ECB – Cyber Resilience Stress Test​: Scope, Methodology and Scenario.

December 2023
8 min read

The European Central Bank (ECB) is charting new territories in the realm of financial security with a groundbreaking thematic stress test slated for 2024


In the stress test methodology, participating banks are required to evaluate the impact of a cyber attack. They must communicate their response and recovery efforts by completing a questionnaire and submitting pertinent documentation. Banks undergoing enhanced assessment are further mandated to conduct and report the results of IT recovery tests specific to the scenario. The reporting of the cyber incident is to be done using the template outlined in the SSM Cyber-incident reporting framework.

Assessing Digital Fortitude: Scope and Objectives

The ECB's decision to conduct a thematic stress test on cyber resilience in 2024 holds profound significance. The primary objective is to assess the digital operational resilience of 109 Significant Institutions, contemplating the impact of a severe but plausible cybersecurity event. This initiative seeks to uncover potential weaknesses within the systems and derive strategic remediation actions. Notably, 28 banks will undergo an enhanced assessment, heightening the scrutiny on their cyber resilience capabilities. The outcomes are poised to reverberate across the financial landscape, influencing the 2024 SREP OpRisk Score and shaping qualitative requirements.

General Overview and Scope

  • Supervisory Board of ECB has decided to conduct a thematic stress test on „cyber resilience“ in 2024.​
  • Main objective is to assess the digital operational resilience in case of a severe but plausible cybersecurity event, to identify potential weaknesses and derive remediation actions.​
  • Participants will be 109 Significant Institutions (28 banks will be in scope of an enhanced assessment).​
  • The outcome will have an impact on the 2024 SREP OpRisk Score and qualitative requirements.​

Navigating the Evaluation: Stress Test Methodology

Participating banks find themselves at the epicenter of this evaluative process. They are tasked with assessing the impact of a simulated cyber attack and meticulously reporting their response and recovery efforts. This involves answering a comprehensive questionnaire and providing relevant documentation as evidence. For those under enhanced assessment, an additional layer of complexity is introduced – the execution and reporting of IT recovery tests tailored to the specific scenario. The cyber incident reporting follows a structured template outlined in the SSM Cyber-incident reporting framework.

Stress Test Methodology

  • Participating banks have to assess the impact of the cyber-attack and report their response and recovery by answering the questionnaire and providing relevant documentation as evidence.​
  • Banks under the enhanced assessment are additionally requested to execute and provide results of IT recovery tests tailored to the specific scenario.​
  • The cyber incident has to be reported by using the template of the SSM Cyber-incident reporting framework.​

Setting the Stage: Scenario Unveiled

The stress test unfolds with a meticulously crafted hypothetical scenario. Envision a landscape where all preventive measures against a cyber attack have either been bypassed or failed. The core of this simulation involves a cyber-attack causing a loss of integrity in the databases supporting a bank's main core banking system. Validation of the affected core banking system is a crucial step, overseen by the Joint Supervisory Team (JST). The final scenario details will be communicated on January 2, 2024, adding a real-time element to this strategic evaluation.

Scenario

  • The stress test will consist of a hypothetical scenario that assumes that all preventive measures have been bypassed or have failed.​
  • The cyber-attack will cause a loss of integrity of the database(s) that support the bank’s main core banking system.​
  • The banks have to validate the selection of the affected core banking system with the JST.​
  • The final scenario will be communicated on 2 January 2024.​

Partnering for Success: Zanders' Service Offering

In the complex terrain of the Cyber Resilience Stress Test, Zanders stands as a reliable partner. Armed with deep knowledge in Non-Financial Risk, we navigate the intricacies of the upcoming stress test seamlessly. Our support spans the entire exercise, from administrative aspects to performing assessments that determine the impact of the cyber attack on key financial ratios as requested by supervisory authorities. This service offering underscores our commitment to fortifying financial institutions against evolving cyber threats.

