Cyberattacks on financial institutions are becoming more common and considerably more sophisticated. High-profile cases like the Equifax breach, which compromised the confidentiality of 143 million Americans’ credit information, and the theft of US$81 million from Bangladesh Bank, are just two examples of recent cyber breaches in the financial industry.
Today, cyber risk is a permanent threat to financial institutions and the proper functioning of the highly interconnected financial system. Banks of all sizes experience cyberattacks every day. Breaches of individual firms can cause adverse knock-on effects for other financial and nonfinancial firms and give rise to systemic risk, a new dimension of cyber risk that is little understood.
Our recent IMF Working Paper suggests that international organizations like the Bank for International Settlements, the Financial Stability Board, and the IMF can play a key role in supporting information sharing, designing coordinated policies, helping resolve disputes, and containing systemic risk.
Some of the most dangerous cyberattacks include attacks on money transfer and ATM operations, malicious software introduced into bank systems, destruction of files and hardware, and extortionary events that disrupt internal operations.
Yet with the current patchwork of national regulation and industry self-policing, comprehensive data are lacking, and the risk is likely underestimated.
Companies themselves contribute to the uncertainty because, fearing damage to their reputation or loss of business, they often withhold information about cyber events. In some cases, breaches are disclosed only months or years later.
Limits of security
How to manage such a broad and complex threat? Security measures such as firewalls, data encryption, training, and business continuity planning, while necessary, can be costly and may make it harder for a company to conduct routine business operations. Redesigning products or processes may help avoid risk, but new practices can introduce new vulnerabilities.
Firms can transfer risk to third parties such as insurance companies or outside cybersecurity vendors. But asymmetries and a lack of information among these players—and generally little experience with this kind of economic risk—limit the potential for the private sector to reduce cyber risk in the financial system. Firms typically underestimate their exposure to cyber risk and overestimate their ability to defend against it and the coverage provided by their cyber insurance policies. Compared with other insurable risks, cyber risk is not well understood, so insurance companies are pricing a cushion into premiums to account for uncertainty.
These third parties may themselves become targets of hackers. And if only a few insurers or cybersecurity vendors are in the marketplace, this concentration could become a source of systemic risk throughout the financial system.
Systemic risk can also arise from concentration of information technology within the financial system, whose firms use common operating systems and programs, cloud servers, and electronic network hubs. Connections through interbank and transfer markets could allow shocks to spread quickly throughout the financial system. The popularity of cyber insurance policies has created a fast-growing market, but the continuing buildup of cyber risk in the insurance sector can itself become a systemic risk.
There is a clear role for the public sector to ensure that losses from cyberattacks do not give rise to systemic risk.
National authorities should provide incentives to ensure that cyberattacks are reported promptly and accurately and that loss data are collected systematically. Because cyberattacks are criminal in nature, banking regulators should be able to coordinate rapidly with law enforcement agencies. And it’s essential that regulators have the ability and the authority to adapt their responses quickly as cyberthreats evolve.
Cyber risk has no geographical borders, and the threat is global, so the role of international institutions is crucial. The time has come for governments to consider a coordinated response to systemic cyber risk. International bodies like the Financial Stability Board and international forums like the Group of Seven are leading an effort to disseminate information among members and foster policy coordination among countries. They appear to be well placed to help address some of the informational and cross-border coordination challenges presented by systemic cyber risk.