Cyber risk has emerged as a significant threat to the financial system. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.
Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.
Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks.
The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.
A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.
The modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.
There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector. Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and design adequate responses by private institutions and governments.
Further work is needed also to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack but also to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.
In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.
Full article
© International Monetary Fund
Key
Hover over the blue highlighted
text to view the acronym meaning
Hover
over these icons for more information
Comments:
No Comments for this Article