Using Simulations for Cyber Stress Testing Exercises

We demonstrate how computer-based simulations could support cyber stress testing exercises through a three-step framework. First, cyber-attack scenarios are designed to target the systemic nodes of a payment network at different times, disrupting a major bank, critical service provider, large-value payment system, and a foreign exchange settlement system. Second, the stress resulting from the scenarios is simulated using transaction-level data, and its impact is measured through a range of risk metrics. And third, cyber preparedness is discussed to identify effective practices that could strengthen the cyber resilience of the financial sector. The exercise provides insights into the main vulnerabilities of the financial sector and key transmission channels under plausible scenarios that necessitate preemptive action and recovery and response measures. For example, simulation results for Finnish data suggest that end-of-day liquidity risk is most severe when a cyber-attack hits a major bank or several banks simultaneously through dependence on a common critical service provider, compared to an attack on a centralized payment system where effective queuing and liquidity-saving mechanisms can better support recovery. Outcomes could be aggravated under more severe and prolonged scenarios.