Euro zone banks have “room for improvement” in their cyber security, starting with how they would keep their business running after a hack, the European Central Bank said on Friday.
The ECB’s first ever cyber risk stress test was launched in response to a surge in attacks, some with possible geopolitical motives, and its results came a week after a global tech outage that disrupted sectors including finance.
As part of the exercise, 109 banks were told to detail how they would respond to and recover from a successful cyber-attack, such as activating emergency procedures and restoring normal operations.
The ECB then examined their submissions and made specific recommendations to each bank as part of its annual supervisory assessment. This would not affect capital requirements.
“The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement,” ECB supervisor Anneli Tuominen said in a blog post.
Specifically, banks have been told to work on how they ensure business continuity after a hack, beef up their backup measures, and take a closer look at external providers, among other recommendations.
“In some cases, banks have already improved or plan to remedy the shortcomings pinpointed during the exercise,” the ECB said in a press release.
Of the 109 banks in the stress test, 28 were selected for a deeper exercise that also involved an actual recovery exercise and an on-site inspection.
The ECB did not name the banks examined and provided very few details of the sector’s exact weaknesses, saying this was so as not to give hackers an edge.
It should decide by the end of the year whether to carry out further such tests. Financial supervisors in Britain and Denmark have also conducted similar cyber exercises.
The ECB added that “cyber incidents” at the 113 banks it supervises had surged in the second half of last year, which it said was “partly due to heightened geopolitical tensions” – a likely reference to Russia’s invasion of Ukraine.
It also repeated warnings that many banks were operating with “ageing IT systems” and increasingly relying on third-party providers.
(Reporting by Francesco Canepa; Editing by Jan Harvey)