The European Central Bank will run a cyber resilience stress test for European banks in 2024, one of its officials has said. The exercise comes amid a growing number of cyberattacks on financial institutions, particularly since the beginning of the war in Ukraine. Security experts say such tests should have been run sooner if they are to be effective in protecting the sector.
Andrea Enria, chair of the ECB’s supervisory board, highlighted growing “third-party risk” to financial institutions: as banks rely on a growing number of outsourced IT services, they become more exposed to supply chain attacks.
Details of the European Central Bank’s new cyber resilience exercise
Enria outlined the various risks currently facing the European banking sector in an interview yesterday. Banks need to shore up their cyber resilience to protect themselves against imminent attack, he explained, particularly considering growing aggression in cyberspace since the start of the Ukraine war.
“We need banks to be prepared,” Enria said. “That’s why for next year we are launching a thematic stress test on cyber resilience, which will try to test how banks are able to respond to and recover from a successful cyberattack.”
The bank will “devote quite a significant amount of time and resources” to the new exercise, he said. He hopes it will give his organisation “a better understanding of where banks’ strengths and weaknesses are,” adding: “We plan to have the results by around the middle of next year.”
Threats facing banks are on the rise. Data from security firm BlackFog shows that, in 2022, web application and API attacks against financial services firms grew by 257% compared with the previous year.
The sector also suffers some of the highest costs from cybercrime: IBM puts the average cost of a data breach at a financial services firm in 2022 at $5.97m, more than a million dollars above the average across all industries.
In October the Bank of England released a report showing that 74% of respondents to a survey of bank executives believed a cyberattack was the greatest threat facing the industry. Globally, 56% of central banks or supervisory authorities do not have a national cyber strategy for the financial sector, according to research from the International Monetary Fund.
The IMF also found that 42% of financial institutions lack a dedicated cybersecurity or technology risk-management regulation, and 68% lack a specialised risk unit within their supervision department.
New legislation could boost cyber resilience for European banks
In response to this risk, the EU has adopted new legislation, the Digital Operational Resilience Act (DORA), which seeks to establish a harmonised digital operational resilience standard for the EU financial sector. It requires “financial entities”, including EU investment firms and fund managers, to maintain a comprehensive ICT risk management framework, with particular attention to managing risk from third-party technology suppliers.
This is also an area Enria highlighted, using the interview to outline the dangers of third-party risk: the exposure a financial institution takes on when it outsources technology to providers it does not adequately vet or monitor. “Many banks are outsourcing critical functions, either to other companies in their group or to external providers or third-party providers of services, which are often located in other jurisdictions – sometimes in Russia itself, sometimes in India or other jurisdictions across the globe,” he explained.
Most financial institutions rely on third-party service providers to run their digital operations. Even if an institution’s own systems are highly resilient to attack, its providers can be the weak link in the chain. Attackers increasingly compromise software vendors and use them as a distribution channel, delivering malicious code to every customer downstream through product downloads or updates that look entirely legitimate.
This was the case in the now infamous SolarWinds attack, in which attackers compromised the vendor’s software build process and inserted a backdoor into an update of its Orion network management software. Because the tampered update was built and signed through SolarWinds’ own release pipeline, vendor signature checks alone did not catch it, and it was distributed to thousands of organisations, including banks and government agencies. For a bank, the practical consequence is that trusting a supplier’s code-signing certificate is not the same as trusting the supplier’s build environment; resilience planning has to assume a trusted update can be malicious and cover detection and recovery for that case.
Heightened attention to supply chain hygiene is a key aspect of shoring up cyber resilience in the European financial sector, says Michael White, technical director and principal architect at the Synopsys Software Integrity Group. “I’d highlight that any assessment of resilience should always consider the growing threat posed by the extensive software supply chain. Gartner expects 45% of organisations will have experienced a software supply chain attack by 2025,” he told Tech Monitor.
The European Central Bank’s intervention should’ve come sooner, says Brian Higgins, security specialist at Comparitech. “The ECB are alarmingly late to the cybersecurity resilience party if this is genuinely its first attempt at war-gaming practitioners to improve the estate,” he says. “The UK have been running a programme of exercises for the banking community called Waking Shark and publishing the findings since 2013.”
Indeed, the ECB needs to accelerate its efforts, says Brad Freeman, director of technology at SenseOn. “Change in banking organisations is tectonically slow,” he says. “With the significant current geopolitical risk and the medium-term horizon potentially worse, the ECB needs to be planning for the future worst-case cyber adversarial environment.
“With the results from the test not available until the middle of 2024, improvements will be years away. With an explosion of geopolitical cyber risk hopefully it won’t be too little too late.”