
      It is a novelty, but one that was foreseeable in view of the increasing risks: in 2024, the European Central Bank (ECB) will for the first time put the cyber resilience of the institutions it supervises in Europe to the test. In view of the threat situation, the first cyber stress test has been scheduled under the official name "Cyber Resilience Stress Test 2024". It is being carried out because cyber and ICT (information and communication technology) risks are becoming ever more significant for operational risk management and for the ability of banks to provide services to their customers.

      The cyber stress test will assess the operational resilience of core banking systems to severe but plausible cyber security events. To this end, the stress test requires banks to identify the impact and consequences of such a scenario on their organisation and report on this to the supervisory authority. In addition, the banks report on existing response and recovery measures that would be activated in the event of an emergency in order to survive a critical cyber security incident and restore service provision for customers and partners.

      A key challenge that the stress test poses for banks lies in the overarching cooperation required to overcome the scenario, but the banks also face additional difficulties in determining the economic impact.

      The results of the stress test will be incorporated into the SREP 2024 supervisory review process, particularly in the form of assessments of operational risks and qualitative requirements.

      Methodology, elements and procedure

      The ECB will not announce the exact methodology of the test until 22 November 2023. However, the key points have already been finalised. The almost 110 banks affected will have to answer an extensive questionnaire on the potential impact of a hypothetical cyber attack scenario. The banks will have to substantiate their statements with corresponding evidence.

      With regard to the scenario, it is already known that it will be an incident affecting the core banking system and its associated databases. The core banking system is the system on which the banks' core business lines and critical functions depend, and it is the primary source of financial information. If several systems qualify, the one with the highest business criticality is selected.

      The test has a two-stage structure and distinguishes between a simplified and an extended approach: In the simplified approach, all institutions must complete the questionnaire within two months, provide the relevant evidence and submit a cyber incident report to the ECB.


      In the webcast, we explain the methodology, process and fields of action to be considered. We will provide you with a roadmap of recommended activities and show you how we can support you in implementing them.

      Simplified approach

      The questionnaire serves as the main channel of communication with the supervisory authority and comprises a total of 478 questions, which are divided into open and closed questions from six subject areas:

      • General data
      • Impact analysis
      • Response
      • Recovery
      • Economic impact
      • Evidence

      Responses to the questionnaire must be supported by appropriate evidence. This consists of the institution's policies and procedures governing the relevant parts of the response and recovery processes.

      The institutions are requested to submit the first report via the STAR portal within two hours of the discovery of the incident in accordance with the scenario presented, the interim report within ten working days of the first report and the final report within 20 working days of the interim report.


      The extended approach concerns 20 selected credit institutions and stipulates that the banks actually carry out recovery tests tailored to the designed scenario. Detailed logs of the activities and results must be provided to prove that the tests have been carried out. The evidence provided is then analysed by the supervisory authority in an on-site validation.

      Extended approach

      The extended approach takes up the scenario and also includes an IT recovery test at the audited banks. This follows the banks' internal procedures in addition to the questionnaire and is monitored by Internal Audit or the 2nd line of defence (IT or cyber risk).

      The evidence from the recovery test proves that the critical systems and infrastructures are adequately covered and confirms that the banks have the necessary capabilities to rebuild in the event of an emergency.

      The on-site validation includes the examination of the completed questionnaire and the IT recovery test by the supervisor.



      The simplified approach to the stress test will begin on 2 January 2024, after which the banks will be given two months to complete the questionnaire and submit the necessary evidence. Following the completion of the simplified approach on 29 February, the extended approach and on-site investigation will begin. The end date is 30 April. The stress test concludes with a contribution to the SREP and a lessons learned on 30 June.


      KPMG Webcast - "ECB stress test on cyber resilience: How to prepare successfully"

      Materials from the live webcast of 29 September 2023, 9:00 to 9:45 am

      Fields of action and roadmap for preparation and implementation

      Figure: Roadmap of the ECB cyber stress test

      The key to successfully mastering the stress test lies in adequate preparation. The following areas of action should be taken into account:

      • In preparation, a project should be set up with the relevant 1st and 2nd line representatives as early as possible
      • Identification of central contact persons and technical experts in the areas of IT SCM, BCM, ISMS, IT, risk management, financial controlling and the other 1st, 2nd and 3rd lines of defence (LoD), and setting up awareness-raising measures
      • In the event of outsourcing, contact and coordination with internal and external (IT) service providers should be established at an early stage
      • Status quo analysis of the required evidence with regard to end-to-end coverage of possible cyber scenarios
      • Identification of plausible and severe test scenarios for critical core banking systems
      • Carrying out dry runs, e.g. tests of the cyber incident reporting procedure

      How KPMG supports you

      KPMG has extensive technical expertise in all relevant disciplines relating to cyber stress testing. Our wide-ranging project experience from previous stress tests has also provided us with valuable insights and findings that help us to better understand the challenges and requirements of our clients. With our process model for the cyber stress test, we use these insights in a targeted manner and develop customised solutions to prepare for the stress test:

      Analysis of the requirements based on the information provided by the ECB (methodology and questionnaire) and categorisation of the requirements into subject areas. Based on this, identification of functions and areas involved (e.g. IT-SCM, BCM, ISMS, risk management, financial controlling) and their assignment to stakeholders as well as initial sensitisation.

      Creation of a detailed description of the probable emergency scenario based on the emergency scenarios already in place at the bank. The approach for calculating the economic impact and for identifying the relevant core banking system is developed and harmonised.

      To ensure the best possible preparation, KPMG offers a review of your governance structures and subsequent workshops with the responsible stakeholders in order to identify deviations from the supervisory authority's expectations at an early stage. The gaps identified in this way are analysed and prioritised in a heat map according to their criticality. The areas for action are presented to management in order to obtain approval for prioritisation and enable the gaps to be addressed in a targeted manner.


      Based on the identified and prioritised gaps, short-term measures are implemented and the stakeholders and departments are supported.

      To ensure that the stress test runs smoothly, KPMG supports the parties involved in advance by creating awareness in the departments involved and planning the test schedule in the form of a script.


      In addition to preparing for the test, the support services offered by KPMG also include assistance with aspects relating to the stress test implementation:

      We provide support with document analyses in the selection of suitable evidence and advise on the expectations of the supervisory authority in order to achieve an appropriate level of detail in the results submitted.

      In cooperation with your employees, we also organise workshops to bring together the necessary experts from the strategic and operational levels and to process the contents of the questionnaire in a target group-oriented manner.

      Depending on the supervisory scenario, we also contribute our experience and in-depth understanding of the systems and areas involved and support you in identifying measures.

      We also provide benchmark information during the test itself. This enables a comparison with other participating banks, both nationally and internationally, and thus allows conclusions to be drawn about any anomalies.


      Your contact

      Peter Hertlein

      Partner, Financial Services, IT Compliance & Cyber resilience

      KPMG AG Wirtschaftsprüfungsgesellschaft