
Cyber resilience stress testing from a macroprudential perspective

Prepared by Robert Vermeulen[1], Matthias Sydow[2], Claire Brousse[3], Fernando Cascão[4], Jose Fique[5], Carla Marques[6], Juho Nyholm[7] and Fleurilys Virel[8],[9]

Published as part of the Macroprudential Bulletin, March 2025.

Cyberattacks pose greater risk to financial stability than ever before as they have grown in both number and magnitude. A macroprudential perspective on cyber resilience stress testing is needed because cyber incidents can have a systemic impact as their effects spread across the financial sector via operational, financial and confidence mechanisms. While broader stress-testing principles also apply to cyber stress testing, stress testers need to focus in particular on clearly defining overall objectives, determining the institutional perimeter, identifying material risk propagation channels, focusing on tail risks, considering relevant behavioural responses and combining the outcomes of bottom-up and top-down exercises. Based on these principles, cyber resilience stress tests can be executed by following a bottom-up as well as a top-down approach. Top-down models can complement bottom-up results by providing harmonised modelling of system-wide financial interlinkages, behavioural responses and second-round effects.

1 Introduction

The increasing digitalisation of financial services and the rapidly changing nature of cyber threats, especially amid heightened geopolitical tensions, have brought cyber risk concerns to the forefront for central banks, financial supervisory authorities and financial institutions. A recent report on macroprudential tools for cyber resilience prepared by the European Systemic Risk Board (ESRB, 2024) indicates that the variety and number of cyberattacks grew significantly in 2023.[10] In the systemic risk survey conducted by the Bank of England for the first half of 2024,[11] 70% of respondents cited cyberattacks as a source of risk to the United Kingdom’s financial system. Such attacks were the second most frequently cited source of risk after geopolitical risk.

The ECB defines cyber resilience as the ability to protect electronic data and systems from cyberattacks, and to resume business operations quickly in the event of a successful cyberattack.[12] Beyond the vulnerabilities specific to each institution, cyber incidents can trigger instability and can have systemic repercussions for the financial system. These repercussions include the interruption of critical financial market functions and the loss of confidence once a critical level has been reached, which can result in significant asset price volatility and bank runs. Furthermore, cyber incidents can extend beyond the financial system as cyberattacks can affect other critical infrastructures, e.g. third-party providers that support both the financial and other sectors.

Cybersecurity breaches in the financial sector are inevitable; however, the unpredictability of the timing of such breaches and the methods used underscores the critical importance of financial system resilience. This reflects the capacity of the system not only to withstand shocks but also to adapt to evolving threats.[13] We have not yet experienced a systemic cyber crisis, although even a single cyber incident could have the potential to evolve rapidly into a systemic crisis if it undermined public confidence in financial infrastructure (see, for example, ESRB (2020)). Strengthening the resilience of our financial system is therefore of the utmost importance.

The inherently systemic nature of cyber threats means they must be integrated into the macroprudential framework as a novel risk category. Regulators, supervisors and policymakers recognise the urgency of developing a robust macroprudential approach for cyber risks and are actively engaged in initiatives designed to develop the framework. Their ongoing efforts are essential in shaping a resilient financial landscape capable of withstanding and responding to the dynamic challenges posed by cyber threats.[14]

The first, crucial, step in the macroprudential framework should be to understand cyber risk within the financial system and the level of resilience within that system – stress tests are useful tools in this step. At the microprudential level, the ECB’s announcement in 2024 that 109 banks under its supervision would be tested to gauge their ability to respond and recover after a successful cyberattack represented a significant innovation.[15] Although the ECB’s approach was aligned with the conceptual framework developed by the ESRB for testing systemic cyber resilience, the focus was on the resilience of individual banks (i.e. a broader systemic perspective was not adopted).

A framework for stress testing banks from a macroprudential perspective would be a desirable addition when assessing resilience levels from a systemic perspective, taking systemically important institutions and corresponding transmission and amplification mechanisms into consideration. The systemic cyber resilience scenario testing presented by the ESRB[16] provides a conceptual framework for a bottom-up approach which could be complemented by a top-down approach. Such a framework would also consider amplification factors such as interconnections and common dependencies and vulnerabilities.

This article provides a comprehensive discussion of how cyber incidents, whether at an individual institution or multiple institutions, could evolve into a systemic crisis. The article details potential transmission and amplification mechanisms and looks at how such mechanisms can be captured effectively by the overarching principles of cyber stress testing from a macroprudential perspective. While existing stress testing principles remain applicable when conducting macroprudential cyber stress tests, it is important to consider the specificities of cyber incidents and define clearly what a stress test can and cannot capture.

Section 2 describes the contagion channels propagating cyber incidents. Section 3 elaborates on how a top-down stress testing approach can complement bottom-up stress testing approaches to gauge cyber risk. Section 4 defines the key principles and elements of a macroprudential cyber stress-testing framework. Section 5 concludes.

2 Contagion channels propagating cyber incidents

Contagion may arise and amplify across the financial system through three main transmission channels: operational, financial and confidence (ESRB, 2020; Bank of England, 2024). The three channels can interact with each other and incidents may be transmitted between institutions. For example, a cyber incident disrupting the payments network within an individual bank may cause a ripple effect which impacts the liquidity and operations of other banks (IMF, 2024). In particular, loss of confidence is a crucial transmission channel, as confidence can be difficult to restore once lost, whereas operational and financial contagion can be mitigated by applying workaround solutions (e.g. manually processing impaired systems or finding alternative sources of funding).

The first contagion channel can, due to its operational nature, amplify shocks through technological dependencies such as critical infrastructures or through essential software offered by a small number of third-party providers. The lack of available substitutes for such software or systems during a cyber incident, combined with a reliance of many market participants on these systems, can lead to the disruption of key financial and payment services or market liquidity. In February 2023, several market participants in the United States (US) and the European Union were affected by a ransomware incident targeting ION, a large financial trading services group. ION was unable to process its transactions until the issue had been resolved.

Disrupting critical infrastructures or economic functions, such as payment services, can have systemic consequences. Critical financial services include securities custody, central clearing or payment services such as real-time gross settlement systems and the SWIFT messaging system. These crucial systems are potential single points of failure in the global payment infrastructure. Disruption of these services can jeopardise payments and settlements worldwide. The pre-mortem modelling carried out by the Federal Reserve Bank of New York is an example of an assessment of the potential impact of such disruptions.[17] It shows that a cyber incident in the wholesale payments network at one of the five largest participants in the US payment system would affect, on average, 38% of the network (as a share of US banking system assets). Another source of vulnerability is a high level of concentration in the system. Concentration arises when there is a reliance on a small number of providers of a given service, meaning that an incident at one provider could have a disproportionate impact on the system (Bank of England, 2024). A cyber map identifying operational and technology connections may make it easier to detect concentration risks (Adelmann et al., 2020). Furthermore, the European Digital Operational Resilience Act (DORA), which came into application in January 2025, requires operational resilience testing for all financial institutions in scope of DORA and threat-led penetration testing to be carried out for the most critical financial institutions.

The second contagion channel, which is of a financial nature, is propagation through financial interconnections between institutions. Given the interconnectedness of the financial system, a cyber incident affecting one institution can spill over to other institutions. Also, a cyber incident affecting multiple institutions can increase counterparty credit risk. Moreover, loss of access to funding leads to market volatility and liquidity stress in markets (IMF, 2024). For example, on 9 November 2023 a ransomware attack crippled the IT systems of the US financial services arm of Industrial and Commercial Bank of China. This cyberattack paralysed the bank’s IT systems, disrupting the processing of transactions on behalf of other market participants and the liquidity of the US Treasury bill market. The attack highlights the strong interconnections between market participants, the spillover from the operational to the financial channel and the risk of contagion spreading to the entire financial sector.

The third contagion channel relates to (loss of) confidence, which may trigger fire sale and bank-run dynamics. Loss of confidence can be fuelled by suspicions over an institution’s reliability. For example, customers may become concerned over temporary disconnections of systems or a data leak. Moreover, even just the disclosure of a cyber incident or data corruption can lead to a loss of confidence among clients and other financial institutions and can create liquidity stress for the financial institution concerned. Channels interact with each other since a loss of confidence on the part of investors could cause fire sales and asset price volatility. These events could cause panic among depositors, resulting in large deposit outflows and a “cyber run” (see Duffie and Younger, 2019).

When a cyber incident occurs during a period of financial stress the overall impact can be more severe than it normally would be. Specifically, a cyber incident during a period of stress may slow down market participants’ responses to liquidity requests, exacerbating the overall effects. Also, during fire sales financial institutions are obliged to liquidate their assets at heavily discounted prices, especially in the case of common asset holdings (Caccioli, Ferrara and Ramadiah, 2024), which generates further downward pressure on asset prices.

It is essential to consider the cross-border nature of all three contagion channels and the implications for a global financial system. Incidents in one jurisdiction can quickly spill over into another, meaning that cross-border coordination is essential to mitigate system-wide cyber risk (IMF, 2024). In addition, a cyber incident may be cross-border from the early stages if the impact is on a global institution (e.g. as in the case of CrowdStrike).[18] Cooperation between financial authorities and the financial sector is essential to limit the risk of cyber contagion (ESRB, 2024). Industry coordination aimed at identifying macro vulnerabilities and responding to cyber incidents may reduce contagion effects by promoting system-wide resilience.

3 Bottom-up and top-down approaches to cyber risk stress testing

Two complementary approaches exist for testing institutions’ resilience under severe but plausible cyber incident scenarios: bottom-up and top-down. In the first, a primarily bottom-up approach, institutions are asked to assess the extent to which they would be able to respond operationally and recover from a cyber incident, while continuing to provide key services. Institutions may have different assumptions on the behaviour of other market participants, thereby providing supervisors with more information on their reactions (ESRB, 2023). Such an approach is followed by the Bank of England,[19] the Banco de Portugal,[20] the Danish Financial Supervisory Authority[21] and the ECB.[22] In the second, the top-down approach, the supervisor has a model that contains individual institutions and their system-wide financial interlinkages, behavioural reactions and second-round effects, which can propagate stress to interconnected market participants that had not initially been affected. These elements are crucial for understanding the financial stability implications of cyber incidents that might be difficult to assess from the standpoint of individual institutions. One key difference between the two approaches is that in the bottom-up approach the starting point and reactions essentially reflect an operational channel, whereas the top-down approach mainly covers financial interconnections and implications.

3.1 Bottom-up approaches

The Bank of England’s 2022 cyber stress test assumed a successful attack on retail payments’ data integrity and assessed firms’ ability to respond and recover, as well as the potential financial stability impact of firms’ actions. The qualitative exercise covered not only individual firms’ actions and impacts but also systemic impacts (e.g. by considering coordination and communication within the industry). One of the main objectives of the exercise was to understand potential financial stability impacts rather than simply evaluate individual firms. The findings of the exercise supported recommendations for follow-up actions, both at the individual and the sector level, to improve operational resilience for the sector overall.

The ECB’s bottom-up approach simulated a stress test scenario in which a cyberattack disrupted the operations of banks, prompting them to activate emergency protocols and recovery strategies to restore normal function. Supervisors evaluated banks’ ability to respond to and recover from such disruptions. This qualitative exercise did not affect banks’ capital requirements under Pillar 2 guidance but it did inform the broader 2024 Supervisory Review and Evaluation Process. The results and insights were discussed with each bank during the Supervisory Review and Evaluation Process to assess their risk profiles and have helped to increase awareness of the strengths and weaknesses of banks’ cyber resilience frameworks. The ECB concluded that although banks have response and recovery frameworks in place, areas for improvement still remain.[23]

There is a substantial difference between the microprudential and the macroprudential use of bottom-up cyber resilience stress testing approaches. As illustrated by the ECB and Bank of England examples above, bottom-up cyber resilience stress tests can be developed for both microprudential and macroprudential purposes. However, the differing objectives need to be reflected in the stress test design, so a different exercise is required for each situation. The macroprudential objective should guide the scenario specification (e.g. a financial market infrastructure disruption rather than an individual bank disruption), participant selection and the design of the questionnaire in order to cover the different contagion channels. Lastly, the conclusions and consequences of the exercise should prioritise a system-wide understanding over an assessment of individual banks. Nevertheless, for the sake of optimising resources and reducing the burden on reporting institutions, both objectives can be combined in a single exercise, as shown by the Banco de Portugal experience, although this might require a certain amount of compromise, considering the differences between them.

3.2 Top-down approaches

Top-down models for analysing contagion and amplification effects could be used in combination with cyber scenarios, ideally guided by the outcome of a bottom-up exercise. The three contagion channels can be captured by their financial implications (e.g. the confidence channel can be reflected in fire-sale or bank-run dynamics). Figure 1 provides a visual illustration of how bottom-up and top-down approaches could be combined in an overarching macroprudential cyber stress test. Despite challenges relating to the quality of data and results derived from a bottom-up exercise, top-down liquidity (both market and funding) stress testing is a useful complementary tool that can process high-level results from a bottom-up cyber stress test (see, for example, Duffie and Younger, 2019; Eisenbach, Kovner and Lee, 2022a; Koo et al., 2022; Boungou, 2023). In the absence of stress testing results, hypothetical scenarios with a cyber narrative (see, for example, Kaffenberger and Kopp, 2019; ESRB, 2020), potentially informed by historical events (see, for example, Kotidis and Schreft, 2022), can be used to flesh out the possible financial stability implications of cyber incidents.

Figure 1

Complementarity of bottom-up and top-down approaches in macroprudential cyber stress testing

Additionally, a top-down approach to cyber resilience can more easily accommodate multiple scenarios and reverse stress testing than a bottom-up approach because it has comparatively low resource intensity, especially for large-scale exercises (see, for example, Koo et al., 2022).[24] This is a useful insight, since it is possible that certain cyberattacks could be timed by a malicious strategic actor to coincide with adverse conditions already present in the financial system.[25] This would warrant the use of multiple scenarios (see, for example, Eisenbach, Kovner and Lee, 2022a; Eisenbach, Kovner and Lee, 2022b).

The results of the top-down cyber stress test carried out by Koo et al. (2022) and the scenario analysis conducted by the ESRB (2020) indicate that contagion and amplification channels can lead to a systemic event, but only under rather extreme conditions. The cyber stress test carried out by Koo et al. studied two amplification channels through which a cyber incident could potentially cause a severe disruption to the Dutch banking sector. The first channel assumed operational problems related to the TARGET2 payment system and the second a cyber-induced loss of confidence sparking a bank run. ESRB (2020) explored different scenarios to conclude that although a systemic cyber incident was plausible it would require a special alignment of situations, including the activation of the confidence channel.

Finally, the results of top-down models can be used to benchmark and cross-check the financial results of bottom-up stress tests. For instance, models developed to analyse contagion effects via fire sales (e.g. Cont and Schaanning, 2017; Caccioli, Ferrara and Ramadiah, 2024; Fukker et al., 2022) could be used to sense-check institutions’ reported reactions and the assumed asset price responses under a cyber scenario underpinned by compromised price and position data (e.g. Hypothetical Scenario III in ESRB, 2020).
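As an added illustration (not part of the original article and not a model used by the authors or the institutions cited), the Python sketch below runs a stylised top-down exercise on a small "cyber map": it measures concentration on third-party providers, then propagates a provider outage through payment links to show second-round effects and the amplifying role of a behavioural response (liquidity hoarding). All institution and provider names, balances, the `stress_ratio` parameter and the propagation rule are constructed assumptions.

```python
"""Stylised top-down cyber stress test on a constructed "cyber map".

Added illustration only: names, figures and thresholds are constructed and
the propagation rule is a simplifying assumption, not a published model.
"""

# Constructed sample: total assets and liquidity buffer (EUR bn) and the
# third-party provider each institution depends on for payment processing.
INSTITUTIONS = {
    "BankA": {"assets": 500.0, "buffer": 40.0, "provider": "CloudX"},
    "BankB": {"assets": 300.0, "buffer": 25.0, "provider": "CloudX"},
    "BankC": {"assets": 150.0, "buffer": 10.0, "provider": "CloudY"},
    "BankD": {"assets": 50.0, "buffer": 8.0, "provider": "CloudZ"},
}

# Constructed expected intraday payments, PAYMENTS[sender][receiver], EUR bn.
PAYMENTS = {
    "BankA": {"BankC": 12.0, "BankD": 3.0},
    "BankB": {"BankC": 4.0, "BankD": 2.0},
    "BankC": {"BankA": 5.0, "BankD": 4.0},
    "BankD": {"BankA": 1.0},
}


def provider_concentration(institutions):
    """Share of system assets held by institutions relying on each provider."""
    total = sum(i["assets"] for i in institutions.values())
    assets = {}
    for inst in institutions.values():
        assets[inst["provider"]] = assets.get(inst["provider"], 0.0) + inst["assets"]
    return {p: a / total for p, a in assets.items()}


def herfindahl(shares):
    """Herfindahl index of the shares (1.0 means a single provider)."""
    return sum(s * s for s in shares.values())


def simulate_outage(provider, institutions, payments, stress_ratio=1.0):
    """Return the newly stressed institutions for each round of contagion.

    Round 0 (operational channel): institutions whose provider is down.
    Later rounds (financial channel): an institution stops paying once the
    inflows it misses from stressed senders exceed stress_ratio * its buffer.
    stress_ratio < 1 models precautionary liquidity hoarding.
    """
    stressed = {n for n, i in institutions.items() if i["provider"] == provider}
    rounds = [sorted(stressed)]
    while True:
        newly = []
        for name, inst in institutions.items():
            if name in stressed:
                continue
            missing = sum(payments.get(s, {}).get(name, 0.0) for s in stressed)
            if missing > stress_ratio * inst["buffer"]:
                newly.append(name)
        if not newly:  # fixed point reached, no further contagion
            return rounds
        stressed.update(newly)  # synchronous update at the end of the round
        rounds.append(sorted(newly))


def affected_share(rounds, institutions):
    """Share of system assets at institutions stressed in any round."""
    total = sum(i["assets"] for i in institutions.values())
    hit = sum(institutions[n]["assets"] for r in rounds for n in r)
    return hit / total


def stress_test(institutions, payments, stress_ratio=1.0):
    """Rank providers by the system-wide impact of an outage.

    Each row is (provider, direct share, total share, contagion rounds).
    """
    direct = provider_concentration(institutions)
    rows = []
    for provider in sorted(direct):
        rounds = simulate_outage(provider, institutions, payments, stress_ratio)
        rows.append((provider, direct[provider],
                     affected_share(rounds, institutions), len(rounds) - 1))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    shares = provider_concentration(INSTITUTIONS)
    print(f"Provider HHI: {herfindahl(shares):.3f}")
    for label, ratio in (("mechanical", 1.0), ("with hoarding", 0.4)):
        print(f"\nScenario: {label} (stress_ratio={ratio})")
        for prov, direct, total, n in stress_test(INSTITUTIONS, PAYMENTS, ratio):
            print(f"  {prov}: direct {direct:.0%}, total {total:.0%}, rounds {n}")
```

In the constructed data the gap between the direct and total shares is the second-round effect that individual institutions cannot see from their own standpoint, and lowering `stress_ratio` shows how a behavioural response widens an otherwise contained outage.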

4 Principles for cyber resilience stress testing

For macroprudential cyber resilience stress tests, certain cyber risk specificities and caveats need to be taken into account in a way that differs from traditional stress tests in finance. First, cyber risk may be viewed as a special case of operational risk – it can be non-monetary in nature and is difficult to quantify in a stress-test setting. Instead of trying to map a cyber incident onto a macroeconomic scenario and a financial loss, other techniques such as intelligence-led red team exercises might be better suited to revealing significant vulnerabilities.[26] Second, amplification through the operational contagion channel requires new modelling techniques that potentially go beyond the financial system, given that cyberattacks can simultaneously affect other critical infrastructure. A prominent example is the non-functioning of trading platforms and payment systems, which can change traditional amplification mechanisms.

In this section, the key points from the above discussion are distilled into a set of core principles and a framework for use during macroprudential cyber-risk stress testing.[27] While broader stress-testing principles apply to cyber stress testing (BCBS, 2018), the following stress testing principles are worth highlighting in particular.

Principle 1. Clearly define the overall objective of the exercise upfront (objective)

One key general principle of overarching importance in cyber stress testing is to define the overall objective of the exercise upfront. A cyber stress test is a complex exercise that requires a certain degree of simplification and simulation. The overall objective will guide the calibration and choices surrounding all the elements of the exercise. Defining an objective will ensure that the stress test provides an answer to the key question(s). The key output will then be focused on the objective of the exercise rather than capital requirements such as the CET1 ratio.

Principle 2. Define the institutional perimeter appropriately (coverage)

From a macroprudential perspective, it is essential to reach an understanding of how cyber incidents spread across the different segments of the financial system. Cyber stress tests should therefore cover a diverse set of institutions active in key financial markets (e.g. banks and financial market infrastructures) that align with the overall objectives of the exercise. Ideally, the coverage would extend beyond the “usual candidates” as stress tests might uncover interlinkages that could prove to be material when certain factors interact. In addition, as stress tests are inherently data intensive exercises, data availability (and granularity) will be a key factor in defining the perimeter. This is especially relevant in top-down quantitative stress tests. Finally, even if a multi-step approach is envisaged whereby the scenario underlying the exercise is based on the outcome of other cyber-risk assessment tools (e.g. bottom-up cyber-resilience scenario tests), the institutions in scope need not be the same across both exercises as contagion channels may differ. For example, a bottom-up exercise focusing on operational responses may indicate shock spillovers to non-banks. These non-banks can then be included in a top-down exercise to achieve more realistic modelling of financial amplification effects.

Principle 3. Identify material channels of risk propagation (channels of propagation)

To capture the full spectrum of second-round effects, a stress test should naturally include the relevant channels of risk propagation (see section 2) but should also focus on how these channels might reinforce each other. For instance, (market and/or funding) liquidity stress stemming from a loss of confidence may be so severe that it leads to solvency stress (and vice versa). At the same time, an appropriate balance needs to be struck between information content and the complexity of the exercise.

Principle 4. Focus on tail risks (scenario)

Ideally, given the complementarities explained above, the scenarios used in top-down cyber stress tests should be informed by the results of bottom-up cyber resilience scenario tests (as also pointed out in ESRB, 2022). Bearing in mind that the results of bottom-up cyber resilience stress tests are likely to be mainly qualitative, a scenario design for top-down financial stress tests would probably envisage the use of more traditional (high-frequency) financial scenario design tools. Consistency with a cyber narrative should be ensured (e.g. disrupted price discovery mechanisms would also be included when calibrating financial asset price shocks following a cyberattack). Alternatively, hypothetical severe-yet-plausible scenarios with a cyber narrative, potentially informed by past events, could be used to flesh out the potential financial stability implications of cyber incidents. Additionally, scenario design should consider cyber specificities, such as an attack by a strategic actor with malicious intent timed to coincide with heightened financial vulnerabilities. Finally, reverse stress testing might also prove to be a valuable tool which could be used to uncover non-linearities and previously concealed pockets of vulnerabilities.

Principle 5. Consider relevant behavioural responses (behavioural responses)

There would probably need to be a loss of confidence in the financial system for a cyber incident to morph into a full-blown systemic crisis. Market participants’ responses would be expected to further destabilise the financial system. Since top-down modelling is sufficiently flexible to allow for “rule-of-thumb” behaviour, this could be a way to introduce potentially amplifying behavioural responses over and above the “mechanical” operation of stress transmission channels (see also Principle 2). It could provide useful information in a bottom-up setting where there is no need to model such behaviour.

Principle 6. Use the results in a complementary manner (results)

A comprehensive assessment of the impact on financial stability would benefit from using the outcome of bottom-up exercises to design (financial) shock scenarios and possibly methodological features of the top-down exercise. Also, the results of the top-down stress test could be used to gain an understanding of financial stability implications that are difficult to ascertain from the standpoint of individual institutions. Additionally, the results of top-down analyses could contribute to the calibration of bottom-up cyber resilience stress tests. They could do this by providing insights regarding the magnitude of the financial losses from a cyber incident that could, in turn, trigger second-round financial losses.

5 Conclusion

The purpose of macroprudential policy is to enhance the financial system’s resilience when it comes to absorbing risks, ensuring adequate financial intermediation. To achieve this objective, a macroprudential framework makes use of risk and vulnerability analyses to determine policy measures in order to minimise the probability of systemic risks materialising by improving resilience. A macroprudential toolbox may be seen as a set of instruments developed and implemented by macroprudential authorities to prevent such risks from materialising.

Current macroprudential tools are calibrated to tackle risks stemming from financial activities such as excessive lending, but these tools are not specifically designed to mitigate (operational) cyber risk. The ESRB has argued that to explicitly cover systemic cyber risk the macroprudential framework would have to be amended in three main areas: (i) the inclusion of systemic cyber risk aspects in the intermediate objectives; (ii) the development of an analytical framework and monitoring indicators; and (iii) the development of systemic cyber-risk-specific tools (ESRB, 2022). An analysis of the cyber resilience scenario would feed into the analytical framework, the aim being to build knowledge and identify points for improvement from the perspective of institutions and authorities alike.

Top-down cyber stress tests could fill the gap in analytical tools by providing a quantitative perspective. Such tests could be used in conjunction with bottom-up exercises to develop an overarching macroprudential cyber stress test. The tests could be designed to cover important transmission mechanisms and propagation channels as well as behavioural responses across their institutional perimeter. Modelling the propagation of a cyber shock through different channels and the related feedback effects could provide quantitative information on the financial system’s level of cyber resilience.

References

Adelmann, F., Elliott, J., Ergen, I., Gaidosch, T., Jenkinson, N., Khiaonarong, M.T., Morozova, A., Schwarz, N. and Wilson, C. (2020), “Cyber risk and financial stability: It’s a small world after all”, IMF Staff Discussion Note 2020/007, International Monetary Fund.

Bank of England (2024), Financial Stability in Focus: The FPC’s macroprudential approach to operational resilience.

BCBS (2018), Stress testing principles, Bank for International Settlements, October.

Boungou, W. (2023), “Cyber-attacks and banking intermediation”, Economics Letters, No 233, 111354.

Brando, D., Kotidis, A., Kovner, A., Lee, M. and Schreft, S.L. (2022), “Implications of cyber risk for financial stability”, FEDS Notes, Board of Governors of the Federal Reserve System, 12 May.

Caccioli, F., Ferrara, G. and Ramadiah, A. (2024), “Modelling fire sale contagion across banks and non-banks”, Journal of Financial Stability, No 71, 101231.

Cont, R. and Schaanning, E. (2017), “Fire sales, indirect contagion and systemic stress testing”, Indirect Contagion and Systemic Stress Testing, 13 June.

Duffie, D. and Younger, J. (2019), “Cyber Runs”, Hutchins Center Working Paper Series, No 51, Hutchins Center on Fiscal & Monetary Policy at Brookings, June.

Eisenbach, T.M., Kovner, A. and Lee, M.J. (2022a), “Cyber risk and the US financial system: A pre-mortem analysis”, Journal of Financial Economics, Vol. 145(3), pp. 802-826.

Eisenbach, T.M., Kovner, A. and Lee, M. (2022b), “When It Rains, It Pours: Cyber Risk and Financial Conditions”, Staff Reports, No 1022, Federal Reserve Bank of New York.

ECB (2025), TIBER-EU Framework: How to implement the European framework for Threat-Intelligence-based Ethical Red Teaming, January.

ECB (2024), “ECB to stress test banks’ ability to recover from cyberattack”, press release, 3 January.

ESRB (2020), Systemic Cyber Risk.

ESRB (2022), Mitigating systemic cyber risk.

ESRB (2023), Advancing macroprudential tools for cyber resilience.

ESRB (2024), Advancing macroprudential tools for cyber resilience – Operational policy tools, April.

Fukker, G., Kaijser, M., Mingarelli, L. and Sydow, M. (2022), “Contagion from market price impact: a price-at-risk perspective”, Working Papers, No 2692, European Systemic Risk Board.

IMF (2024), “Cyber Risk: A Growing Concern for Macrofinancial Stability”, Global Financial Stability Report, Chapter 3, April.

Kaffenberger, L. and Kopp, E. (2019), Cyber risk scenarios, the financial system, and systemic risk assessment, Carnegie Endowment for International Peace.

Koo, H., van der Molen, R., Pollastri, A., Verhoeks, R. and Vermeulen, R. (2022), “A macroprudential perspective on cyber risk”, Occasional Studies, Vol. 20 – 01, De Nederlandsche Bank.

Kotidis, A. and Schreft, S. (2022), “Cyberattacks and financial stability: Evidence from a natural experiment”, Finance and Economics Discussion Series, Board of Governors of the Federal Reserve System.

Ong, L.L. and Jobst, A. (eds.) (2020), Stress Testing: Principles, Concepts, and Frameworks, International Monetary Fund.

  1. De Nederlandsche Bank

  2. European Central Bank

  3. Banque de France

  4. Banco de Portugal

  5. Banque centrale du Luxembourg

  6. Banco de Portugal

  7. Suomen Pankki

  8. Banque de France

  9. This article is based on work conducted by the ECB’s Financial Stability Committee’s task force on top-down stress testing models co-chaired by David Adam (Banque de France) and Katrin Assenmacher (European Central Bank). The views expressed in this article are those of the authors only and do not necessarily reflect the views of the national central banks or the Eurosystem.

  10. See ESRB (2024).

  11. See the Bank of England’s Systemic Risk Survey Results - 2024 H1.

  12. See What is cyber resilience? on the ECB’s website.

  13. See “Macroprudential policy in Europe: building resilience in a challenging environment”, welcome remarks by Christine Lagarde, President of the ECB and Chair of the European Systemic Risk Board, at the sixth annual conference of the ESRB, 8 December 2022.

  14. See the Report from the Commission to the European Parliament and the Council on the macroprudential review for credit institutions, the systemic risks relating to Non-Bank Financial Intermediaries (NBFIs) and their interconnectedness with credit institutions, under Article 513 of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012.

  15. See ECB (2024), “ECB to stress test banks’ ability to recover from cyberattack”, press release, 3 January.

  16. See ESRB (2023).

  17. Eisenbach, Kovner and Lee (2022a).

  18. Another amplifier of the contagion channels arises when a cyberattack is part of a hybrid attack, for example when the cyberattack is combined with disinformation campaigns and physical attacks on critical infrastructure (e.g. undersea cables), which could amplify contagion in the confidence and operational channels.

  19. See Thematic findings from the 2022 cyber stress test.

  20. In 2024 the Banco de Portugal conducted a cyber resilience stress test combining microprudential and macroprudential approaches. It built on the ECB exercise, extending it to relevant institutions within the Portuguese banking system, and broadened the scope of the exercise to incorporate the systemic dimension, aligned with the ESRB’s systemic conceptual framework. For results, see the box entitled “Cyber resilience test: the instrument and experience of the Banco de Portugal”, Financial Stability Report, Banco de Portugal, November 2024.

  21. See Cyber stress testing strengthens the operational resilience of the financial sector.

  22. The ECB conducted a cyber resilience stress test on 109 directly supervised banks in 2024. The exercise assessed how banks respond to and recover from a cyberattack, rather than their ability to prevent one. See ECB concludes cyber resilience stress test.

  23. See ECB concludes cyber resilience stress test.

  24. At least once models are in production.

  25. Advanced persistent threats can remain undetected in a target’s system for an extended period during a pre-positioning stage ahead of timed disruptive or destructive cyberattacks. For instance, according to a recent joint cybersecurity advisory, six US agencies, in conjunction with allied cybersecurity and intelligence agencies from Australia, Canada, New Zealand and the United Kingdom, have observed signs of actors from Volt Typhoon (a cyber group allegedly sponsored by the People’s Republic of China) maintaining access and footholds within some US critical infrastructure (primarily communications, energy, transportation systems and water and wastewater systems) for at least five years.

  26. See, for instance, ECB (2025).

  27. Adapted from the general “best practice” principles outlined in Ong and Jobst (2020) and also drawing on the principles underlying cyber resilience stress testing put forward in ESRB (2023).