The Federal Reserve published its 2026 stress test results on June 24. The headline number sounds reassuring: the Fed ran thirty-two of America's largest banks through a 'severely adverse scenario', a hypothetical recession the Fed designs on purpose, specifically to see who breaks. Commercial property values fall 39 percent. House prices fall 30 percent. Unemployment hits 10.6 percent. The banks survived it. But analyst Mayra Rodriguez Valladares, writing in Forbes the same day, points out that this test answers a narrower question than the headlines suggest. Look at what it leaves out. It does not model a ransomware attack that knocks core banking systems offline. It does not model a private-credit crisis on its own, even though nonbank lenders (hedge funds, private-equity credit arms, and other firms that lend money outside the traditional banking system) now supply roughly half of all lending worldwide, according to the IMF. The Fed's scenario, published that same day, never puts a dollar figure on either failure. So Rodriguez Valladares's point just sits there, unanswered, in the report itself: a test that measures $708 billion in credit losses has no line item at all for a ransomware outage or a private-credit default.
Eight days before the Fed's results landed, Hong Kong's two financial regulators went the other way, and the numbers they cited explain why. On June 2, the Securities and Futures Commission and the Hong Kong Monetary Authority issued joint circulars ordering electronic trading firms to patch systems faster, assess third-party supply-chain risk (checking whether your vendor's vendor is the weak link), and run daily backups. Their justification was a rise in local cyber incidents that is hard to wave away: Hong Kong's cyber emergency response team, HKCERT, logged 15,877 cyber incidents in 2025, up 27 percent from 12,536 the year before. That is why the HKMA is now building a dedicated Cyber Resilience Testing Framework with the banking industry, kept completely separate from capital stress tests, with live testing planned for late 2026. The separation is the tell: regulators have concluded that a recession test and a cyberattack test measure two different ways a bank can fail, and you cannot fold one into the other. The Fed's test was built to answer for a 39 percent property crash. The HKMA's framework is built to answer for those 15,877 incidents. Different threats, different exams.
The Fed's 2026 test and the HKMA's 2026 framework measure different things on different clocks. One closed on June 24. The other does not even go live until late this year. Basel, the body that sets global bank capital rules, has not added a cyber capital charge to either. So for now, a bank chartered in both jurisdictions files two separate resilience reports, graded against two separate disasters, and that is not changing anytime soon.