Banks’ cyber resilience to be stress tested and intersection with DORA
Following on from its evaluation of credit institutions’ management of IT and cyber risks in 2023, the European Central Bank (ECB) announced, on 3 January 2024, that it will be conducting a cyber resilience stress test on 109 directly supervised credit institutions in 2024.
The 2023 evaluation was based on credit institutions’ annual self-assessment of IT and cyber resilience and on-site inspections by the ECB to determine whether credit institutions’ IT and cybersecurity risk management is in line with the EBA Guidelines on ICT and security risk management. The cyber resilience stress test in 2024 will assess how credit institutions respond to and recover from a cyberattack. The findings of the stress test will be particularly important as credit institutions align their ICT and cybersecurity frameworks with DORA in advance of its implementation date on 17 January 2025.
Approach of ECB to cyber resilience stress test
The ECB will be conducting its first cyber resilience stress test this year. The stress test scenario centres around a cyberattack surpassing the credit institutions’ cybersecurity defences and succeeding in disrupting daily business operations, rather than assessing the credit institutions’ preventive measures. Credit institutions will then test their response and recovery measures, including “activating emergency procedures and contingency plans and restoring normal operations”.
Following the test, supervisors will assess the extent to which credit institutions can respond under the scenario and subsequently discuss the findings with each institution. The main findings will be communicated in summer 2024 as part of the Supervisory Review and Evaluation Process, which assesses an institution’s individual risk profile. The test, a principally qualitative exercise, will not impact a credit institution’s Pillar 2 guidance.
A further enhanced assessment will require 28 credit institutions to submit additional information on how they responded and recovered following the cyberattack. The sample of 28 institutions includes different business models and geographies that will provide a “meaningful reflection” of the euro area banking system.
DORA and digital operational resilience testing
The DORA regulatory framework requires credit institutions (and other financial entities) to ensure that they can withstand, respond to and recover from ICT-related disruptions and cyber threats, including cyber-attacks. Credit institutions therefore need to enhance their existing technology and cyber risk management and resilience. The ECB’s introduction of the stress tests will assist institutions in determining their readiness for DORA implementation and the extent to which further progress is needed to align with DORA requirements relating to cybersecurity and cyber threats.
The following are some of the key cybersecurity requirements under DORA which credit institutions and other in-scope financial entities will need to build into their operations.
ICT risk management framework
Financial entities must have in place a robust ICT risk management framework that includes strategies (including a digital operational resilience strategy), policies, procedures, ICT systems, protocols and tools that are necessary to adequately protect all ICT assets. In respect of cybersecurity, the framework must address:
- the identification of all sources of ICT risk, cyber threats and ICT vulnerabilities
- the establishment of a sound and comprehensive digital operational testing programme
- the gathering of information on cyber threats and cyber-attacks and the analysis of the impact they are likely to have on digital operational resilience, in order for financial entities to learn and adapt their framework appropriately.
Incident reporting
Classification of cyber threats: Financial entities must record all significant cyber threats. They must follow the requirements in DORA for classifying cyber threats as significant by determining their impact based on specific criteria such as the number and/or relevance of clients or financial counterparties affected, duration and economic impact.
Voluntary notification of significant cyber threats: Where financial entities deem the threat to be of relevance to the financial system, service users or clients, they may notify the relevant competent authority on a voluntary basis.
Notification to clients of significant cyber threats: Financial entities must, where applicable, inform their clients that are potentially affected by a significant cyber threat of any appropriate protection measures which the clients may consider taking.
Information and intelligence sharing
Financial entities may exchange cyber threat information amongst themselves, including indicators of compromise, tactics, techniques, procedures, cyber security alerts and configuration tools.
Further in-depth publications relating to DORA can be found on our ALG DORA webpage, including our publication ‘A closer look at the EU’s DORA’.
For further information in relation to this topic, please contact Patrick Brandt, Partner, Caoimhe Crowley, Solicitor, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.
Date published: 25 January 2024