Patrizia Baudino

FSI Briefs are written by staff members of the Financial Stability Institute (FSI) of the Bank for International Settlements (BIS), sometimes in cooperation with other experts. They are short notes on regulatory and supervisory subjects of topical interest and are technical in character. The views expressed in this publication are those of the authors and do not necessarily reflect the views of the BIS, its member central banks or the Basel-based standard-setting bodies. Furthermore, the views expressed in this publication do not reflect the views of the authors’ employers or firms.

Authorised by the Chair of the FSI, Fernando Restoy.

This publication is available on the BIS website (www.bis.org). To contact the BIS Global Media and Public Relations team, please email media@bis.org. You can sign up for email alerts at www.bis.org/emailalerts.htm.

© Bank for International Settlements 2026. All rights reserved. Brief excerpts may be reproduced or translated provided the source is stated.

Cyber risk stress testing by authorities for the banking sector1

Highlights

• In the context of growing frequency and sophistication, and increasing potential impacts of cyber incidents, some authorities have disclosed that they are conducting cyber stress tests to enhance firm and sector resilience to operational disruptions, such as those caused by cyber attacks.
• These tests benefit both authorities and firms by identifying vulnerabilities and strengthening response and recovery mechanisms as well as, in some circumstances, identifying the financial stability impacts of such disruptions.
• Based on recent exercises, two distinct approaches emerge, namely firm- or system-focused cyber stress tests.
It is important for the authority in charge to select the approach that best reflects the institutional setup and the objectives of the stress test, ensuring consistency across all parts of the exercise.
• Continued enhancements and disclosure of the methodological aspects in cyber stress tests can help raise awareness and establish best practices.

1. Introduction

In response to the increasing frequency, sophistication and potential impact of cyber incidents,2 authorities have adopted a range of tools aimed at testing firms’ preparedness for managing cyber risk.

Ideally, a comprehensive testing programme for cyber risk should be composed of vulnerability assessments, scenario-based testing, penetration tests and red team tests (see Committee for Payment Systems and Infrastructure (CPMI) and International Organization of Securities Commissions (IOSCO), CPMI-IOSCO (2016)).3 Among these, scenario-based and penetration/red team testing offer a complementary approach to identifying weaknesses. Penetration/red team tests simulate cyber attacks on live systems to identify exploitable vulnerabilities.4 Conversely, scenario-based stress testing, or more broadly, a stress test, assumes that firms’ preventative measures have failed, and focuses on firms’ cyber incident response and their recovery, ie their operational resilience.

While cyber stress tests cannot fully replicate the impact of a real-life cyber incident, they provide authorities and firms with valuable insights into the effectiveness of their response processes. In particular, the static nature of such exercises allows firms to work through their planning and preparation, and assess its effectiveness. This, together with the extended timespan over which a stress test is conducted, gives firms and authorities room to identify critical arrangements in their response strategies, assess possible weaknesses in their design and reflect on their suitability.

The relative novelty of cyber stress tests means that experience of conducting them is somewhat limited at the present time.5 Moreover, disclosure is currently very restricted, both in terms of the number of publishing authorities and the extent of the information that is released. This cautious approach reflects the need to preserve confidentiality around the scope and findings of the exercises, to avoid exposing participating firms to malicious attacks.

Nonetheless, the Bank of England, the Danish Financial Supervisory Authority (DFSA) and the European Central Bank (ECB) Banking Supervision have recently published reports on their cyber stress tests (Bank of England (2025), DFSA (2024) and ECB (2024)).6 This FSI Brief reviews the main aspects of these three exercises, which were selected on the basis of the relatively more extensive disclosure and range of approaches they represent. They also exhibit a relatively high degree of comparability due to their shared focus on banks and the banking sector, and were nearly simultaneous.7

Drawing on these examples, the Brief highlights critical considerations for authorities when designing and implementing cyber stress testing exercises. Section 2 defines a cyber stress test for the purposes of this paper. Section 3 introduces the two approaches authorities can adopt when conducting a cyber stress test, ie either system o