FSB encourages the Netherlands to continue strengthening cyber resilience in its financial sector

Summary:

This Financial Stability Board (FSB) peer review assesses the Netherlands' strategies for enhancing cyber resilience amid a rapidly evolving threat landscape. Heightened geopolitical tensions and rapid digitalization have expanded the attack surface for financial institutions, as evidenced by a doubling of cyber‑related operational losses reported by Dutch banks between 2018 and 2020. With DDoS and ransomware attacks increasing, cyber resilience is a critical component of financial stability.

The Netherlands has responded with a sophisticated, multi‑tiered strategy, signifying a maturation from compliance to proactive defense. This approach is built on several market‑leading innovations. For mature institutions, the Threat Intelligence‑Based Ethical Red‑teaming (TIBER) framework serves as the gold standard, using live adversary tactics to test end‑to‑end detection, response, and recovery capabilities. The modular Advanced Red Teaming (ART) framework provides a crucial on‑ramp for smaller firms, extending advanced testing to a broader segment of the sector. The capstone innovation is the integration of cyber resilience assessments into the banking sector's Internal Capital Adequacy Assessment Process (ICAAP), a move that translates operational risk into quantifiable financial risk and elevates it to a core, board‑level concern.

The FSB's recommendations highlight that the next frontier lies in securing the system's connective tissues. These are necessary steps to future‑proof the sector against systemic risks:

  1. Strengthen Information Sharing: Periodically review information‑sharing forums with industry to address potential hesitancy in sharing sensitive data in large groups. During an incident, authorities and industry must collaborate to share timely, accurate intelligence to enable defensive actions and prevent incident contagion across the sector.
  2. Support Broader Resilience Testing: De Nederlandsche Bank (DNB) should develop strategies to help less mature entities build the capabilities needed to participate in advanced testing like ART, ensuring resilience is strengthened across the entire financial ecosystem.
  3. Conduct National Third‑Party Risk Analysis: Leverage Digital Operational Resilience Act (DORA) registers for a national‑level analysis of concentration risk. This serves a dual purpose: as a peacetime exercise to map dependencies and as a critical crisis‑response tool to understand an incident's blast radius and identify third‑party providers whose failure could trigger cascading disruptions.