On 16 April 2024, the European Systemic Risk Board (ESRB) published a report on operational policy tools for cyber resilience.

The report builds on the ESRB’s extensive work on how to mitigate risks from a systemic cyber incident. This includes the ESRB’s reports on:

  • Systemic cyber riskwhichlays the conceptual foundation for a macro-prudential response to systemic cyber risk. 
  • Mitigating systemic cyber risk which includes the basis for the systemic impact tolerance objective approach to define thresholds beyond which macro-prudential policy responses may be needed to avoid severe damage to the financial sector.
  • Advancing macroprudential tools for cyber resilience which evaluates preventative and remedial responses in the hands of authorities, including the use of capital buffers and cyber resilience scenario testing.

In this latest report the ESRB reviews operational policy tools used to address systemic cyber crises across ESRB members. It focuses on three sets of operational policy tools:

  1. Tools for gathering, sharing and managing information to provide high quality data for monitoring, tool calibration and ex post management of systemic cyber incidents. These tools, as well as cyber incident reporting centres, are vital for an EU wide information sharing mechanism.
  2. Coordination tools to help authorities and financial institutions mitigate potential negative effects on financial stability by ensuring an effective joint response across all stakeholders. The ongoing implementation of a pan-European systemic cyber incident coordination framework (EU-SCICF) will greatly improve efforts in this regard.
  3. Emergency and backup systems which are put in place to help ensure continuity of critical economic functions even in acute emergency situations.

The ESRB identifies certain areas for further action. This includes considering the pros and cons of system-wide contingency options and backup arrangements. This is because there may be systemic incidents that cannot be solved by the business continuity measures individual institutions have in place. A European level emergency system would require extensive discussion with national institutions and a careful evaluation of its benefits and any potential implications at both the system-wide and national level. Following the work done to date the ESRB states that its next step is also to further identify the gaps between operational and financial policy tools.