Cyber-attacks on the financial system are among the most costly of all. Large, systemically important banks are the most attractive targets because of their crucial role in intermediating funds between parties: if a bank's payments system were taken down, for instance, that institution could be left unable to operate.
The financial sector is particularly vulnerable to cyber-attacks because of the risk of contagion: a successful attack on one institution could spread rapidly through the highly interconnected financial system. As the collapse of Lehman Brothers in 2008 showed, trust can evaporate quickly once an institution's liquidity is called into question, and that is a dramatic threat.
The financial sector is highly exposed to cyber risk due to a combination of factors that apply across all types of countries. Threat levels are particularly high for financial institutions because of cybercrime, hacktivism, proxy organizations (sophisticated attackers conducting espionage on behalf of a beneficiary) and surveillance of communications by third parties. Vulnerability to cyber incidents, including cyber-attacks, can be considered high because financial institutions depend on highly interconnected networks and critical infrastructures. Moreover, many institutions run legacy systems that might not be resilient to cyber-attacks. The increasing sophistication of cyber criminals, along with the declining cost of launching an attack, makes institutions with legacy systems all the more vulnerable. The consequences of a successful attack are also high because financial activity is dematerialized and therefore highly dependent on technology.
True quantitative analysis of cyber risk is still at the infant stage, and is hampered by the lack of data on the cost of cyber-attacks, and difficulties in modelling cyber risk. Recent high-profile cases have increasingly put cyber risk firmly on the agenda of the official sector—including international organizations like the IMF.
A recent study by the IMF (International Monetary Fund) estimated that average annual losses to financial institutions from cyber-attacks could be around $100 billion a year, rising to a few hundred billion in a severe scenario, with a damaging effect on bank profits and a potential threat to financial stability on a global scale. The IMF is uniquely positioned to perform such a study, as it can source data from a wider range of countries than any individual central bank.
The study used techniques from actuarial science and operational risk measurement to estimate recent aggregate losses from cyber-attacks. It factored in the frequency of cyber-attacks on financial institutions in 50 countries and produced metrics on the distribution of losses from such events. Numerical simulations were then used to estimate the distribution of aggregate annual losses from cyber-attacks.
The results are remarkable as well as alarming: the study suggested that average annual potential losses from cyber-attacks could be as large as 9 percent of banks' net income globally, or around $100 billion. In a severe scenario, in which cyber-attacks are twice as frequent as in the past and contagion is greater, the estimated losses are 2½ to 3½ times as high, or $270 billion to $350 billion.
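To make the methodology in the two paragraphs above concrete, here is an added example (not the IMF's model, code or data) of the frequency-severity approach they describe: the number of incidents in a year is drawn from a Poisson distribution, each incident's loss from a lognormal distribution, and contagion is modelled as each incident spreading to a Poisson number of further institutions. Monte Carlo simulation over many years then gives the aggregate annual loss distribution. Every parameter (incident rate, loss size, contagion rate, currency unit) is an illustrative assumption chosen so that the "severe" case doubles the attack frequency and raises contagion, as the text describes.

```python
"""Added example: a frequency-severity (compound) loss simulation of the
kind the IMF paragraph describes. Not the IMF's model or data; all
parameters below are illustrative assumptions."""
import math
import random
from statistics import mean


def poisson(rng, lam):
    """Draw from Poisson(lam) using Knuth's multiplication method.
    Adequate for the small means used here (lam well below ~30)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(rng, lam, mu, sigma, contagion):
    """Aggregate loss for one simulated year.

    lam        expected number of primary incidents in the year (Poisson)
    mu, sigma  lognormal parameters of the loss per incident
    contagion  expected number of secondary incidents each incident triggers
               at other institutions (Poisson branching; must be < 1 so the
               cascade dies out and the expected total is lam / (1 - contagion))
    Returns (total_loss, number_of_incidents).
    """
    if not contagion < 1:
        raise ValueError("contagion >= 1 gives an explosive cascade")
    pending = poisson(rng, lam)  # primary incidents not yet processed
    total, events = 0.0, 0
    while pending:
        pending -= 1
        events += 1
        total += rng.lognormvariate(mu, sigma)
        pending += poisson(rng, contagion)  # institutions this one spreads to
    return total, events


def simulate(lam, mu, sigma, contagion, years=20_000, seed=7):
    """Monte Carlo over many years; returns summary statistics of the
    aggregate annual loss distribution (same units as the severity draws)."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, lam, mu, sigma, contagion)[0]
                    for _ in range(years))
    return {
        "mean": mean(losses),
        "median": losses[years // 2],
        "p99": losses[int(0.99 * (years - 1))],   # 1-in-100-year loss
        "expected_events": lam / (1.0 - contagion),  # closed form, for checking
    }


# Illustrative parameters (assumptions; loss unit is millions of dollars).
# A lognormal with mu = ln(20) - sigma^2 / 2 has a mean loss of 20 per incident.
SIGMA = 1.0
MU = math.log(20.0) - SIGMA ** 2 / 2
BASE = dict(lam=4.0, mu=MU, sigma=SIGMA, contagion=0.2)
SEVERE = dict(lam=8.0, mu=MU, sigma=SIGMA, contagion=0.5)  # 2x frequency, more contagion


def severe_to_base_ratio():
    """Ratio of mean annual loss in the severe scenario to the base case.
    Expected value is (8 / 0.5) / (4 / 0.8) = 3.2, inside the 2.5-3.5 range
    the text quotes, which shows how doubling frequency plus extra contagion
    more than doubles the loss."""
    return simulate(**SEVERE)["mean"] / simulate(**BASE)["mean"]


if __name__ == "__main__":
    for name, params in (("base", BASE), ("severe", SEVERE)):
        s = simulate(**params)
        print(f"{name:7s} mean={s['mean']:.1f} median={s['median']:.1f} "
              f"p99={s['p99']:.1f} expected_events={s['expected_events']:.2f}")
    print(f"severe/base mean ratio: {severe_to_base_ratio():.2f}")
```

The point a practitioner should take from running it is the shape of the distribution rather than any one number: the mean sits well above the median and the 99th percentile is several times the mean, because a few years with long cascades and large individual losses dominate. That is why point estimates of "average annual loss" understate the capital an institution or insurer actually needs to hold.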
So what about insurance? It has been one route open to banks that wish to buy protection, but is it adequate? Despite recent growth, the insurance market for cyber risk remains small, with only around $3 billion in premiums globally in 2017. Surprisingly, most financial institutions do not even carry cyber insurance. This may be because coverage is limited and insurers themselves struggle to evaluate the possible extent of the risk, given uncertainty about cyber exposures, lack of data and possible contagion effects across the entire financial industry.
What are the next logical steps?
We already understand the need to strengthen the resilience of financial institutions and infrastructures. In every institution it is possible to find older systems that might not cope well with today's cyber-attacks, because resisting them was not a consideration in the original design. We need not only to reduce the odds of a successful cyber-attack but also to make a smooth and rapid recovery possible if one occurs.
Increasing the capacity of the official sector, in many parts of the world, to act as monitor and regulator can also mitigate such risks.
There is much scope to improve the risk assessments themselves. Official data collection on the frequency and impact of cyber-attacks would help assess risk for the financial sector, especially if that data is consistent and more granular. Requirements to report breaches, such as the duty under the EU's General Data Protection Regulation to notify the supervisory authority of a personal data breach within 72 hours, should improve knowledge of cyber-attacks.
Scenario analysis could be used to game out how quickly cyber-attacks could spread and to design adequate responses, both by private institutions and at the highest levels of government. Regulators can also play their part: designing effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning all fall within their brief.
As cybersecurity will remain an integral function for financial institutions, improving capabilities is likely to be an ongoing challenge as threats keep evolving in scope, technique and sophistication. Financial services institutions (FSIs) should keep adapting to stay one step ahead of the threat actors that intend to do them harm.
Points to Ponder
- You have to meet the expectations of regulations (and beyond).
- You must have vigilance in your cybersecurity execution.
- You must excel at detection and recovery.
- You need to manage risk in the third-party ecosystem.
- You should consider information sharing.
Cybersecurity has long been of great importance in the financial sector, partly because of the amount of regulation in the industry. Even if you are not subject to those regulations yourself, one of your vendors likely is, and a breach at their organization could compromise your data.
But regulation is not the only reason this is critical. It is also critical because you are in the business of trust. If your customers lose faith in your ability to protect their information or to provide a service reliably, your reputation and your business may suffer as a result. Think Security. Think Ahead.
(Data Reference IMF http://www.imf.org)