ESRB publishes report on operational policy tools for cyber resilience

16 April 2024

As part of its macroprudential strategy to advance system-wide cyber resilience, the European Systemic Risk Board (ESRB) today published a report focusing on three groups of operational policy tools:

1. Tools for gathering, sharing and managing information provide high-quality data for monitoring, tool calibration and ex post management of systemic cyber incidents. These tools, as well as cyber incident reporting centres, are vital for an EU-wide information sharing mechanism.
2. Coordination tools help authorities and financial institutions mitigate potential negative effects on financial stability by ensuring an effective joint response across all stakeholders. The ongoing implementation of a pan-European systemic cyber incident coordination framework (EU-SCICF) will greatly improve efforts in this regard.
3. Emergency and backup systems which are put in place to help ensure continuity of critical economic functions even in acute emergency situations.

Against this background, three avenues may be considered by private and public institutions:

1. improving information management and information sharing efforts;
2. aligning crisis management and coordination practices;
3. considering the pros and cons of system-wide contingency options and backup arrangements.

This report builds on the ESRB’s extensive work on how to mitigate risks from a systemic cyber incident. The ESRB’s first report on systemic cyber risk lays the conceptual foundation for a macroprudential response to systemic cyber risk. The report on mitigating systemic cyber risk includes the basis for the systemic impact tolerance objective (SITO) approach to define thresholds beyond which macroprudential policy responses may be needed to avoid severe damage to the financial sector. The report on advancing macroprudential tools for cyber resilience evaluates preventative and remedial responses in the hands of authorities, including the use of capital buffers and cyber resilience scenario testing (CyRST).

The ESRB will continue its work on a comprehensive macroprudential cyber strategy, which will also be in line with the implementation of the Digital Operational Resilience Act (DORA). It is currently piloting the SITO approach, reviewing recent developments in CyRST and further analysing synergies from combining operational and financial policy tools. The European Systemic Cyber Group continues to serve as a hub for macroprudential authorities in the European Economic Area, in collaboration with the Bank of England.

For media queries, please contact Clara Martín Marqués, tel.: +49 69 1344 17919.