FMA and OeNB test the Austrian banking sector’s ability to react to cyber attacks


The Austrian Financial Market Authority (FMA) and the Oesterreichische Nationalbank (OeNB) have conducted the first cyber stress test for the Austrian financial market. The resilience of the financial sector against various cyber attacks was tested in a cyber simulation in cooperation with Kuratorium Sicheres Österreich (KSÖ). The participants were ten representative credit institutions, their IT providers, the Computer Emergency Response Team Austria (CERT.at) and the Ministry for the Interior. According to international studies, approximately two thirds of losses sustained in cyber attacks are caused or at least enabled by employees, and therefore the simulation placed a special focus on the human factor. Particular stress was applied to the cooperation between credit institutions and the supervisor, as well as with other institutions that are relevant to cybersecurity in the event of a hacking attack.

First inter-institutional cyber stress test

“The cyber simulation has demonstrated that on an organisational level credit institutions are by and large well prepared in relation to cyber attacks, although the practical design of their preparation has proved to be very varied,” remarked the FMA’s Executive Directors, Helmut Ettl and Klaus Kumpfmüller. “The results will now be analysed in depth, conclusions drawn about the lessons learned and then subsequently implemented in regulatory and supervisory activities.” The OeNB’s Vice Governor Andreas Ittner adds: “A common approach in ensuring the stability of the financial sector is particularly essential when defending against cyber attacks. We are therefore particularly pleased that representatives of all the relevant institutions have participated in the first inter-institutional cybersecurity simulation for the financial sector.”

The initial scenario for the one-day cybersecurity simulation, in which more than 100 experts took part, required the teams made up of the participating credit institutions to react to a total of 170 individualised hacking attacks. The attacks ranged from extorting ransom money using ransomware, the compromising of “Root-CAs”[1] and “Online Banking Apps”, paralysis of ATM networks and websites, failure of electronic banking, the manipulation of account balances and transactions, loss of customer data, phishing e-mails and DDoS attacks[2] through to customer complaints and social media shitstorms. The institutions’ internal preparations against such kinds of attacks, internal communications and decision-making structures, organisational and technical backup solutions, information and communication with institutions involved in supervision, as well as external communications with customers and the general public, were all tested.

“Global digital networking creates many fresh new opportunities and possibilities for the financial market participants, but at the same time also conceals enormous risks. We have therefore made IT and cyber security strategic priorities for supervision”, added Messrs. Ettl, Kumpfmüller and Ittner regarding the embedding of the cyber stress test into the supervisory strategy. In this regard, the FMA published a series of IT Security Guides in 2018, which form a clear set of rules for the governance of such risks. Observance of the rules set out in the IT Security Guides is also one of the supervisor’s focuses for inspections this year. The cyber simulation tested the implementation of these rules, as well as the organisational and infrastructural preparation for their realistic and practical application. The supervisor will develop its regulatory and supervisory strategy further and will check and evaluate that strategy in future cyber stress tests.

Journalists may address further enquiries to:

Klaus Grubelnik (FMA): +43/(0)1/24959-6006, +43/(0)676/882 49 516

Dr. Christian Gutlederer (OeNB): +43/(0)1/404 20-6900, christian.gutlederer@oenb.at

[1] Certification bodies for root certificates

[2] DDoS: Distributed Denial of Service