ECB finds ‘shortcomings’ in banks’ ability to cope with cyber attacks


The European Central Bank has called on lenders to improve their capacity to respond to and recover from a major cyber attack, in its first test of the financial sector’s vulnerability to the rising threat from hackers.

The ECB said its debut cyber stress test found “room for improvement” in the readiness of banks to cope with a scenario in which hackers penetrated their defences and caused serious disruption to core databases and systems. 

“The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement,” said Anneli Tuominen, a member of the ECB’s supervisory board, which oversees the top Eurozone lenders, on Friday.

Western banks have suffered a surge in cyber attacks in the past two years, which the regulator has partly blamed on Russian hackers acting in response to sanctions placed on the country and its banks following Moscow’s full-scale invasion of Ukraine. The use of artificial intelligence by cyber criminals has also increased the number and sophistication of attacks. 

Tuominen said “the importance of cyber resilience cannot be overstated”, adding that the recent global IT outage caused by an update at CrowdStrike, the cyber security company, showed how “an incident in one institution can have cascading effects across multiple sectors”.

The ECB said its stress test was designed to examine banks’ responses to a major cyber attack and not their ability to prevent hackers from successfully penetrating their systems.

It sent a questionnaire and requested documentary evidence from all 109 banks involved in the exercise to check how they would respond to a serious cyber attack that had breached their defences. 

More extensive testing was carried out at 28 of the banks chosen to represent a cross-section of the sector, which had to carry out an IT recovery test and receive an onsite visit by ECB supervisors.

The central bank said the results of the test would feed into its annual supervisory review and evaluation process, which assesses risks at each bank and sets their capital requirements. It did not expect any direct impact on the amount of capital it wants banks to have.

The test examined banks’ internal crisis management procedures and business continuity plans, as well as how they would communicate with external parties including customers, law enforcement agencies and service providers. 

Banks had to show their ability to implement workarounds to continue operating while they worked on recovering IT systems, to restore backed-up data, and to work with critical third-party service providers.

“Supervisors have provided individual feedback to each bank and will follow up with them accordingly,” the ECB said. “In some cases, banks have already improved or plan to remedy the shortcomings pinpointed during the exercise.”

Detecting and addressing deficiencies in banks’ operational resilience, including cyber risk, was set as one of the ECB’s supervisory priorities for the next two years after it detected a sharp increase in the number and sophistication of hacking attacks.

In October, Lloyd’s of London warned that a significant cyber attack on a global payments system could cost the world economy $3.5tn.

Earlier this year, Spain’s largest bank Santander was hit by a cyber attack on a database hosted by a third-party provider that held information on customers in Spain, Chile and Uruguay. A few weeks later, data on millions of clients and staff — including account details and credit card numbers — were offered for sale on a hacking forum.

Last year, the number of ransomware attacks in the finance industry rose by 64 per cent, and was nearly double the 2021 levels, according to cyber security company Sophos. 

In November, the New York arm of China’s largest bank ICBC was hit by a ransomware attack, disrupting the $25tn US Treasury bond market.