Zanders Service Offering

  • Our deep knowledge in Non-Financial Risk enables us to navigate smoothly through the complexity of the upcoming Cyber Resilience Stress Test.​
  • We support participating banks during the whole exercise of the upcoming Stress Test.​
  • Our Services cover the whole bandwidth of required activities starting from administrative aspects and ending up at performing assessments to determine the impact of the cyber-attack in regard of key financial ratios requested by the supervisory authority.​​

Biodiversity risks and opportunities for financial institutions explained

November 2023
8 min read

The European Central Bank (ECB) is charting new territories in the realm of financial security with a groundbreaking thematic stress test slated for 2024


In this report, biodiversity loss ranks as the fourth most pressing concern after climate change adaptation, mitigation failure, and natural disasters. For financial institutions (FIs), it is therefore a relevant risk that should be taken into account. So, how should FIs implement biodiversity risk in their risk management framework?

Despite an increasing awareness of the importance of biodiversity, human activities continue to significantly alter the ecosystems we depend on. The present rate of species going extinct is 10 to 100 times higher than the average observed over the past 10 million years, according to Partnership for Biodiversity Accounting Financials[i]. The Intergovernmental Science-Policy Platform on Biodiversity and Ecosystem Services (IPBES) reports that 75% of ecosystems have been modified by human actions, with 20% of terrestrial biomass lost, 25% under threat, and a projection of 1 million species facing extinction unless immediate action is taken. Resilience theory and planetary boundaries state that once a certain critical threshold is surpassed, the rate of change enters an exponential trajectory, leading to irreversible changes, and, as noted in a report by the Nederlandsche Bank (DNB), we are already close to that threshold[ii].

We will now explain biodiversity as a concept, why it is a significant risk for financial institutions (FIs), and how to start thinking about implementing biodiversity risk in a financial institutions’ risk management framework.

What is biodiversity?

The Convention on Biological Diversity (CBD) defines biodiversity as “the variability among living organisms from all sources including, i.a., terrestrial, marine and other aquatic ecosystems and the ecological complexes of which they are part.”[iii] Humans rely on ecosystems directly and indirectly as they provide us with resources, protection and services such as cleaning our air and water.

Biodiversity both affects and is affected by climate change. For example, ecosystems such as tropical forests and peatlands consist of a diverse wildlife and act as carbon sinks that reduce the pace of climate change. At the same time, ecosystems are threatened by the accelerating change caused by human-induced global warming. The IPBES and Intergovernmental Panel on Climate Change (IPCC), in their first-ever collaboration, state that “biodiversity loss and climate change are both driven by human economic activities and mutually reinforce each other. Neither will be successfully resolved unless both are tackled together.”[iv]

Why is it relevant for financial institutions?

While financial institutions’ own operations do not materially impact biodiversity, they do have impact on biodiversity through their financing. ASN Bank, for instance, calculated that the net biodiversity impact of its financed exposure is equivalent to around 516 square kilometres of lost biodiversity – which is roughly equal to the size of the isle of Ibiza in Spain[v]. The FIs’ impact on biodiversity also leads to opportunities. The Institute Financing Nature (IFN) report estimates that the financing gap for biodiversity is close to $700 billion annually[vi]. This emphasizes the importance of directing substantial financial resources towards biodiversity-positive initiatives.

At the same time, biodiversity loss also poses risks to financial institutions.

The global economy highly depends on biodiversity as a result of the increasedglobalization and interconnectedness of the financial system. Due to these factors, the effects of biodiversity losses are magnified and exacerbated through the financial system, which can result in significant financial losses. For example, approximately USD 44 trillion of the global GDP is highly or moderately dependent on nature (World Economic Forum, 2020). Specifically for financial institutions, the DNB estimated that Dutch FIs alone have EUR 510 billionof exposure to companies that are highly or very highly dependent on one or more ecosystems services[vii]. Furthermore, in the 2010 World Economic Forum report worldwide economic damage from biodiversity loss is estimated to be around USD 2 to 4.5 trillion annually. This is remarkably high when compared to the negative global financial damage of USD 1.7 trillion per year from greenhouse gas emissions (based on 2008 data), which demonstrates that institutions should not focus their attention solely on the effects of climate change when assessing climate & environmental risks[viii].

