Key Takeaways
- The European Central Bank's 2024 cyber stress test will assess how 109 of the banks it supervises respond to and recover from a cyberattack.
- Despite limited disclosure around the test's underlying methodology, we view it as a positive step toward developing supervision of this key risk for European banks.
- Like previous U.K. and Israeli cyber stress tests, there will be no "pass or fail" for individual banks, though we expect supervisors will use findings in their daily supervision. Banks that emerge as negative outliers could face elevated investment needs to address identified shortcomings, though we don't expect any immediate ratings impact.
The need for European banks to strengthen their resilience to cyber risk is non-negotiable. The risk of geopolitically driven cyberattacks remains elevated and new avenues of attack are emerging as banks make further progress toward digital banking. Banks have a strong self-interest to shield against cyber risk as the likelihood of them falling victim to an attack remains high and potential business implications can be severe. Meanwhile, regulators need to keep pace with technological progress and the increasing sophistication of cyberattacks.
S&P Global Ratings sees the ECB's 2024 cyber stress test of significant eurozone banks as an important step toward developing banking supervision on cyber risk. One of the key outcomes will be to identify negative outliers among supervised banks while also assessing the extent of systemwide vulnerabilities. The exercise aims to examine the banks' ability to recover from an acute and severely disruptive cyberattack, assuming all prevention measures have failed.
The test will not have a "pass or fail" outcome, but it will help to define industry best practices. In the medium term, we believe this will strengthen the banking sector's resilience. Banks with particularly weak stress test results could be forced to initiate immediate and potentially costly remediation plans. That said, this predominantly qualitative exercise will not directly affect banks' capital through the Pillar 2 guidance of the Basel Framework. Instead, regulators will include their findings in their regular supervisory review and evaluation process (SREP) of individual banks.
Table 1
Plugging The Gaps In Cyber Resilience Is Key
Strengthening banks' cyber resilience remains a key issue for bank supervisors globally. The European Single Supervisory Mechanism (SSM) continues to define cyber and operational resilience as one of its key priorities for 2024-2026. The ECB's choice of cyber risk as the topic for its 2024 thematic stress test therefore comes as no surprise.
An ECB report revealed shortcomings in eurozone banks' cyber resilience, flagged via on-site visits and other analysis. Of note, the ECB reports little progress in banks addressing existing gaps that point to structural deficiencies. This aligns with routine warnings from banking authorities about managing cyber risks and requests for tighter defenses. The ECB highlights in particular shortcomings relating to IT outsourcing services and partners, including large cloud service providers (see chart 1, and also "Cyber Risk Insights: Attack On Vulnerable Software Highlights Outsourcing Risk For Banks," published July 21, 2023). Other weak spots were the effective detection of cyber vulnerabilities, as well as banks' timely reaction to cybersecurity incidents.
Chart 1
Cyber risk is not a blind spot for European banking supervisors, though. They already consider it as part of their annual SREP exercise that helps determine specific banks' capital add-ons under Pillar 2 of the Basel Framework. It also provides a set of qualitative measures that address banks' shortcomings when looking at various risks. The latest SREP summary report highlights that operational risk (including cyber risk management) had the lowest average score compared with other risk categories. We believe that weaknesses in cyber resilience are more likely to lead to heightened scrutiny and several qualitative requirements for banks because of SREP, instead of capital add-ons, though transparency here remains low.
We don't see an additional capital buffer as an effective tool to address banks' shortcomings in cyber risk management. While it would boost a bank's capacity to absorb unexpected losses--such as in the case of a cyberattack--it would not mitigate the main risks. These include the potential and swift erosion of trust from customers and/or financial counterparties, which could result in a bank run with a significant impact on business stability and liquidity. In this event, we don't think higher capital buffers would be sufficient to reinstate trust and stabilize the bank.
The EU's Digital Operational Resilience Act (DORA), which will come into force in 2025, will help address these shortcomings through enhanced ICT (information and communication technology) risk management of both banks' own risks and those of third-party providers. It will also provide deeper testing of operational resilience more generally, moving away from pure capital charges, and will require stronger communication with authorities and stakeholders. This comes on top of PSD3, an updated Payment Services Directive, expected to be released later this year, which also looks to improve the protection of consumers, who are often the weakest link in cybersecurity defenses.
Collaboration Is An Important Lever For Improving Cyber Resilience
We think that effective collaboration between regulators, as well as private and public bodies including national cyber defense authorities and central banks, can make a difference. Alliances help participants to align on best practices, identify attack patterns early, and develop a consistent framework and comprehensive set of stress tests that could also include ethical hacking. If authorities can intervene using analytical and policy tools, they may be able to contain a cyber incident before it turns into a systemic event. And if not, they may be able to mitigate the consequences.
Collaboration in the EU already occurs in various forums. For example, the Euro Cyber Resilience Board (ECRB) brings together critical service providers, central bank overseers, and other key European authorities for strategic discussions on cyber risks. These groups also share trends in cyber threats and lessons learnt via the Cyber Information and Intelligence Sharing Initiative (CIISI-EU). Over the coming years, we expect that coordination and collaboration among market participants, and even across jurisdictions, will intensify as they respond to major and global cyber incidents.
We see the ECB's cyber stress test as the next logical step toward strengthening the resilience of eurozone banks. Despite its exploratory nature and design as a primarily desktop exercise, the findings will allow regulators and management to understand a bank's relative positioning and address key vulnerabilities. We believe this will contribute to a more operationally resilient banking system in the long term.
