
Cyber risk stress testing for banks

2026-04-16 BIS 飞鹤萘酚

Patrizia Baudino

April 2026

FSI Briefs are written by staff members of the Financial Stability Institute (FSI) of the Bank for International Settlements (BIS), sometimes in cooperation with other experts. They are short notes on regulatory and supervisory subjects of topical interest and are technical in character. The views expressed in this

This publication is available on the BIS website (www.bis.org). To contact the BIS Global Media and Public team, please email media@bis.org. You can sign up for email alerts

Cyber risk stress testing by authorities for the banking sector

Highlights

• In the context of growing frequency and sophistication, and increasing potential impacts of cyber incidents, some authorities have disclosed that they are conducting cyber stress tests to enhance firm and sector resilience to operational disruptions, such as those caused by cyber attacks.

• These tests benefit both authorities and firms by identifying vulnerabilities and strengthening response and recovery mechanisms as well as, in some circumstances, identifying the financial stability impacts of such disruptions.

1. Introduction

In response to the increasing frequency, sophistication and potential impact of cyber incidents,² authorities have adopted a range of tools aimed at testing firms’ preparedness for managing cyber risk.

Ideally, a comprehensive testing programme for cyber risk should be composed of vulnerability assessments, scenario-based testing, penetration tests and red team tests (see Committee for Payment Systems and Infrastructure (CPMI) and International Organization of Securities Commissions (IOSCO), CPMI-IOSCO (2016)).³ Among these, scenario-based and penetration/red team testing offer a complementary approach to identifying weaknesses. Penetration/red team tests simulate cyber attacks on

1 Patrizia Baudino (patrizia.baudino@bis.org), Bank for International Settlements. The author is grateful to officials in the selected authorities and the European Systemic Risk Board Secretariat for helpful discussions, to Rodrigo Coelho, Ting Yang Koh, Jermy Prenio, Caleb Wu and Hao Ying Yang for insightful comments, and to Theodora Mapfumo for administrative support.

2 See for instance Khiaonarong and Shanyuan (2026) for a discussion of the rise of cyber events.

3 Global standard setters have provided guidance on the concept of cyber risk and methodologies to address it. In addition to the 2016 report by the BIS Committee for Payment Systems and Infrastructure (CPMI) and the International Organization of Securities Commissions (IOSCO), see also reports by the Basel Committee on Banking Supervision (BCBS (2018)), the Financial Stability Board (FSB (2023)), the International Association of Insurance Supervisors (IAIS (2023a,b)), the BIS Committee for

While cyber stress tests cannot fully replicate the impact of a real-life cyber incident, they provide authorities and firms with valuable insights into the effectiveness of their response processes. In particular, the static nature of such exercises allows firms to work through their planning and preparation, and assess

The relative novelty of cyber stress tests means that experience of conducting them is somewhat limited at the present time.⁵ Moreover, disclosure is currently very restricted, both in terms of the number of publishing authorities and the extent of the information that is released. This cautious approach reflects

Nonetheless, the Bank of England, the Danish Financial Supervisory Authority (DFSA) and the European Central Bank (ECB) Banking Supervision have recently published reports on their cyber stress tests (Bank of England (2025), DFSA (2024) and ECB (2024)).⁶ This FSI Brief reviews the main aspects of these three exercises, which were selected on the basis of the relatively more extensive disclosure and

Drawing on these examples, the Brief highlights critical considerations for authorities when designing and implementing cyber stress testing exercises. Section 2 defines a cyber stress test for the purposes of this paper. Section 3 introduces the two approaches authorities can adopt when conducting

2. Defining a cyber stress test

In principle, authorities can cover cyber risk in a stress test in two ways (ESRB (2022)).⁸ In one, cyber risk is included within existing financial stress testing, putting emphasis on financial losses stemming from a

5 The International Monetary Fund (IMF) has recently published a collection of good practices in cyber risk regulation and supervision, drawing from its financial surveillance and technical assistance work (Gaidosch et al, 2026). Furthermore, the IMF has supported financial authorities in enhancing their preparedness to address cyber risks. This effort is part of the work

6 The Bank of England is considered among the first authorities to disclose findings of its cyber stress tests, starting in 2023 (Bank of England (2023b)). For both the DFSA and the ECB, the exercises covered in this Brief are the first of their kind (references to the ECB Banking Su