The European Central Bank has asked banks to prepare for a test of how they will respond to a cyberattack of unprecedented severity. Beyond that, regulators did not reveal the exact timing of the cyberattack, as they would with real-life hackers. At a briefing last month, the ECB provided banks with only a rough outline of the tests, according to people familiar with the matter. The attack assumed that hackers had breached all of the bank's defenses and gained access to the core of the bank's main technology systems, people familiar with the matter said.
This would make the incident simulated by the ECB more serious than any public cyber incident affecting the industry in recent years, with large amounts of customer data at risk. Regulators have frequently warned of the dangers posed by hackers, including last year after Russia invaded Ukraine, and said the stress test would be a learning experience for lenders and regulators.
European banks targeted by cyberattacks
KPMG said banks currently need to answer about 400 exam questions. KPMG provides exam advice to banks.
Lucas Daus, a partner in consulting cybersecurity at KPMG, said in an interview that companies that have dealt with cyber issues have been able to answer some of these questions, while others can only be solved after lenders understand the situation.
However, the bank will not release details of the supposed attack until next month from the European Central Bank, people familiar with the matter said. "They're still very surprised once they hear what's actually going on," Daus said.
The ECB review comes as European authorities say the risk of cyberattacks remains high and geopolitical unrest has spread to the private sector. The test is billed as an initiative to improve banks' risk management, rather than an exam that will have a direct impact on banks' capital requirements.
The tests involve more than 100 banks directly supervised by the European Central Bank. 28 banks will undergo more detailed assessments and may undergo on-site investigations.
Results for individual lenders are not expected to be released. However, they will indirectly feed into the ECB's regular assessment of the risks faced by banks, which determines their capital requirements.
Daus said,