Examples of financial impact

Similarly to climate risk, biodiversity risk is expected to materialize through the traditional risk types a financial institution faces. To illustrate how biodiversity loss can affect individual financial institutions, we provide an example of the potential impact of physical biodiversity risk on, respectively, the credit risk and market risk of an institution:

Credit risk:

Failing ecosystem services can lead to disruptions of production, reducing the profits of counterparties. As a result, there is an increase in credit risk of these counterparties. For example, these disruptions can materialize in the following ways:

  • A total of 75% of the global food crop rely on animals for their pollination. For the agricultural sector, deterioration or loss of pollinating species may result in significant crop yield reduction.
  • Marine ecosystems are a natural defence against natural hazards. Wetlands prevented USD 650 million worth of damages during the 2012 Superstorm Sandy [OECD, 2019), while the material damage of hurricane Katrina would have been USD 150 billion less if the wetlands had not been lost.

Market risk:

The market value of investments of a financial institution can suffer from the interconnectedness of the global economy and concentration of production when a climate event happens. For example:

  • A 2011 flood in Thailand impacted an area where most of the world's hard drives are manufactured. This led to a 20%-40% rise in global prices of the product[ix]. The impact of the local ecosystems for these type of products expose the dependency for investors as well as society as a whole.

Core part of the European Green Deal

The examples above are physical biodiversity risk examples. In addition to physical risk, biodiversity loss can also lead to transition risk – changes in the regulatory environment could imply less viable business models and an increase in costs, which will potentially affect the profitability and risk profile of financial institutions. While physical risk can be argued to materialize in a more distant future, transition risk is a more pressing concern as new measures have been released, for example by the European Commission, to transition to more sustainable and biodiversity friendly practices. These measures are included in the EU biodiversity strategy for 2030 and the EU’s Nature restoration law.

The EU’s biodiversity strategy for 2030 is a core part of European Green Deal. It is a comprehensive, ambitious, and long-term plan that focuses on protecting valuable or vulnerable ecosystems, restoring damaged ecosystems, financing transformation projects, and introducing accountability for nature-damaging activities. The strategy aims to put Europe's biodiversity on a path to recovery by 2030, and contains specific actions and commitments. The EU biodiversity strategy covers various aspects such as:

  • Legal protection of an additional 4% of land area (up to a total of 7%) and 19% of sea area (up to a total of 30%)
  • Strict protection of 9% of sea and 7% of land area (up to a total of 10% for both)
  • Reduction of fertilizer use by at least 20%
  • Setting measures for sustainable harvesting of marine resources

A major step forwards towards enforcement of the strategy is the approval of the Nature restoration law by the EU in July 2023, which will become the first continent-wide comprehensive law on biodiversity and ecosystems. The law is likely to impact the agricultural sector, as the bill allows for 30% of all former peatlands that are currently exploited for agriculture to be restored or partially shifted to other uses by 2030. By 2050, this should be at least 70%. These regulatory actions are expected to have a positive impact on biodiversity in the EU. However, a swift implementation may increase transition risk for companies that are affected by the regulation.

The ECB Guide on climate-related and environmental risks explicitly states that biodiversity loss is one of the risk drivers for financial institutions[x]. Furthermore, the ECB Guide requires financial institutions to asses both physical and transition risks stemming from biodiversity loss. In addition, the EBA Report on the Management and Supervision of ESG Risk for Credit Institutions and Investment Firms repeatedly refers to biodiversity when discussing physical and transition risks[xi].

Moreover, the topic ‘biodiversity and ecosystems’ is also covered by the Corporate Sustainability Reporting Directive (CSRD), which requires companies within its scope to disclose on several sustainability related matters using a double materiality perspective.[1] Biodiversity and ecosystems is one of five environmental sustainability matters covered by CSRD. At a minimum, financial institutions in scope of CSRD must perform a materiality assessment of impacts, risks and opportunities stemming from biodiversity and ecosystems. Furthermore, when biodiversity is assessed to be material, either from financial or impact materiality perspective, the institution is subject to granular biodiversity-related disclosure requirements covering, among others, topics such as business strategy, policies, actions, targets, and metrics.

Where to start?

