1. Background
It is an objective in the 2025 strategy of the Danish Financial Supervisory Authority (DFSA) that the ICT security in the financial sector should match the sector’s ICT dependency as well as the threats. Moreover, the Danish National Strategy for Cyber and Information Security 2022-2024, which comprises the financial sector, has as its goal to secure that vital societal functions and economic activity in society can be maintained in a crisis in which critical ICT infrastructure is non-functional. Therefore, the DFSA launches this programme of cyber stress testing. The programme builds on, among other things, the work of Finansielt Sektorforum for Operationel Robusthed (FSOR, Financial Sector forum for Operational Robustness) chaired by the Central Bank of Denmark. The Central Bank is included in the programme as an advisory partner.
The programme is part of the DFSA’s response to the increasing cyber threats. In keeping with international recommendations from eg. The European Systemic Risk Board (ESRB) and the Basel Committee, this implies that it must be assumed that extensive disruptions are unavoidable. The ESRB has pointed to cyber stress testing as a valuable tool to provide information about the financial or cyber resilience of institutions and financial infrastructures, and the Bank of England has piloted cyber stress testing since 2019.
Through its supervision, the DFSA has identified a need for strengthening the ability of systemically important financial institutions (SIFIs) to restore operations following a serious disruption in light of the increasing threats described above. This includes, among other things, that the consequences of a disruption for the institutions and for the financial system, including the financial infrastructure, must be identified and assessed. Further, it should be clarified to which extent the institutions have adequate disaster recovery plans and sufficient business continuity plans.
2. Objective of the programme
The objective of the programme is to analyse what will happen in case of an extensive ICT disruption; both at enterprise and at sector level. Based on the knowledge about the consequences acquired in the programme, the DFSA will further the implementation of appropriate initiatives with the individual institutions in order to prevent and reduce the consequences of a disruption. Follow-up initiatives at sector level will be coordinated with The Central Bank of Denmark and initiatives in FSOR.
3. Initial project
The initial project will be an analysis of the consequences of an extensive ICT disruption via cyber stress testing at enterprise level.
The starting point is a scenario where a systemically important ICT service provider (and/or financial institution) experiences an extensive ICT disruption.
The financial institutions, which participate in the test, must map the operational consequences of the disruption step-by-step. E.g. mapping which business processes will be affected, describing the institutions’ business continuity plans in place, including approval processes for important decisions, and the extent to which these plans will enable the institution to continue its processes until normal ICT operations have been restored, and how. Further, the disaster recovery plans, that the service provider or financial institution has in place, must be described and documented, including how fast normal ICT operations can be restored.
Based on the detailed mapping of the operational consequences, the institutions must assess the financial, legal and reputational consequences of the disruption at various stages up until normal operations can be restored and provide supporting evidence.
Finally, depending on the results of the analyses, it will be assessed whether there is a need for additional measures/investments in the individual institutions and/or at sector level.
The financial institutions and ICT service providers, which will take part in the test, will be informed directly. As cyber stress testing is a new initiative, the DFSA will actively involve the test participants in the process.
4. Consultancy services
The DFSA expects to publish a contract notice shortly in order to procure consultancy services to assist the DFSA in the design and implementation of the initial cyber stress project.