
Banca d'Italia is committed to strengthening the cybersecurity measures of operators and the financial system as a whole, in order to pursue the objective of safeguarding financial stability, of fostering business continuity and of promoting user confidence in the system.
This page describes:
- systemic cyber risk for the financial sector;
- the activities of Banca d'Italia;
- the activities at European and international level.
Systemic cyber risk for the financial sector
The financial system is characterized by continuous technological evolution. It is made up of a dense network of interdependencies and is increasingly dependent on the ICT infrastructure and suppliers from other sectors. This makes it particularly vulnerable to technological malfunctions and a prime target of cyberattacks, on account, among other things, of the economic and strategic value of the functions it provides.
These properties of the financial system and the specific characteristics of cyber risk ‒ not constrained by geographic boundaries, mutable, easily spread across entities and economic sectors, exploitable by multiple threat actors ‒ entail that cyber risk in the financial system can be prevented and mitigated but not totally eliminated.
The repercussions of significant ICT incidents, especially those arising from external attacks and not adequately contained, can affect multiple critical financial operators and infrastructures at once, and disrupt service continuity and financial stability.
The operational and financial interconnections created by digitization open up scenarios that need to be assessed from a systemic perspective and in relation to cyber threats.
To address these risks, financial authorities and central banks work in close cooperation to strengthen risk prevention, improve tools for coordination and communication in the event of major crises, carry out exercises with large-scale cyber incident scenarios, mitigate the risk of contagion and ensure a prompt restart in case of incidents.
The activities of Banca d'Italia
Banca d'Italia fosters the prevention of and the response to ICT risks in the financial sector through regulation, supervision and oversight, and through institutional and public-private cooperation, in line with the objective, among several others, of countering systemic risks to financial stability.
In the event of a high-impact operational or cyber incident, Codise, the unit for business continuity in the Italian financial marketplace, intervenes. Codise coordinates the crisis management process in order to limit the impact of incidents and quickly restore services. It cooperates with the Ministry of Economy and Finance (MEF), the National Cybersecurity Agency (ACN) and other authorities, acting as the contact point for the Italian financial sector in crises with an international impact and participating in regular cyber-scenario exercises.
In addition, Banca d'Italia contributes to the initiatives of the Eurosystem, the Single Supervisory Mechanism (SSM) and the European Systemic Risk Board (ESRB), and collaborates with the financial industry (see below and 'Institutional cooperation and dialogue with the market').
Activities at European and international level
Macro-prudential and micro-prudential supervisory authorities, working in parallel with regulatory authorities, have developed frameworks to identify and monitor systemic risks arising from cyberattacks and to develop appropriate rules to mitigate them.
In this context, Banca d'Italia participates with the other European financial authorities in the ESRB to prevent and mitigate systemic risks, including cyber risks, in the European financial sector. Activities include: i) the definition of a conceptual model of analysis and the adoption of a specific macro-prudential strategy for cyber risks; ii) the identification of tools to mitigate the systemic impacts of large-scale cyber incidents, such as mapping the nodes and interconnections between European financial entities (so-called cyber mapping); iii) developing and running the Cyber Resilience Scenario Testing (CyRST) tool; and iv) defining tolerance thresholds for disruptions to the critical economic functions performed by the financial system, within the scope of the Systemic Impact Tolerance Objectives (SITOs) tool.
The ESRB has also established a framework for coordination and communication between financial authorities in the event of major incidents with potential systemic impacts.
In addition, thematic stress tests were conducted within the SSM in 2024 to assess the cyber resilience of individual supervised entities. The results will help supervisory authorities identify vulnerabilities and develop appropriate mitigation strategies.
Cyber resilience is also a key element of the Financial Stability Board's work programme to promote the stability of the global financial system (see 'Legislation and guidelines').
Further information:
- Digital resilience in the Italian financial sector: evidences from the supervisory incident reporting framework
- Codise
- ECB - Towards a framework for assessing systemic cyber risk (external link)
- ESRB (external link)
- Systemic Cyber Risk, ESRB 2020 (external link)
- The making of a cyber crash: a conceptual model for systemic risk in the financial sector, ESRB 2020 (external link)
- Mitigating systemic cyber risk, ESRB 2022 (external link)
- Advancing macroprudential tools for cyber resilience, ESRB 2023 (external link)
- Advancing macroprudential tools for cyber resilience – Operational policy tools, ESRB 2024 (external link)
- Recommendation ESRB/2021/17 on a pan-European systemic cyber incident coordination framework for relevant authorities (external link)
- ECB - Stress test (external link)
- FSB - Cyber resilience (external link)