In line with regulatory requirements, financial institutions should already be integrating biodiversity into their risk management practices. Zanders recognizes the challenges associated with biodiversity-related risk management, such as data availability and multidimensionality. Therefore, Zanders suggests to initiate this process by starting with the following two steps. The complexity of the methodologies can increase over time as the institution’s, the regulator’s and the market’s knowledge on biodiversity-related risks becomes more mature.  

  1. Perform materiality assessment using the double materiality concept. This means that financial institutions should measure and analyze biodiversity-related financial materiality through the identification of risks and opportunities. Institutions should also assess their impacts on biodiversity, for example, through calculation of their biodiversity footprint. This can start with classifying exposures’ impact and dependency on biodiversity based on a sector-level analysis.
  2. Integrate biodiversity-related risks considerations into their business strategy and risk management frameworks. From a business perspective, if material, financial institutions are expected to integrate biodiversity in their business strategy, and set policies and targets to manage the risks. Such actions could be engagement with clients to promote their sustainability practices, allocation of financing to ‘biodiversity-friendly’ projects, and/or development of biodiversity specific products. Moreover, institutions are expected to adjust their risk appetites to account for biodiversity-related risks and opportunities, establish KRIs along with limits and thresholds. Embedding material ESG risks in the risk appetite frameworks should include a description on how risk indicators and limits are allocated within the banking group, business lines and branches.

Considering the potential impact of biodiversity loss on financial institutions, it is crucial for them to extend their focus beyond climate change and also start assessing and managing biodiversity risks. Zanders can support financial institutions in measuring biodiversity-related risks and taking first steps in integrating these risks into risk frameworks. Curious to hear more on this? Please reach out to Marije Wiersma, Iryna Fedenko, or Jaap Gerrits.


[1] CSRD applies to large EU companies, including banks and insurance firms. The first companies subject to CSRD must disclose according to the requirements in the European Sustainability Reporting Standards (ESRS) from 2025 (over financial year 2024), and by the reporting year 2029, the majority of European companies will be subject to publishing the CSRD reports. The sustainability report should be a publicly available statement with information on the sustainability-matters that the company considers material. This statement needs to be audited with limited assurance.


[i] PBAF. (2023). Dependencies - Pertnership for Biodiversity Acccounting Financials (PBAF)

[ii] De Nederlandche Bank. (2020). Indepted to nature - Exploring biodiversity risks for the Dutch Financial Sector.

[iii] CBD. (2005). Handbook of the convention on biological diversity

[iv] IPBES. (2021). Tackling Biodiversity & Climate Crises Together & Their Combined Social Impacts

[v] ASN Bank (2022). ASN Bank Biodiversity Footprint

[vi] Paulson Institute. (2021). Financing nature: Closing the Global Biodiversity

[vii] De Nederlandche Bank. (2020). Indepted to nature - Exploring biodiversity risks for the Dutch Financial Sector

[viii] PwC for World Economic Forum. (2010). Biodiversity and business risk

[ix] All the examples related to credit and market risk are presented in the report by De Nederlandsche Bank. (2020). Biodiversity Opportunities and Risks for the Financial Sector

[x] ECB. (2020). Guide on climate-related and environmental risks.

[xi] EBA. (2021). EBA Report on Management and Supervision of ESG Risk for Credit Institutions and Investment Firms

The 2023 Banking Turmoil

November 2023
8 min read

The European Central Bank (ECB) is charting new territories in the realm of financial security with a groundbreaking thematic stress test slated for 2024


Early October, the Basel Committee on Banking Supervision (BCBS) published a report[1] on the 2023 banking turmoil that involved the failure of several US banks as well as Credit Suisse. The report draws lessons for banking regulation and supervision which may ultimately lead to changes in banking regulation as well as supervisory practices. In this article we summarize the main findings of the report[2]. Based on the report’s assessment, the most material consequences for banks, in our view, could be in the following areas:

  • Reparameterization of the LCR calculation and/or introduction of additional liquidity metrics
  • Inclusion of assets accounted for at amortized cost at their fair value in the determination of regulatory capital
  • Implementation of extended disclosure requirements for a bank's interest rate exposure and liquidity position
  • More intensive supervision of smaller banks, especially those experiencing fast growth and concentration in specific client segments
  • Application of the full Basel III Accord and the Basel IRRBB framework to a larger group of banks

Bank failures and underlying causes

The BCBS report first describes in some detail the events that led to the failure of each of the following banks in the spring of 2023:

  • Silicon Valley Bank (SVB)
  • Signature Bank of New York (SBNY)
  • First Republic Bank (FRB)
  • Credit Suisse (CS)

While each failure involved various bank-specific factors, the BCBS report highlights common features (with the relevant banks indicated in brackets).

