The European Central Bank's first cyber security stress test has exposed weak spots in European banks.

The ECB evaluated 109 banks on their ability to respond to and recover from cyber-attacks. While most banks have basic protections in place, the test uncovered some "shortcomings."

"The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement," ECB supervisor Anneli Tuominen said in a blog post.

The assessment comes just one week after the devastating CrowdStrike outage, which has been called the largest IT outage in history and affected just about every industry: banking, aviation, healthcare, and more.

“The importance of cyber resilience cannot be overstated,” said Tuominen. “An incident in one institution can have cascading effects across multiple sectors.”

28 banks undergo more extensive testing

The test did not look at how banks would prevent a cyber attack, only at how they would deal with one.

Banks answered a questionnaire and submitted details of how they would handle a cyber attack. The ECB assessed banks on their plans for how they would maintain operations, communicate with stakeholders, and restore normal services during and after a digital crisis.

From the initial group, 28 banks were flagged for more extensive testing. They had to undergo a simulated cyber attack and get their systems back up and running in real time. Regulators also completed an on-site inspection for those banks.

“Supervisors have provided individual feedback to each bank and will follow up with them accordingly,” the ECB said. “In some cases, banks have already improved or plan to remedy the shortcomings pinpointed during the exercise.”

The ECB kept quiet on the specific weaknesses it found (to keep that information away from would-be hackers).

However, it did recommend that all banks improve their backup protocols, look closely at third-party providers, and make better plans to keep business going in the event of a cyber attack.

While the stress test results will affect the ECB’s annual reviews of each bank, they will not affect capital requirements. The ECB will decide whether it will carry out more testing by the end of the year.

"Cyber incidents" on the rise

According to the ECB, there was a surge in "cyber incidents" in the second half of last year, in part due to "heightened geopolitical tensions." Though it didn't say so outright, the ECB is likely referring to an increase in Russian hacking activity due to the war in Ukraine.

The ECB has also warned that aging IT systems and reliance on third-party vendors pose serious risks to the banking sector.

The finance industry saw a 64% increase in ransomware attacks last year, nearly double the levels seen in 2021, according to cybersecurity company Sophos. Banking regulators are sitting up and taking notice.

The United Kingdom and Denmark have also run similar cybersecurity stress tests.