(Bloomberg) -- The European Central Bank has told lenders to brace for a test of how they would respond to a cyber attack unprecedented in its severity. Beyond that, the regulator is keeping them guessing, just like real life hackers would.

At a briefing last month, the ECB gave banks only a broad outline of the exam, according to people familiar with the matter. The attack assumes hackers have overcome all of a bank’s defenses and are at the core of their main technology system, the people said, asking for anonymity discussing private information.

That would make the event simulated by the ECB worse than any public cyber incident affecting the industry in recent years, with a multitude of customer data at risk. The regulator has frequently warned of the danger posed by hackers, including after Russia’s invasion of Ukraine last year, and has said the stress test will be a learning experience for lenders and supervisors alike.

Banks now have about 400 questions that they will need to answer for the test, according to KPMG, which is advising lenders on the exam.

An ECB spokesperson declined to comment.

Firms that have dealt with cyber issues will already be able to answer some of the questions, while others can only be addressed once lenders know the scenario, Lucas Daus, partner in the field of consulting cyber security at KPMG, said in an interview. Many points are of a more general nature, he added, like: 

  • Do you perform recovery tests? Which ones?
  • What kind of recovery tests have been performed in the past?
  • What kind of economic impact do you have when the scenario hits you?
  • What is your crisis management?
  • How do you communicate with clients?

Still, banks will have to wait until next month for the ECB to share the details of the hypothetical attack, said the people familiar with the matter.  

“There’s still a big element of surprise once they hear about the actual scenario,” Daus said. 

The ECB’s scrutiny comes as authorities in Europe say the risk from cyber attacks remains elevated, with geopolitical turmoil spilling over into the private sector. The test has been billed as an exercise to improve banks’ risk management rather than as an exam that will have a direct impact on their capital requirements.

The test involves more than 100 banks directly overseen by the ECB. Twenty-eight lenders will be subject to a more detailed assessment with possible on-site investigations.

The results of individual lenders aren’t expected to be made public. However, they will indirectly feed into the ECB’s regular assessment of the risks that banks face, which determines their capital requirements. 

“It’s going to be complex, it’s going to be difficult to deal with it and it’s going to be bigger than the recent threats we saw in the market,” Daus said.

©2023 Bloomberg L.P.