Rising Cyber Threats Pose Serious Concerns for Financial Stability
Cyberattacks have more than doubled since the pandemic. While companies have
historically suffered relatively modest direct losses from cyberattacks,
some have experienced a much heavier toll. US credit reporting agency
Equifax, for example, paid more than $1 billion in penalties after a major
data breach in 2017 that affected about 150 million consumers.
As we show in a chapter of the April 2024 Global Financial Stability Report,
the risk of extreme losses from cyber incidents is increasing. Such losses
could potentially cause funding problems for companies and even jeopardize
their solvency. The size of these extreme losses has more than quadrupled
since 2017 to $2.5 billion. And indirect losses like reputational damage or
security upgrades are substantially higher.
The financial sector is uniquely exposed to cyber risk. Financial
firms—given the large amounts of sensitive data and transactions they
handle—are often targeted by criminals seeking to steal money or disrupt
economic activity. Attacks on financial firms account for nearly one-fifth
of the total, of which banks are the most exposed.
Incidents in the financial sector could threaten financial and economic
stability if they erode confidence in the financial system, disrupt critical
services, or cause spillovers to other institutions.
For example, a severe incident at a financial institution could undermine
trust and, in extreme cases, lead to market selloffs or runs on banks.
Although no significant “cyber runs” have occurred thus far, our analysis
suggests modest and somewhat persistent deposit outflows have occurred at
smaller US banks after a cyberattack.
Cyber incidents that disrupt critical services like payment networks could
also severely affect economic activity. For example, a December attack at
the Central Bank of Lesotho disrupted the national payment system,
preventing transactions by domestic banks.
Another consideration is that financial firms increasingly rely on
third-party IT service providers, and may do so even more with the emerging
role of artificial intelligence. Such external providers can improve
operational resilience, but also expose the financial industry to systemwide
shocks. For example, a 2023 ransomware attack on a cloud IT service
provider caused simultaneous outages at 60 US credit unions.
With the global financial system facing significant and growing cyber risks
from increasing digitalization and geopolitical tensions, as shown in the
chapter, policies and governance frameworks at firms must keep pace.
Because private incentives may be insufficient to address cyber risks—for
example, firms may not fully account for the systemwide effects of
incidents—public intervention may be necessary.
However, according to an IMF survey of central banks and supervisory
authorities, cybersecurity policy frameworks, especially in emerging market
and developing economies, often remain insufficient. For example, only about
half of countries surveyed had a national, financial sector-focused
cybersecurity strategy or dedicated cybersecurity regulations.
To strengthen resilience in the financial sector, authorities should develop
an adequate national cybersecurity strategy accompanied by effective
regulation and supervisory capacity that should encompass:
- Periodically assessing the cybersecurity landscape and identifying
  potential systemic risks from interconnectedness and concentrations,
  including from third-party service providers.
- Encouraging cyber “maturity” among financial sector firms, including
  board-level access to cybersecurity expertise, as supported by the
  chapter’s analysis which suggests that better cyber-related governance
  may reduce cyber risk.
- Improving cyber hygiene of firms—that is, their online security and
  system health (such as antimalware and multifactor authentication)—and
  training and awareness.
- Prioritizing data reporting and collection of cyber incidents, and
  sharing information among financial sector participants to enhance their
  collective preparedness.

As attacks often emanate from outside a financial firm’s home country and
proceeds can be routed across borders, international cooperation is
imperative to address cyber risk successfully.
While cyber incidents will occur, the financial sector needs the capacity to
deliver critical business services during these disruptions. To this end,
financial firms should develop, and test, response and recovery procedures
and national authorities should have effective response protocols and crisis
management frameworks in place.
The IMF actively helps member countries strengthen their cybersecurity
frameworks through policy advice, for example as part of the
Financial Sector Assessment Program, and through
capacity-building activities.
—This blog is based on Chapter 3 of the April 2024 Global Financial
Stability Report, “Cyber Risk: A Growing Concern for Macrofinancial
Stability.”