Tamas Gaidosch, Frank Adelmann, Anastasiia Morozova, and Christopher Wilson
This paper highlights the emerging supervisory practices that contribute to
effective cybersecurity risk supervision, with an emphasis on how these practices
can be adopted by those agencies that are at an early stage of developing a
supervisory approach to strengthen cyber resilience. Financial sector supervisory
authorities the world over are working to establish and implement a framework
for cyber risk supervision. Cyber risk often stems from malicious intent, and a
successful cyber attack—unlike most other sources of risk—can shut down a
supervised firm immediately and lead to systemwide disruptions and failures.
The probability of attack has increased as financial systems have become more
reliant on information and communication technologies and as threats have
continued to evolve.
International Monetary Fund. Monetary and Capital Markets Department
The Norwegian financial system has a long history of incorporating new technology. Norway is at the forefront of digitization and has tight interdependencies within its financial system, making it particularly vulnerable to evolving cyber threats. Norway is increasingly a cashless society, with surveys and data collection suggesting that only 10 percent of point-of-sale and person-to-person transactions in 2019 were made using cash.1 Most payments made in Norway are digital (e.g., 475 card transactions per capita per annum)2 and there is an increase in new market entrants providing a broad range of services. Thus, good cybersecurity is a prerequisite for financial stability in Norway.
Cyber risk has emerged as a key threat to financial stability, following recent attacks on financial institutions. This paper presents a novel documentation of cyber risk around the world for financial institutions by analyzing the different types of cyber incidents (data breaches, fraud and business disruption) and identifying patterns using a variety of datasets. The other novel contribution that is outlined is a quantitative framework to assess cyber risk for the financial sector. The framework draws on a standard VaR type framework used to assess various types of stability risk and can be easily applied at the individual country level. The framework is applied in this paper to the available cross-country data and yields illustrative aggregated losses for the financial sector in the sample across a variety of scenarios ranging from 10 to 30 percent of net income.
Financial technology (fintech) is emerging as an innovative way to achieve financial inclusion and the broader objective of inclusive growth. Thus far, fintech in the MENAP and CCA remains below potential with limited impact on financial inclusion. This paper reviews the fintech landscape in the MENAP and CCA regions, identifies the constraints to the growth of fintech and its contribution to inclusive growth and considers policy options to unlock the potential.
Joseph Goh, Mr. Heedon Kang, Zhi Xing Koh, Jin Way Lim, Cheng Wei Ng, Galen Sher, and Chris Yao
Cyber risk is an emerging source of systemic risk in the financial sector, and possibly a macro-critical risk too. It is therefore important to integrate it into financial sector surveillance. This paper offers a range of analytical approaches to assess and monitor cyber risk to the financial sector, including various approaches to stress testing. The paper illustrates these techniques by applying them to Singapore. As an advanced economy with a complex financial system and rapid adoption of fintech, Singapore serves as a good case study. We place our results in the context of recent cybersecurity developments in the public and private sectors, which can be a reference for surveillance work.
Emanuel Kopp, Lincoln Kaffenberger, and Christopher Wilson
Cyber-attacks on financial institutions and financial market infrastructures are becoming
more common and more sophisticated. Risk awareness has been increasing, firms actively
manage cyber risk and invest in cybersecurity, and to some extent transfer and pool their
risks through cyber liability insurance policies. This paper considers the properties of cyber
risk, discusses why the private market can fail to provide the socially optimal level of
cybersecurity, and explore how systemic cyber risk interacts with other financial stability
risks. Furthermore, this study examines the current regulatory frameworks and supervisory
approaches, and identifies information asymmetries and other inefficiencies that hamper the
detection and management of systemic cyber risk. The paper concludes discussing policy
measures that can increase the resilience of the financial system to systemic cyber risk.