come into question, the system with the highest business criticality is selected.
The test has a two-stage structure and distinguishes between a simplified and an extended approach: in the simplified approach, all institutions must complete the questionnaire within two months, provide corresponding evidence and submit a cyber incident report to the ECB.
Simplified approach
The questionnaire serves as the main channel of communication with the supervisory authority and comprises a total of 478 questions, which are divided into open and closed questions from six subject areas:
- General data
- Impact analysis
- Response
- Recovery
- Economic impact
- Evidence
Responses to the questionnaire must be supported by appropriate evidence. This consists of the institution's policies and procedures governing the relevant parts of the response and recovery processes.
The institutions are requested to submit the first report via the STAR portal within two hours of the discovery of the incident in accordance with the scenario presented, the interim report within ten working days of the first report and the final report within 20 working days of the interim report.
The extended approach concerns 20 selected credit institutions and stipulates that the banks actually carry out recovery tests tailored to the designed scenario. Detailed logs of the activities and results must be provided to prove that the tests have been carried out. The evidence provided is then analysed by the supervisory authority in an on-site validation.
Extended approach
The extended approach takes up the scenario and additionally includes an IT recovery test at the audited banks. In addition to the questionnaire, this test follows the banks' internal procedures and is monitored by Internal Audit or the 2nd line of defence (IT or cyber risk).
The evidence from the recovery test demonstrates sufficient coverage of critical systems and infrastructures and confirms that the banks have the necessary capabilities to rebuild in the event of an emergency.
The on-site validation includes the examination of the completed questionnaire and the IT recovery test by the supervisor.
The simplified approach to the stress test will begin on 2 January 2024, after which the banks will be given two months to complete the questionnaire and submit the necessary evidence. Following the completion of the simplified approach on 29 February, the extended approach and the on-site validation will begin. The end date is 30 April. The stress test concludes with a contribution to the SREP and a lessons-learned exercise on 30 June.
Fields of action and roadmap for preparation and implementation
Chart (in German only)
The key to successfully mastering the stress test lies in adequate preparation. The following areas of action should be taken into account:
- Set up a preparation project with the relevant 1st and 2nd line representatives as early as possible
- Identify central contact persons and technical experts in IT SCM, BCM, ISMS, IT, risk management, financial controlling and the other 1st, 2nd and 3rd lines of defence (LoD), and set up awareness-raising measures
- In the event of outsourcing, establish contact and coordination with internal and external (IT) service providers at an early stage
- Analyse the status quo of the required evidence with regard to end-to-end coverage of possible cyber scenarios
- Identify plausible and severe test scenarios for critical core banking systems
- Execute dry runs, e.g. tests of the cyber incident reporting procedure
How KPMG supports you
KPMG has extensive technical expertise in all relevant disciplines relating to cyber stress testing. Our wide-ranging project experience from previous stress tests has also provided us with valuable insights and findings that help us to better understand the challenges and requirements of our clients. With our process model for the cyber stress test, we use these insights in a targeted manner and develop customised solutions to prepare for the stress test:
- Analysis of the requirements based on the information provided by the ECB (methodology and questionnaire) and categorisation of the requirements into subject areas. Based on this, identification of the functions and areas involved (e.g. IT SCM, BCM, ISMS, risk management, financial controlling), their assignment to stakeholders and initial awareness-raising.
- Creation of a detailed description of the probable emergency scenario based on the bank's existing emergency scenarios. The approach for calculating the economic impact and the identification of the core banking system in scope are developed and harmonised.
- To ensure the best possible preparation, KPMG offers a review of your governance structures and subsequent workshops with the responsible stakeholders in order to identify deviations from the supervisory authority's expectations at an early stage. The gaps identified in this way are analysed and prioritised according to their criticality in a heat map. The action areas are presented to management in order to obtain approval for the prioritisation and to enable the gaps to be addressed in a targeted manner.
- Based on the identified and prioritised gaps, short-term measures are implemented and the stakeholders and departments are supported.
- To ensure that the stress test runs smoothly, KPMG supports the parties involved in advance by creating awareness in the departments involved and planning the test schedule in the form of a script.
In addition to preparing for the test, the support services offered by KPMG also include assistance with aspects relating to stress test implementation:
- We support the selection of suitable evidence with document analyses and advise on supervisory expectations in order to achieve an appropriate level of detail in the submitted results.
- In cooperation with your employees, we also organise workshops to bring together the necessary experts from the strategic and operational levels and to work through the contents of the questionnaire in a manner tailored to each target group.
- Depending on the supervisory scenario, we also contribute our experience and in-depth understanding of the systems and areas involved and support you in identifying measures.
- We provide benchmark information during the test. This enables a comparison with other participating banks, both nationally and internationally, and thus allows conclusions to be drawn regarding any anomalies.