Cyber risk stress testing for banks

Highlights

• In the context of growing frequency and sophistication, and increasing potential impacts of cyber incidents, some authorities have disclosed that they are conducting cyber stress tests to enhance firm and sector resilience to operational disruptions, such as those caused by cyber attacks.
• These tests benefit both authorities and firms by identifying vulnerabilities and strengthening response and recovery mechanisms as well as, in some circumstances, identifying the financial stability impacts of such disruptions.
• Based on recent exercises, two distinct approaches emerge, namely firm- or system-focused cyber stress tests. It is important for the authority in charge to select the approach that best reflects the institutional setup and the objectives of the stress test, ensuring consistency across all parts of the exercise.
• Continued enhancements and disclosure of the methodological aspects in cyber stress tests can help raise awareness and establish best practices.

The views expressed in this publication are those of the authors and do not necessarily reflect the views of the BIS, its member central banks or the Basel-based standard-setting bodies.