The Bank for International Settlements' Financial Stability Institute published an FSI Brief that takes stock of how authorities are using cyber stress tests to assess banks’ preparedness for severe cyber-related operational disruptions and, in some cases, to gauge potential financial stability impacts. Drawing on the limited public disclosures available, the brief identifies two main design models, either firm-focused exercises aimed at weaknesses in individual banks’ operational resilience frameworks or system-focused exercises aimed at the resilience of the financial system to a common shock. The brief reviews recent exercises disclosed by the Bank of England, the Danish Financial Supervisory Authority and European Central Bank Banking Supervision, and links the choice of approach to implications for scope, scenario design, participation, resourcing, engagement with firms, and follow-up. It notes that cyber stress tests are typically qualitative tabletop-style exercises rather than pass/fail assessments, with outputs often collected via questionnaires and validated through benchmarking, workshops, or additional supervisory scrutiny for selected firms. Given the sensitivity of cyber vulnerabilities, public disclosure is generally limited to aggregated lessons, with firmer constraints in firm-focused tests, while follow-up can range from confidential firm-level feedback to integration into ongoing supervisory processes. Looking ahead, the brief argues that repeating cyber stress tests and improving transparency on methodologies can help establish better practices, while recognising confidentiality constraints. It also points to areas for further development, including wider cross-sector and cross-border disruptions, broader participation (including non-bank financial institutions and critical third-party providers), and more complete planning for authorities’ own communication and coordination in system-wide scenarios.

Original source View in tracker