The European Central Bank (ECB) has kicked off 2024 energetically by announcing plans to put 109 directly supervised banks through their paces on cyber resilience. The sample the ECB has selected from the pool of supervised entities is intended to be representative of the business models and geographical diversity of the euro area banking system, so that the results give an accurate and actionable picture of the readiness of the system as a whole. The main findings of the exercise are due to be communicated this summer, and they will make for interesting and important reading.
The ECB wants to evaluate how banks respond to and recover from a cyberattack, rather than how well they prevent one: the scenario assumes the attack has already succeeded in disrupting the bank's daily operations, so prevention is deliberately out of scope this time around. Of the 109 banks in scope, 28 will be subject to an enhanced evaluation and will have to submit additional information on how they would handle the operational disruption the scenario describes.
Since 2019, warnings from bodies such as the European Systemic Risk Board (ESRB), the International Monetary Fund (IMF) and the World Economic Forum (WEF) about the likelihood and impact of a major cyber incident have become increasingly stark and insistent. The insurance market Lloyd's of London has gone as far as modelling a scenario in which a hypothetical but plausible cyberattack on a major financial services payment system causes widespread disruption to businesses worldwide, with global economic losses estimated at $3.5 trillion.
International consensus on any topic in financial services is unusual, but there is broad agreement that, where cyber-induced disruption is concerned, it is a question of 'when' rather than 'if'.
For this round of cyber resilience testing, the ECB has clarified that the exercise is primarily qualitative and will not affect banks' capital through Pillar 2 guidance (the bank-specific capital recommendation that sits on top of the binding requirements).
That said, this looks more like a 'not yet' than a 'never' on the capital question, particularly given the precedent set by the Monetary Authority of Singapore (MAS), which has taken a strong line in imposing additional capital requirements on the banks it supervises in response to operational outages.
2024 is shaping up to be a banner year for resilience in financial services in the European Union (EU), with preparations underway across the sector ahead of the Digital Operational Resilience Act (DORA), which applies from 17 January 2025, although anecdotally there is a wide disparity in the maturity of firms' programmes.
Against this backdrop, it would be understandable if the EU's banks and their teams were looking ahead to the coming year with some trepidation.
But at the heart of resilience is a commitment to keep advancing despite adversity and an openness to learning from the experience.
That is the mindset we encourage all our clients to embrace as we partner with them on this mission-critical topic.
Learn more about operational resilience testing, and about IBM's approach to delivering digital business value from investments in digital resilience.
#cyber-resilience, #ECB, #financial-services, #operational-resilience