European Central Bank sets out a macroprudential framework for cyber resilience stress testing

The European Central Bank published a Macroprudential Bulletin article outlining how cyber resilience stress testing can be designed from a macroprudential perspective, arguing that cyber incidents can have systemic effects as they propagate across the financial sector through operational, financial and confidence channels. It proposes combining institution-led bottom-up exercises with supervisor-run top-down modelling to capture system-wide interlinkages, behavioural responses and second-round effects. The article describes how contagion can be amplified by shared dependencies on critical infrastructures and concentrated third-party providers, by financial interconnectedness and funding stress, and by confidence shocks that can trigger fire sales and bank-run dynamics, with cross-border spillovers and coordination as central considerations. It distils six design principles for macroprudential cyber stress tests: define the objective upfront, set an appropriate institutional perimeter, identify material propagation channels and their interactions, focus on tail-risk scenarios, incorporate behavioural responses, and use bottom-up and top-down results in a complementary way for calibration and benchmarking. It also notes the limits of mapping cyber incidents to monetary losses and points to complementary tools such as intelligence-led red team exercises, while citing the ECB’s 2024 cyber resilience stress test of 109 directly supervised banks as an example of a qualitative bottom-up exercise focused on response and recovery.