Systemic banks have a regulatory obligation to have adequate measures in place to withstand large-scale cyber attacks. (Photo: Shutterstock)

Banking supervisors are warning European banks about the risk of cyber attacks from Russia, amid tensions over Ukraine. A coordinated campaign of cyber attacks could affect the stability of financial systems. In Luxembourg four systemic banks are at risk, and one of them explains that it is ready for any eventuality, while the Financial Sector Supervisory Commission (CSSF) is monitoring the situation and has issued a reminder of the regulatory framework.

Although the announcement by the Russian ministry of defence that it is to withdraw some of the troops stationed near the border with Ukraine has taken the diplomatic tension down a notch, the complexity of the latent conflict between Moscow and the West remains a reality. If it does not transpire on the traditional battlefield, the conflict may well move to computer networks, especially with cyber attacks on European banking infrastructures. It is indeed more difficult for soldiers and tanks to cross borders than for armies of hackers.

Earlier this week, the international press reported that the European Central Bank (ECB) is currently preparing banks for the possibility of cyber attacks coordinated by Moscow. The ECB first probed European banking institutions about their exposure to Russia in the face of the risk of new sanctions against stakeholders close to the Kremlin. Now, the ECB is reportedly seeking to learn more about the cyber security capabilities of the banks it supervises.

Sources have even suggested that banks are currently running "war games" to test their defences in the event of an attack campaign against them. The same is true in the United States where, according to Thomson Reuters' regulatory intelligence team, the state of New York has issued an alert to banks about possible retaliatory cyber attacks from Russia.

Cyber risk taken into account

When contacted by Delano’s sister publication Paperjam, the ECB declined to comment on the risk of coordinated cyber attacks against European banking institutions: “We cannot speculate on such scenarios.” However, we are told that the ECB expects banks to adhere to industry best practice and to remain vigilant to new cyber threats, especially in the current situation.

Coincidentally, the chairman of the ECB's supervisory board, Andrea Enria, held a press conference on 10 February where he addressed the subject of cyber security for banking institutions: “Cyber risk is indeed an area that is receiving increased attention from us. We recently had an in-depth discussion in our supervisory board and we have decided to raise the level of priority we assign to this issue in the future.”

Without specifically mentioning tensions with Russia, Andrea Enria raised the possibility of an increase in cyber attacks against banks due to the geopolitical context: “I would say that this is something we will focus on more this year, and something we are also drawing the attention of banks to, in relation to the potential worsening of global tensions that could indeed trigger more attacks.”

A systemic risk

According to the European Systemic Risk Board (ESRB), the body responsible for macro-prudential oversight of the European Union’s financial system, financial authorities need to give the cyber resilience of banks a greater place in their management of systemic risks. In this respect, a report published on 27 January recommends the establishment of a systemic coordination framework for cyber incidents.

The Luxembourg regulator, the Financial Sector Supervisory Commission (CSSF), tells us that the cyber security of the supervised entities is a permanent subject of attention. The CSSF also states that it keeps itself informed of the current context. On the other hand, it has not issued any recommendations following the tension between Russia and Ukraine and is not aware of any general communication on the risk of Russian cyber-attacks from the ECB to banks.

If the cyber attacks fall under systemic risk, then 115 European banks are affected, as they are supervised by the ECB because of the systemic risk they pose to the stability of the financial system. Four of these systemic banks are registered and operate in Luxembourg. Some of them, contacted by Paperjam about the risk of cyber attacks, find it difficult to comment due to the sensitivity of the issue.

One of these systemic banks present in Luxembourg agreed to answer our questions, without its name appearing publicly. The bank refused to provide detailed information on the security measures taken on a case-by-case basis, but “considers the security and reliability of its activities as well as data protection as one of its highest priorities.”

It also states that it takes into account “possible attacks at different levels” both “in the development phase and in the operation” of each of its activities. We are also told that IT security tools, control processes and budgets are developed on an ongoing basis.

Resilience as a regulatory requirement

Resilience to cyber attacks is a regulatory requirement for critical entities in the Luxembourg financial sector. They must be able to ensure their own resilience as well as that of the financial sector as a whole, following the joint adoption by the Central Bank of Luxembourg (BCL) and the CSSF of the European framework, Tiber, aimed at testing the response capacity of banking institutions to simulated cyber attacks.

“The main strength of Tiber is the secrecy of the exercise: only a few managers are informed, which implies a non-simulated reaction of the institutions’ employees,” explains the CSSF. The Tiber exercise is based on techniques and procedures actually used by cyberterrorists, placing the defence of the institutions in a credible situation.

More generally, the CSSF expects regulated entities to put in place both detective and preventive cyber security measures as well as mitigation and continuity measures for their critical activities. In case of a cyber attack, a financial institution is obliged to report it to the CSSF, which then ensures that the entity concerned effectively manages the incident and that an action plan is put in place to prevent the same incident from happening again.

This story was first published in French on  It has been translated and edited for Delano.