Summary: The European Central Bank (ECB) conducted its first cyber stress test for the banking sector, revealing that while banks are generally well-prepared for cyberattacks, there are significant gaps in their recovery capabilities. The test highlighted the need for improvements to ensure customer data protection and maintain confidence in the banking system.
Threat Actor: Russian-speaking hackers | Russian-speaking hackers
Victim: European banking sector | European banking sector
Key Point :
- The ECB’s cyber stress test involved 109 banks and aimed to assess their ability to recover from cyber disruptions.
- Weaknesses were identified in banks’ recovery capabilities, particularly in worst-case scenarios, necessitating improvements to protect customer assets and data.
- KPMG’s analysis indicated that many banks failed to meet recovery time objectives due to a lack of coordinated testing of technical and banking processes.
- The ECB plans to use insights from the test for future cyber risk evaluations and stress testing exercises.
Finance & Banking
,
Industry Specific
,
Security Operations
‘Room for Improvement,” Says ECB Supervisory Board Member
The European banking sector is prepared at a high level for withering cyberattacks but there is “room for improvement” in its recovery capabilities, the European Central Bank said at the conclusion of a first-ever cyber stress test for banking.
See Also: Securing the Cloud for Financial Services
The European banking supervisor in January launched the test to determine the financial sector’s ability to withstand cyber disruptions. The agency required 109 banks that operate across different business and geographical areas in Europe to participate (see: European Central Bank to Put Banks Through Cyber Stress Test).
“The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement,” Anneli Tuominen, an ECB supervisory board member, said on Friday.
Weaknesses identified by the central bank include recovery capabilities in worst-case scenarios. Banks must ensure “they can meet their recovery objectives to protect customer assets and customer data, maintain confidence in the banking system and, ultimately, safeguard financial stability,” Tuominen said. The test didn’t probe banks’ ability to prevent cyberattacks. Twenty-eight of the banks underwent additional testing.
Consulting firm KPMG’s analysis of a subset of participants shows that many banks couldn’t meet their recovery time deadlines. Banks typically test processes and systems regularly, but most institutions don’t simultaneously test technical and banking processes, KPMG said. It flagged a lack of centralized inventories of business processes and associated IT assets.
Banks have a “strong dependence” on service providers, KPMG said – an issue that has risen to the forefront of cyber resilience concerns in recent days following a global IT outage sparked by a bad updated pushed to Windows computers by cybersecurity vendor CrowdStrike on July 19. Switzerland-based UBS and Deutsche Bank were among the European financial institutions affected by the incident (see: CrowdStrike Outage Losses Will Hit Healthcare, Banking Hard).
The European regulator announced plans for cyber stress testing in March 2023 amid concerns that Russia’s war of conquest against Ukraine could result in cyberattacks against European critical infrastructure. The European Investment Bank months later experienced a distributed denial-of-service attack that rendered two websites inaccessible. The EIB, headquartered in Luxembourg City, is the development bank for the European Union. The incident occurred shortly after Russian-speaking hackers expressed their intention to target Western financial institutions (see: Breach Roundup: EIB Confirms Outage Caused by Cyberattack).
The ECB will incorporate information obtained from the test in its annual 2024 supervisory review and evaluation process. “We would like to conduct similar exercises on cyber risk in the future, building on the insights gained from the cyber resilience stress test,” Tuominen said.
Source: https://www.bankinfosecurity.com/european-central-bank-concludes-banking-cyber-stress-test-a-25871