Anneli Tuominen addressed the growing importance of banks’ resilience to hybrid threats, noting that what were once considered “tail risks” are now part of the baseline. Hybrid threats—deliberate, coordinated actions often sponsored by autocratic states—include cyberattacks, economic coercion, disinformation, and other methods designed to destabilize democratic societies. Banks, as critical components of open economic systems, are prime targets.

Key Points:

Understanding Risks: Hybrid threats affect banks both directly (cyberattacks on their systems) and indirectly (through critical infrastructure disruptions). Digitalisation has increased the potential exposure, while geopolitical tensions amplify these risks. Traditional banking risks, such as credit and market risk, can also be influenced by hybrid threats.

Operational Resilience: Banks must strengthen operational frameworks to mitigate these threats. ECB stress tests revealed gaps in cyber resilience, particularly related to ICT outsourcing, cloud service dependency, and change risks from technological innovation (AI, quantum computing). AI can both enhance banks’ cybersecurity and enable more sophisticated attacks, highlighting the need for continuous adaptation.

Governance: Management bodies must deepen their understanding of ICT and security risks. Surveys indicate cybersecurity is a top concern, but collective expertise needs improvement. The ECB has issued supervisory expectations to guide banks and support compliance with the EU Digital Operational Resilience Act (DORA).

Contingency Planning and Communication: Banks need “what if” scenarios and contingency plans, including for disinformation risks. Social media and AI-driven misinformation could accelerate deposit withdrawals or market disruptions, requiring proactive monitoring and communication strategies. ECB stress tests highlighted deficiencies in communication plans, which supervisors are addressing.

Supervisory Implications: ECB supervisory practices are adapting to these risks. Key initiatives include threat-led penetration testing, oversight of critical ICT third-party service providers, and an EU-wide systemic cyber incident coordination framework. Effective cross-border coordination is essential for resilience.

Conclusion:

Hybrid threats are increasing, requiring banks to strengthen operational resilience, governance, and contingency planning. Supervisors are adapting regulatory frameworks and tools to support this. While banks cannot address all hybrid risks alone, collaboration across states, institutions, and society is essential. Preparing for hybrid threats is critical, echoing Benjamin Franklin’s principle: “By failing to prepare, you are preparing to fail.”

(bankingsupervision.europa.eu)