Cyber stress testing strengthens the operational resilience of the financial sector

Published 07-11-2024

Earlier this year the Danish Financial Supervisory Authority (DFSA) reported the results of its first cyber stress test. The test yielded important insights for both the participating companies as well as the supervisory authority. The complete report and its key findings are now accessible in English.

The reliance on information technology is significantly growing, a trend that is clearly evident in the financial sector. As this dependence increases, it becomes increasingly vital to mitigate cyber threats and disruptions. Consequently, it is more crucial than ever for financial companies to be well-prepared to manage extensive and prolonged IT disruptions.

The Danish FSA, in collaboration with seven companies, has developed and implemented a new method, a cyber stress test, which examines the companies' ability to manage extensive IT disruptions.

"The test provides all participating companies and the DFSA with valuable learning points and has strengthened our mutual understanding of how companies should handle major IT disruptions," says Deputy Director Karen Dortea Abelskov, who is responsible for the DFSA's cyber stress testing.

The cyber stress test offers companies insights into several critical themes, including:

  • Timeframe for restoring normal IT operations
  • Continuation of critical business functions without normal IT
  • Overview of the consequences of the outage
  • Communication as an integrated part of contingency plans and crisis management
  • Coordination of emergency response

A key learning, is that what originates as an extensive IT disruption will have consequences for critical operations of the affected companies and must be handled by the entire organization.

Both the companies which participated in the test and other companies can enhance their operational resilience by working with these learning points.

"We have had very good cooperation with the sector. Everyone has approached the task with the mindset, that together we need to improve our understanding of how best to prepare the financial sector to handle IT and cyber disruptions," says Karen Dortea Abelskov.

The test was conducted as a learning exercise and has not led to any supervisory actions.

The publication of the report on the results of the cyber stress test marked the first round of tests. In 2025, the DFSA, in collaboration with the Danish National Bank, will conduct another cyber stress test focusing on how an extensive, prolonged IT disruption would be handled across actors in the sector and what consequences it would have at the sector level.

Read the full report on the cyber stress test

Fact box

The Danish Financial Supervisory Authority's first cyber stress test specifically targeted retail payments, a societal critical area with significant importance for citizens' daily lives.

Seven companies participated in the test: Danske Bank, Jyske Bank, Nykredit, Sydbank, as well as the data centers JN Data, BEC, and Bankdata.

 

Contact

Marie Schelde Holde
Deputy Director