  • Long-term unsustainable business models (all), in part due to remuneration incentives for short-term profits
  • Governance and risk management did not keep up with fast growth in recent years (SVB, SBNY, FRC)
  • Ineffective oversight of risks by the board and management (all)
  • Overreliance on uninsured customer deposits, which are more likely to be withdrawn in a stress situation (SVB, SBNY, FRC)
  • Unprecedented speed of deposit withdrawals through online banking (all)
  • Investment of short-term deposits in long-term assets without adequate interest-rate hedges (SVB, FRC)
  • Failure to assess whether designated assets qualified as eligible collateral for borrowing at the central bank (SVB, SBNY)
  • Client concentration risk in specific sectors and on both asset and liability side of the balance sheet (SVB, SBNY, FRC)
  • Too much leniency by supervisors to address supervisory findings (SVB, SBNY, CS)
  • Incomplete implementation of the Basel Framework: SVB, SBNY and FRB were not subject to the liquidity coverage ratio (LCR) of the Basel III Accord and the BCBS standard on interest rate risk in the banking book (IRRBB)

Of the four failed banks, only Credit Suisse was subject to the LCR requirements of the Basel III Accord, in relation to which the BCBS report includes the following observations:

  • A substantial part of the available high quality liquid assets (HQLA) at CS was needed for purposes other than covering deposit outflows under stress, in contrast to the assumptions made in the LCR calculation
  • The bank hesitated to make use of the LCR buffer and to access emergency liquidity so as to avoid negative signalling to the market

Although not part of the BCBS report, these observations could lead to modifications to the LCR regulation in the future.

Lessons for supervision

With respect to supervisory practices, the BCBS report identifies various lessons learned and raises a few questions, divided into four main areas:

1. Bank’s business models

  • Importance of forward-looking assessment of a bank’s capital and liquidity adequacy because accounting measures (on which regulatory capital and liquidity measures are based) mostly are not forward-looking in nature
  • A focus on a bank’s risk-adjusted profitability
  • Proactive engagement with ‘outlier banks’, e.g., banks that experienced fast growth and have concentrated funding sources or exposures
  • Consideration of the impact of changes in the external environment, such as market conditions (including interest rates) and regulatory changes (including implementation of Basel III)

2. Bank’s governance and risk management

  • Board composition, relevant experience and independent challenge of management
  • Independence and empowerment of risk management and internal audit functions
  • Establishment of an enterprise-wide risk culture and its embedding in corporate and business processes.
  • Senior management remuneration incentives

3.Liquidity supervision

  • Do the existing metrics (LCR, NSFR) and supervisory review suffice to identify start of material liquidity outflows?
  • Should the monitoring frequency of metrics be increased (e.g., weekly for business as usual and daily or even intra-day in times of stress)?
  • Monitoring of concentration risks (clients as well as funding sources)
  • Are sources of liquidity transferable within the legal entity structure and freely available in times of stress?
  • Testing of contingency funding plans

4. Supervisory judgment

  • Supplement rules-based regulation with supervisory judgment in order to intervene pro-actively when identifying risks that could threaten the bank’s safety and soundness. However, the report acknowledges that a supervisor may not be able to enforce (pre-emptive) action as long as an institution satisfies all minimum requirements. This will also depend on local legislative and regulatory frameworks

Lessons for regulation

In addition, the BCBS report identifies various potential enhancement to the design and implementation of bank regulation in four main areas:

