Cyber stress tests: Two approaches to boost bank resilience
The Bank for International Settlements (BIS) highlights that cyber risk stress tests are crucial for enhancing banks' operational resilience. These tests identify vulnerabilities and strengthen response mechanisms against increasingly sophisticated cyber incidents.
Beyond prevention: Testing operational resilience
In response to the increasing frequency, sophistication, and potential impact of cyber incidents, authorities are adopting a range of tools to test firms' preparedness.
Cyber stress tests, specifically, assume that preventative measures have failed, focusing instead on firms' cyber incident response and recovery – their operational resilience.
These exercises provide valuable insights into the effectiveness of response processes, allowing firms to identify critical arrangements and assess weaknesses in their design.
They benefit both authorities and firms by identifying vulnerabilities, strengthening response and recovery mechanisms, and, in some circumstances, identifying financial stability impacts.
Two distinct approaches, firm- or system-focused, are emerging, with the choice depending on institutional setup and test objectives.
Early insights from key authorities
Cyber stress tests are relatively new, with limited experience and restricted public disclosure to maintain confidentiality and prevent malicious attacks.
However, the Bank of England, Danish Financial Supervisory Authority, and ECB Banking Supervision have recently published reports on their exercises.
This FSI Brief reviews these three examples, chosen for their extensive disclosure and comparable focus on banks.
Unlike traditional solvency or liquidity stress tests, cyber stress tests lack a single quantitative impact indicator and are not pass/fail exercises.
They serve as learning opportunities, focusing on operational capability and system-wide resilience, rather than financial losses.
Essential, but evolving
This brief underscores a critical shift towards qualitative operational resilience in central bank supervision, moving beyond traditional financial metrics.
While still in its early stages, cyber stress testing is an indispensable tool for understanding and mitigating systemic vulnerabilities against increasingly sophisticated digital threats.
Continued methodological refinement and greater transparency will be crucial for these exercises to reach their full potential and establish best practices across the sector.
Source: Cyber risk stress testing for banks