In the stress test methodology, participating banks are required to evaluate the impact of a cyber attack. They must communicate their response and recovery efforts by completing a questionnaire and submitting pertinent documentation. Banks undergoing enhanced assessment are further mandated to conduct and report the results of IT recovery tests specific to the scenario. The reporting of the cyber incident is to be done using the template outlined in the SSM Cyber-incident reporting framework.

Assessing Digital Fortitude: Scope and Objectives

The ECB's decision to conduct a thematic stress test on cyber resilience in 2024 holds profound significance. The primary objective is to assess the digital operational resilience of 109 Significant Institutions, contemplating the impact of a severe but plausible cybersecurity event. This initiative seeks to uncover potential weaknesses within the systems and derive strategic remediation actions. Notably, 28 banks will undergo an enhanced assessment, heightening the scrutiny on their cyber resilience capabilities. The outcomes are poised to reverberate across the financial landscape, influencing the 2024 SREP OpRisk Score and shaping qualitative requirements.

General Overview and Scope​

• Supervisory Board of ECB has decided to conduct a thematic stress test on „cyber resilience“ in 2024.​
• Main objective is to assess the digital operational resilience in case of a severe but plausible cybersecurity event, to identify potential weaknesses and derive remediation actions.​
• Participants will be 109 Significant Institutions (28 banks will be in scope of an enhanced assessment).​
• The outcome will have an impact on the 2024 SREP OpRisk Score and qualitative requirements.​

Navigating the Evaluation: Stress Test Methodology

Participating banks find themselves at the epicenter of this evaluative process. They are tasked with assessing the impact of a simulated cyber attack and meticulously reporting their response and recovery efforts. This involves answering a comprehensive questionnaire and providing relevant documentation as evidence. For those under enhanced assessment, an additional layer of complexity is introduced – the execution and reporting of IT recovery tests tailored to the specific scenario. The cyber incident reporting follows a structured template outlined in the SSM Cyber-incident reporting framework.

Stress Test Methodology​

• Participating banks have to assess the impact of the cyber-attack and report their response and recovery by answering the questionnaire and providing relevant documentation as evidence.​
• Banks under the enhanced assessment are additionally requested to execute and provide results of IT recovery tests tailored to the specific scenario.​
• The cyber incident has to be reported by using the template of the SSM Cyber-incident reporting framework.​

Setting the Stage: Scenario Unveiled

The stress test unfolds with a meticulously crafted hypothetical scenario. Envision a landscape where all preventive measures against a cyber attack have either been bypassed or failed. The core of this simulation involves a cyber-attack causing a loss of integrity in the databases supporting a bank's main core banking system. Validation of the affected core banking system is a crucial step, overseen by the Joint Supervisory Team (JST). The final scenario details will be communicated on January 2, 2024, adding a real-time element to this strategic evaluation.

Scenario

• The stress test will consist of a hypothetical scenario that assumes that all preventive measures have been bypassed or have failed.​
• The cyber-attack will cause a loss of integrity of the database(s) that support the bank’s main core banking system.​
• The banks have to validate the selection of the affected core banking system with the JST.​
• The final scenario will be communicated on 2 January 2024.​

Partnering for Success: Zanders' Service Offering

In the complex terrain of the Cyber Resilience Stress Test, Zanders stands as a reliable partner. Armed with deep knowledge in Non-Financial Risk, we navigate the intricacies of the upcoming stress test seamlessly. Our support spans the entire exercise, from administrative aspects to performing assessments that determine the impact of the cyber attack on key financial ratios as requested by supervisory authorities. This service offering underscores our commitment to fortifying financial institutions against evolving cyber threats.

Zanders Service Offering​

• Our deep knowledge in Non-Financial Risk enables us to navigate smoothly through the complexity of the upcoming Cyber Resilience Stress Test.​
• We support participating banks during the whole exercise of the upcoming Stress Test.​
• Our Services cover the whole bandwidth of required activities starting from administrative aspects and ending up at performing assessments to determine the impact of the cyber-attack in regard of key financial ratios requested by the supervisory authority.​​

Seventy banks have been considered, which is an increase of twenty banks compared to the previous exercise.  The portfolios of the participating banks contain around three quarters of all EU banking assets (Euro and non-Euro).  

Interested in how the four Dutch banks participating in this EBA stress test exercise performed? In this short note we  compare them with the EU average as represented in the results published [1].   

General comments

The general conclusion from the EU wide stress test results is that EU banks seem sufficiently capitalized. We quote the main 5 points as highlighted in the EBA press release [1]: 

• The results of the 2023 EU-wide stress test show that European banks remain resilient under an adverse scenario which combines a severe EU and global recession, increasing interest rates and higher credit spreads. 
   
• This resilience of EU banks partly reflects a solid capital position at the start of the exercise, with an average fully-loaded CET1 ratio of 15% which allows banks to withstand the capital depletion under the adverse scenario. 
   

• The capital depletion under the adverse stress test scenario is 459 bps, resulting in a fully loaded CET1 ratio at the end of the scenario of 10.4%. Higher earnings and better asset quality at the beginning of the 2023 both help moderate capital depletion under the adverse scenario. 
   
• Despite combined losses of EUR 496bn, EU banks remain sufficiently apitalized to continue to support the economy also in times of severe stress. 
   
• The high current level of macroeconomic uncertainty shows however the importance of remaining vigilant and that both supervisors and banks should be prepared for a possible worsening of economic conditions. 

For further details we refer to the full EBA report [1]. 

Dutch banks

Making the case for transparency across the banking sector, the EBA has released a detailed breakdown of relevant figures for each individual bank. We use some of this data to gain further insight into the performance of the main Dutch banks versus the EU average.

CET1 ratios

Using the data presented by EBA [2], we display the evolution of the fully loaded CET1 ratio for the four banks versus the average over all EU banks in the figure below. The four Dutch banks are: ING, Rabobank, ABN AMRO and de Volksbank, ordered by size.

From the figure, we observe the following: 

• Compared to the average EU-wide CET1 ratio (indicated by the horizontal lines in the graph above), it can be observed that three out of four of the banks are very close to the EU average. 
• For the average EU wide CET1 ratio we observe a significant drop from year 1 to year 2, while for the Dutch banks the impact of the stress is more spread out over the full scenario horizon.  
• The impact after year 4 of the stress horizon is more severe than the EU average for three out of four of the Dutch banks.  

Evolution of retail mortgages during adverse scenario

The most important product the four Dutch banks have in common are the retail mortgages. We look at the evolution of the retail mortgage portfolios of the Dutch banks compared to the EU average. Using EBA data provided [2], we summarize this in the following chart:

Based on the analysis above , we observe: 

• There is a noticeable variation between the banks regarding the migrations between the IFRS stages. 
• Compared to the EU average there are much less mortgages with a significant increase in credit risk (migrations to IFRS stage 2) for the Dutch banks. For some banks the percentage of loans in stage 2 is stable or even decreases. 

Conclusion

This short note gives some indication of specifics of the 2023 EBA stress applied to the four main Dutch banks.

Should you wish to go deeper into this subject, Zanders has both the expertise and track record to assist financial organisations with all aspects of stress testing. Please get in touch.

References

1. EU-wide stress testing | European Banking Authority (europa.eu) 

2. https://www.eba.europa.eu/assets/st23/full_database/TRA_CRE_IRB.csv