Interview with Anneli Tuominen, Member of the Supervisory Board of the ECB

"The geopolitical risks for European banks are more serious than ever"

The financial sector is confronted with an increasing menace from geopolitical conflicts, cautions ECB banking supervisor Anneli Tuominen. She not only points out the danger of cyberattacks, but also the risks posed by disinformation campaigns. Banks have to enhance their readiness in the face of these challenges.

Mrs. Tuominen, the ECB's banking supervision is starting its cyber stress test in January. How challenging will it be for the banks?

A severe cyber attack, disrupting business operations, will be simulated. It's a serious matter from the institutions' perspective. We want to understand how banks respond to a cyber attack, recover from it, and resume normal business operations. Our main goal is to identify the weaknesses of the banks.

This is the ECB's first cyber stress test.

Yes, it's a learning exercise for both the banks and us. Tests of this nature are not yet widespread, but I believe that will change in the future. The Danish Financial Supervisory Authority has already conducted a cyber stress test, as has the British Prudential Regulation Authority.

How does the process work?

Almost all banks directly supervised by us, currently 109, are involved. Of these, 28 are additionally participating in an enhanced test, where they must submit more detailed information.

Which banks will undergo the in-depth examination? The largest and most complex?

We aim to cover a substantial part of the Eurozone's financial sector, achieve geographical balance, and also encompass various business models and sizes.

The exercise takes place at a time when wars are raging in Europe and the Middle East, and geopolitical tensions are generally increasing. Did the Ukraine war play a role in the test's conception?

The issue of cybersecurity has been on our agenda for several years. We initiated Cyber Incident Reporting in 2017. IT security and cyber risks are among our supervisory priorities. In my view, the timing of the stress test is very opportune. There are risks associated with attacks by state-affiliated groups. The Council on Foreign Relations estimates that 77% of all presumed state-backed cyber attacks since 2005 can be attributed to four authoritarian states. That is quite alarming. We all must realize that the threat has increased.

What will the ECB do with the results?

What we want is a qualitative exercise. It's important that banks understand their own risk profile. Based on the test results, we want to provide feedback to them, such as introducing industry standards for IT hygiene across the enterprise.

Will the results be considered in the SREP?

They will certainly be factored into the SREP. Nevertheless, it is not an exercise with the purpose of accruing more equity. This alone cannot truly prevent cyber risks. It might only have an indirect impact on the Pillar 2 requirement in cases of substantial deficiencies in a bank's risk management or corporate governance.

Will the regulatory requirements for the cyber defense of banks increase in the wake of the test?

Geopolitical risks are more significant than ever. I believe that insights into the vulnerabilities of banks will mean that supervisory thresholds will increase. Another aspect concerns the dependence of banks on third-party providers. The credit institutions try to save money by outsourcing some of their IT processes to them. This doesn't necessarily go hand in hand with good risk management. Banks should also understand the risks associated with outsourcing.

To what extent will outsourcing to third parties, such as IT or cloud providers, play a role in the stress test?

I cannot go into detail about the stress test scenario. But such third-party providers are also a topic that we need to examine more closely. I recall a cyber attack earlier this year against a financial trading service provider, which resulted in an interruption of business operations of some banks. They were able to resume their work, but the incident shows the dependencies that exist. We must take this seriously.

How do you generally assess the cyber threat?

The number of cyber attacks is at a higher level than before the Covid-19 pandemic. DDoS attacks, where attackers disrupt bank services by flooding the banks' servers with false requests, have increased the most. We also see more attacks on third parties and more ransomware attacks. In the latter, victims lose access to the data on their devices until they pay a ransom. So far, banks in the Eurozone have proven to be resilient. The attacks were not severe enough to destabilize individual institutions or the banking system. Nonetheless, we must be prepared. A successful attack is possible at any time.

Not only do we hear about more cyber attacks, but there is also increasing disinformation, particularly given the war in the Middle East. Does this align with your impression?

This concerns the entire society and is extremely alarming. Whether hybrid threats, fake news, or the use of artificial intelligence, these types of risks are definitely increasing.

So, what needs to be done?

We need to pay more attention to threats like disinformation. I believe that we are not doing enough at the moment. The only way for banks to address these risks is to actively manage the flow of information. If there is an attack with misleading information, a bank must act quickly, or it can have disastrous consequences.

Are you aware of any banks that have been targets of disinformation attacks?

I don't think there has been such an incident since the existence of the ECB banking supervision. However, in mid-2014, a disinformation campaign against Bulgarian banks triggered a bank run.

Will the ECB also deal with this issue and scrutinize banks in this respect?

I want us to focus more on this area and test it in the future. Banks must respond to such events with effective crisis communication because it is the most important tool against disinformation. Awareness of these types of attacks needs to be heightened.

Do you find that banks' awareness of disinformation is underdeveloped?

We all know what disinformation means in society and politics. But perhaps we have not yet fully recognized that disinformation can also affect the financial sector. I hope that banks will not be affected by such events, but we must be aware that it is a possibility.

You have mentioned risks from artificial intelligence. The tools of attackers are becoming more sophisticated and can also include deepfakes, i.e., AI-generated images, voices, or videos. How is the ECB dealing with this danger?

Just like with other risks: Banks need a sound framework for risk management. They must sharpen their awareness of their own risk profile. And, of course, they need sufficient personnel and expertise. This is something I want to emphasize repeatedly. It is costly but necessary.

Do banks have to report disinformation attacks to the regulator?

There are no specific regulations for that unless they fall under the so-called Crisis Communication Framework. But it is reasonable to expect that in the event of such an attack, the affected bank would naturally inform its supervisors, as they have a problem and seek a resolution. This would be the appropriate course of action.

What concerns you the most?

The global geopolitical developments. So much depends on them.

How do geopolitical tensions affect the work of the ECB banking supervision?

Geopolitics has gained importance, and we must take the associated risks into account. That is why we insist that banks must be resilient and have sufficient capital and liquidity buffers, as well as good risk management. We must understand all associated risks, especially operational risks, including the increasing cyber threats. We also experience operational and reputation risks at European banks operating in Russia, including the risk of money laundering. Therefore, we have asked these banks to develop a roadmap for their risk mitigation strategies.

Should European banks leave Russia, as your colleague Andrea Enria has demanded?

If we see excessive risks, then we believe that banks should reduce them.

Finally, a change of topic: Claudia Buch will, as is well known, succeed Enria as the head of ECB banking supervision on January 1. What do you think will change with her appointment?

Claudia is a very competent woman. She is already a member of the ECB's supervisory board, where decisions are made. But everyone has their own style. Thus, I cannot say yet whether there will be changes in this regard. The way ECB banking supervision has worked so far has been very successful. Therefore, I see no need for fundamental changes. However, there is always room for improvement.