ECB to Stress Test Banks’ Ability to Recover from Cyberattack
JANUARY 03, 2024

The European Central Bank (ECB) will conduct a cyber resilience stress test on 109 directly supervised banks in 2024. The exercise will assess how banks respond to and recover from a cyberattack, rather than their ability to prevent it.

Under the stress test scenario, the cyberattack succeeds in disrupting the bank’s daily business operations. Banks will then test their response and recovery measures, including activating emergency procedures and contingency plans and restoring normal operations. Supervisors will subsequently assess the extent to which banks can cope under such a scenario.

As part of the exercise, 28 banks will undergo an enhanced assessment for which they will submit additional information on how they coped with the cyberattack. This sample covers different business models and geographies to provide a meaningful reflection of the euro area banking system and ensure there is efficient coordination with other supervisory activities.

This predominantly qualitative exercise will not have an impact on capital through the Pillar 2 guidance, which is a bank-specific capital recommendation on top of the binding requirements. Rather, the insights gained will be used for the wider supervisory assessment in 2024. Supervisors will discuss the findings and lessons learned with each bank as part of the 2024 Supervisory Review and Evaluation Process, which assesses a bank’s individual risk profile. The exercise’s main findings will be communicated in the summer of 2024.