As attacks grow, EU mulls banking stress tests for cyber risks

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

By Francesco Guarascio BRUSSELS (Reuters) - The European Union is considering testing banks' defenses against cyber attacks, EU officials and sources said, as concerns grow about the industry's vulnerability to hacking. Cyber attacks against banks have increased in numbers and sophistication in recent years, with criminals finding new ways to target banks beyond trying to illicitly obtain details of their customers' online accounts. Last February $81 million was taken from the Bangladesh central bank when hackers broke into its system and gained access to the SWIFT international transactions network. Global regulators have tightened security requirements for banks after that giant cyber fraud, one of the biggest in history, and in some countries have carried out checks on lenders' security systems. But complex cyber attacks have kept rising, as revealed in November by SWIFT in a letter to client banks and by the theft of 2.5 million pounds ($3 million) from Tesco Plc's banking arm in the first mass hacking of accounts at a Western lender. Banks "are struggling to demonstrate their ability to cope with the rising threat of intruders gaining unauthorized access to their critical systems and data," a report of the European Banking Authority (EBA) warned in December. The next step from European regulators to boost security could be an EU-wide stress test. The European executive commission is assessing additional initiatives to counter cyber attacks, a commission official told Reuters. "These include cyber-threat information sharing or penetration and resilience testing of systems." The European Central Bank announced last year it would set up a database to register incidents of cyber crime at commercial banks in the 19-country euro zone. But exchanges of information among national authorities on cyber incidents remains scant. The Commission is studying whether EU-wide tests would help step up security, a source at the EU executive said. This would be in addition to controls already carried out by national authorities. EBA, which is in charge of stress-testing the bloc's banks, is expected to detail in summer the checks it intends to conduct in the next exercise planned in mid 2018. EBA tests banks' capital cushions and can conduct checks on specific issues. Last year it monitored risks caused by fines, as EU lenders faced sanctions from U.S. regulators. An EBA official said cyber security was on the agency's radar but no decision had been made on a possible stress test. The body's chairman, Andrea Enria, has urged EU states to stress-test their financial institutions for cyber risks. Lloyds Banking Group is working with law enforcement agencies to trace who was behind a cyber attack that caused intermittent outages for customers of its personal banking websites almost two weeks ago, according to a source familiar with the incident. Lloyds said it would not speculate on the cause of the attack. No customers suffered any losses. BLOCKCHAIN As European banks keep relying on digital infrastructure that is "rigid and outdated", according to EBA, regulators are considering new technologies that could boost security. Blockchain, the technology behind the most successful virtual currency, Bitcoin, is being closely monitored in Brussels "to establish the advantages and possible risks" but also to weigh possible moves to enable blockchain where it is hindered, the Commission source said. More than 1 billion euros have been invested in blockchain startups, a World Economic Forum report said. The EU agency for network and information security (ENISA) said in a report last week the technology offered new opportunities and could cut costs, but may also pose new cyber security challenges, mostly caused by its decentralized network.