Shaping The Regulatory Agenda
The test scenario assumes failure of all preventive cyber measures, and a severe disruption to banks' daily operations. Though a tough test, these assumptions align with cyber stress tests performed by other regulators and reflect the perception that companies cannot avoid cyberattacks and that the severity of implications will depend on how quickly an attack can be contained. The test addresses banks' ability to assess the criticality and impact of the outage, as well as the appropriateness of response and recovery measures. This is largely assessed via questionnaires, although answers must also be verified by evidence. The ECB wants to gain insight into the cyber preparedness of banks across a wide range of regions and business models; therefore a sample of 28 undisclosed banks will be subject to an enhanced assessment. This will include on-site visits to provide the ECB with detailed insight into those banks' recovery processes.
We anticipate that results of the stress test will significantly shape the future regulatory agenda for cyber resilience. The test will also help to identify best practices and uncover the extent of banks' vulnerability to industry risk and structural weaknesses. In addition, we believe it will provide deeper insight into banks' management of operational risk beyond cyber risk. The largest costs for banks typically arise from failures relating to internal processes and systems.
We expect the ECB will quickly derive a catalog of measures from its main findings. This is consistent with the outcome of similar exercises in Israel and the U.K. Systemwide cyber stress tests might also become a more standard tool in banking supervision, though this also depends on the ECB's priorities and the scale of weaknesses identified.
Table 2
The Test Will Flag Risk Management Gaps, Though Ratings Impact Is Limited
Banks have a strong self-interest in shielding against cyber risks as the likelihood of falling victim to an attack remains high (see chart 2). Cyber resilience is already a key management priority at almost all banks we rate, although we see varying levels of management involvement, financial resources, and technical infrastructure. We see the complexity created by the combination of old and new technologies as an important risk factor (see “Cyber Risk Insights: European Banks' IT Complexity Amplifies Risk,” March 23, 2023). We believe that the stress test findings will enhance management awareness and could lead to a reprioritization of investments.
Chart 2
Our current ratings already assume that banks continuously invest in managing cyber risks and take appropriate measures to protect their businesses. We therefore don't expect the stress test results to spur positive rating actions on the banks evaluated. At the same time, we don't anticipate publication of the results to impair banks' creditworthiness. Individual results will remain anonymous, and insights gained will be used as part of the regular supervisory assessment. However, although not our base case, this could imply additional capital add-ons for individual banks, though these are unlikely to be material enough to change ratings. This also reflects the solid capital buffers that are significantly above regulatory minima at most eurozone banks.
We expect banks will have to commit to a clear remediation plan to address identified gaps, particularly if they are considered severe. Depending on the scale, adjustments are likely to require significant time and resources. They could also be both costly and complex, particularly if--in addition to changes in governance and reporting--changes in IT or management of outsourcing partners became necessary. If these factors materially or structurally affected banks' performance, the ratings on those banks might come under pressure.
Understanding how rated banks performed in the cyber stress test will be part of our discussion with banks, as well as the scale and focus of remediation plans, if any. In our assessment of a bank's cyber risk preparedness, we incorporate feedback from regulators and internal and industry benchmarking exercises, including the stress test. Evidence of poor cyber resilience would also inform our view of a bank's risk management practices and might hinder creditworthiness if material and not already reflected in the ratings. This might include severe weaknesses in the cyber risk framework, failure to clearly delegate management responsibility, lack of a proper emergency and recovery plan in the event of a cyber breach, or failure to allocate sufficient resources to cyber issues.
Weaknesses in cyber resilience have so far had limited impact on our bank ratings, but pose an ever-present threat for rated banks. The likelihood of a cyber event may even be on the rise. Given the elevated geopolitical risks, we believe an increasing number of ever more sophisticated cyberattacks could arise. The impact of a successful cyberattack on a rating will depend on how it affects a bank's credit metrics, and evidence that the target's financial position can (or cannot) absorb the direct loss and resultant damage to its business (see "Cyber Risk In A New Era: The Effect On Bank Ratings," May 24, 2021).
Related Research
- Ongoing Vigilance Is Key To Gulf Banks' Cyber Risk Resilience, Feb. 19, 2024
- Cyber Attack On ICBC Financial Services Highlights Risk Management Challenges Overseas, Nov. 14, 2023
- Australian Mutual Lenders: Path Of Least Resistance May Lead To Higher Cyber Risk, Aug. 29, 2023
- Cyber Risk Insights: Attack On Vulnerable Software Highlights Outsourcing Risk For Banks, July 21, 2023
- Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
- Cyber Risk Insights: European Banks' IT Complexity Amplifies Risk, March 23, 2023
- Cyber Risk In A New Era: The Effect On Bank Ratings, May 24, 2021
- European Banks Face Risks In Race To Implement PSD2, May 16, 2019
This report does not constitute a rating action.
Primary Credit Analysts:
- Benjamin Heinrich, CFA, FRM, Frankfurt, +49 693 399 9167; benjamin.heinrich@spglobal.com
- Claudio Hantzsche, Frankfurt, +49 693 399 9188; claudio.hantzsche@spglobal.com
Secondary Contacts:
- Regina Argenio, Milan, +39 0272111208; regina.argenio@spglobal.com
- Miriam Fernandez, CFA, Madrid, +34917887232; Miriam.Fernandez@spglobal.com
- Clement Collard, Paris, +33 144207213; clement.collard@spglobal.com
- Puneet Tuli, Dubai, +97143727157; puneet.tuli@spglobal.com
- Joe Hudson, London, +44 2071766743; joe.hudson@spglobal.com