Cyber Risk Stress Testing for Banks

This document is a brief published by the Financial Stability Institute (FSI) discussing the implementation of cyber risk stress testing for banks. It outlines the increasing frequency and sophistication of cyber incidents and the necessity for authorities to conduct stress tests to enhance resilience against operational disruptions caused by cyber attacks. The brief describes two distinct approaches to cyber stress testing: firm-focused and system-focused. It emphasizes the importance of selecting the appropriate approach based on institutional objectives. The publication also reviews recent exercises conducted by the Bank of England, the Danish Financial Supervisory Authority, and the European Central Bank, highlighting critical considerations for authorities when designing and implementing these tests. Furthermore, it defines what constitutes a cyber stress test and discusses the unique challenges and methodologies associated with assessing cyber risks compared to traditional financial stress tests. The brief concludes by noting the exploratory nature of these exercises, which aim to improve preparedness and response strategies.