1. Liquidity standards

  • Consideration of daily operational and intra-day liquidity requirements in the LCR, based on the observation that a material part of the HQLA of CS was used for this purpose but this is not taken into account in the determination of the LCR
  • Recalibration of deposit outflows in the calculation of LCR and NSFR, based on the observation that actual outflow rates at the failed banks significantly exceeded assumed outflows in the LCR and NSFR calculations
  • Introduction of additional liquidity metrics such as a 5-day forward liquidity position, survival period and/or non-risk based liquidity metrics that do not rely on run-off assumptions (similar to the role of the leverage ratio in the capital framework)

2. IRRBB

  • Implementation of the Basel standard on IRRBB, which did not apply to the US banks, could have made the interest rate risk exposures transparent and initiated timely action by management or regulatory intervention.
  • More granular disclosure, covering for example positions with and without hedging, contractual maturities of banking book positions and modelling assumptions 

3. Definition of regulatory capital

  • Reflect unrealised gains and losses on assets that are accounted for at amortised cost (AC) in regulatory capital, analogous to the treatment of assets that are classified as available-for-sale (AFS). This is supported by the observation that unrealised losses on fixed-income assets held at amortised cost, resulting from to the sharp rise in interest rates, was an important driver of the failure of several US banks when these assets were sold to create liquidity and unrealised losses turned into realised losses. The BCBS report includes the following considerations in this respect:
    • If AC assets can be repo-ed to create liquidity instead of being sold, then there is no negative impact on the financial statement
    • Treating unrealised gains and losses on AC assets in the same way as AFS assets will create additional volatility in earnings and capital
    • The determination of HQLA in the LCR regulation requires that assets are measured at no more than market value. However, this does not prevent the negative capital impact described above
  • Reconsideration of the role, definition and transparency of additional Tier-1 (AT1) instruments, considering the discussion following the write-off of AT1 instruments as part of the take-over of CS by UBS

4. Application of the Basel framework

  • Broadening the application of the full Basel III framework beyond internationally active banks and/or developing complementary approaches to identify risks at domestic banks that could pose a threat to cross-border financial stability. The events in the spring of this year have demonstrated that distress at relatively small banks that are not subject to the (full) Basel III regulation can trigger broader and cross-border systemic concerns and contagion effects.
  • Prudent application of the ‘proportionality’ principle to domestic banks, based on the observation that financial distress at such banks can have cross-border financial stability effects
  • Harmonization of approaches that aim to ensure that sufficient capital and liquidity is available at individual legal entity level within banking groups

Conclusion

The BCBS report identifies common shortcomings in bank risk management practices and governance at the four banks that failed during the 2023 banking turmoil and summarizes key take-aways for bank supervision and regulation.

The identified shortcomings in bank risk management include gaps in the management of traditional banking risks (interest rate, liquidity and concentration risks), failure to appreciate the interrelation between individual risks, unsustainable business models driven by short-term incentives at the expense of appropriate risk management, poor risk culture, ineffective senior management and board oversight as well as a failure to adequately respond to supervisory feedback and recommendations.

Key take-aways for effective supervision include enforcing prompt action by banks in response to supervisory findings, actively monitoring and assessing potential implications of structural changes to the banking system, and maintaining effective cross-border supervisory cooperation.

Key lessons for regulatory standards include the importance of full and consistent implementation of Basel standards as well as potential enhancements of the Basel III liquidity standards, the regulatory treatment of interest rate risk in the banking book, the treatment of assets that are accounted for at amortised cost within regulatory capital and the role of additional Tier-1 capital instruments.

The BCBS report is intended as a starting point for discussion among banking regulators and supervisors about possible changes to banking regulation and supervisory practices. For those interested in engaging in discussions related to the insights and recommendations in the BCBS report, please feel free to contact Pieter Klaassen.


[1] Report on the 2023 banking turmoil (bis.org) (accessed on October 19, 2023)

[2] Although recognized as relevant in relation to the banking turmoil, the BCBS report explicitly excludes from its consideration the role and design of deposit guarantee schemes, the effectiveness of resolution arrangements, the use and design of central bank lending facilities and FX swap lines, and public support measures in banking crises.

This site is registered on wpml.org as a development site.