December 2023

In January 2024 the ECB will conduct a Cyber Resilience Stress Test (CRST) of banks under its supervision. The CRST is an entirely new test, combining IT, business and risk management in a way that differs from previous EU stress tests. It reflects the environment of growing cyber threats, and supervisors’ increasing focus on operational resilience. It is a two-stage test, comprising:

  • For the 100+ significant banks under the ECB’s direct supervision, a questionnaire with 395 questions on cyber resilience, which needs to be backed up by evidence and reporting requirements
  • For a selected sample of 28 banks, an additional IT test of their ability to recover from a cyber-attack, including on-site validation

The CRST will be based on a hypothetical cyber-attack that compromises the data integrity of the institutions’ core banking systems. The precise scenario will be announced at the beginning of the stress test on 2 January 2024. This falls precisely at the end of the holiday season, making advance preparation crucial.

The timeline is extremely tight. The final methodology was published on 22 November, and banks could start asking questions in December. As a very first step, banks had to report their core banking system to the ECB by the end of November, which posed challenges for some participants due to unclear system interdependencies. The exercise begins on 2 January 2024, with submissions of the completed questionnaire and supporting evidence required by 29 February 2024. The results will be incorporated into banks’ 2024 SREP scores.

A closer look at the test - and its challenges

The CRST aims to simulate a severe but plausible cyber-attack, and to assess banks’ resilience in terms of the effectiveness of their response and their ability to recover. More specifically:

  • The highly detailed questionnaire will cover six key themes. One of the most notable is economic impact (see below); banks must demonstrate not only adequate response and recovery measures, but also the ability to assess the impact on financial and core activities.
  • Banks will need to provide extensive evidence to support their answers to the questionnaire, including policies, procedures, continuity plans, test results and communication strategies. Gathering that evidence will call for extensive cross-functional coordination.
  • The ECB’s requirements for reporting major cyber incidents must also be fulfilled, such as ensuring that the first notification to the supervisor is made within two hours of detection.
  • The selected sample of 28 banks will also need to conduct an IT recovery test, report their results in detail, and provide supervisors with on-site validation of the evidence they submit.

The CRST will require banks to draw on a combination of IT, risk management, compliance and finance capabilities. Some of the operational challenges are likely to include:

  • Identifying core banking systems. As a very first step, banks need to identify the core banking systems that would be subject to the cyber-attack.
  • The scenario. This is still undefined, but KPMG professionals expect it could involve threats to the integrity of the core banking system, including ransomware, payment system disruption or the failure of (IT) service providers.
  • Determining economic impact. Banks will not only need to estimate immediate operational losses, but also indirect costs arising from the loss of customers, new business and reputation. Quantifying the commercial impact of technology failures will require a combination of cyber resilience, economic modelling and risk management skills.
  • Complexity of involved parties. The CRST will require contributions from across the organisation. Those involved will range from board directors to technical specialists, covering all three lines of defence and multiple functions including IT, risk, finance and compliance. External service providers may also play a role in the case of (IT) outsourcing, especially for banks undergoing the IT recovery test.

Getting ready is critical

Given the CRST’s complexity and short timeframes, it’s no surprise that many EU banks are seeking external support as they prepare for, and conduct, the new stress test.

The good news is that, while the CRST is new, banks can learn valuable lessons from other ECB questionnaire-driven activities – such as the annual IT Risk questionnaire exercise. That experience can help banks to prepare for the CRST by identifying the right people, planning how they can work together, and sourcing the evidence that is likely to be required.

KPMG professionals’ conversations with banks typically recommend taking action in the following six areas:

  1. Get ready. Set up a project as early as possible in preparation for the CRST, with representatives from the relevant 1st and 2nd line disciplines.
  2. Cooperate. Work across functions to identify key contacts, access the required skills and evidence, and build awareness.
  3. Contact service providers. In the case of outsourcing, early engagement with internal and external providers of IT services will aid effective preparation.
  4. Plan scenarios. Identify plausible and severe test scenarios, and assess their potential impact on the data integrity of the main core banking systems.
  5. Gather evidence. Conduct a status-quo analysis of the evidence that might be required in response to a range of potential cyber incident scenarios.
  6. Test yourself. Carry out dry runs, such as tabletop tests or tests of cyber reporting procedures.

As onerous as the CRST is likely to be, it’s important for banks to understand that it’s not a one-off. Rather, it marks the start of a new supervisory approach to probing a range of external threats. Banks therefore not only need to prepare for the immediate challenges of the CRST, but to begin readying themselves for other unfamiliar types of tests in future.
