Abstract

In recent years, the Chilean financial sector has experienced a series of cyberattacks, and growing global cybersecurity risk poses a threat to the sector. Banks and financial market infrastructures appear to be resilient against cybersecurity risks, supported by a comprehensive regulatory framework, but the lack of substitutability and high concentration of these institutions could pose systemic risk to the financial system. Moreover, given the current business segment of the Chilean fintech sector, expansion of the sector would lead to larger exposures to cybersecurity risk, which the ongoing regulation of the sector by the authorities aims to mitigate. Ensuring sufficient human resources for effective cybersecurity supervision of the financial sector, as well as implementing ongoing policy initiatives, is warranted.

Cybersecurity and Financial Stability: Considerations for Chile1

A. Introduction

1. Cybersecurity risks have been growing globally, and Chile’s financial sector has already suffered several cyberattacks. As the economy and financial sectors have become more digitalized and interconnected, the risks associated with cyberattacks are escalating. The number of cyberattacks (malicious use of IT technologies) in OECD peers increased dramatically over the past decade, especially since 2020 (Figure 1), according to the University of Maryland CISSM Cyber Attacks Database (Harry and Gallagher, 2018).2 Notably, the share of cyberattacks on the financial sector (‘finance and insurance sector’ in the following chart) was higher in Chile than in regional and OECD peers. The motives of attacks are mainly financial, and cross-border cyberattacks are not rare.

2. The increasing cybersecurity risk is posing a threat to Chile’s financial sector, as it is in most other financial systems. While past cyberattacks did not cause systemic financial instability, they can pose stability risks going forward. For instance, a cyberattack on critical financial operations could erode confidence, leading to reluctance in extending liquidity or credit, potentially causing deposit runs (Duffie and Younger, 2019) and interbank payment failures (Eisenbach et al., 2022). Disrupting specific institutions’ critical services could also disrupt massive financial transactions due to low substitutability (Healey et al., 2018). These risks are amplified by interconnected financial linkages and technology dependencies, including exposure to third-party IT service providers (Adelmann et al., 2020).

3. The CMF and the BCCh consider cybersecurity risk a material risk, consistent with the international debate. In the global context, cybersecurity risk is recognized as a top concern by regulators and central banks (FSB, 2017a; FRB, 2021; ESRB, 2020; FSOC, 2022; ECB, 2022; BIS, 2022a).3 The Chilean authorities have also heightened their attention to this risk. The Financial Market Commission (CMF) included cybersecurity risk in its 2022 strategic plan and the Central Bank of Chile (BCCh)’s Financial Stability Reports (FSRs) have addressed cyber risk since 2016, including a thematic box on ‘Cyber Security and Financial Stability’ in the 2018 FSR.

Figure 1. Selected Economies: Cyberattacks

Citation: IMF Staff Country Reports 2024, 042; 10.5089/9798400266591.002.A002

Sources: University of Maryland CISSM Cyber Attacks Database and IMF staff calculations. Note: “Mining etc.” includes Mining, Quarrying, and Oil and Gas Extraction. “Regional peers” indicates the sum of Brazil, Mexico, Colombia, Argentina, and Peru. “OECD” indicates the sum of OECD countries.

B. Cyberattacks on the Chilean Financial Sector

4. Past cyberattacks on the Chilean financial sector were concentrated on banks.4 Notably, the Chilean banking sector encountered cyberattacks that affected a few large banks that are currently designated as Domestic Systemically Important Banks (D-SIBs).5 Specifically, Banco de Chile and Banco de Estado experienced attacks in 2018 and 2020, respectively (Box 1). Following the disclosure of the cyberattacks on Banco de Chile (on May 28, 2018), the bank’s equity price declined.6 Furthermore, in 2019, a cyberattack targeted Redbanc, the critical third-party IT service provider for ATMs and other retail payment services.7

Chile: Bank Equity Prices

(Open price on May 28, 2018=100)

Sources: Santiago Stock Exchange and IMF staff calculations. Note: Close prices on each day. “Peers” includes Banco de Credito e Inversiones, Banco Santander-Chile, and Banco Itau Chile.

C. Cybersecurity Risk for Banks

5. Rapid digitalization has increased Chilean banks’ exposure to cybersecurity risk. Since 2013, the number of Chilean banks’ branches has decreased by around 35 percent, and the number of online banking accounts has increased significantly, by more than four times,8 reflecting Chilean banks’ efforts to transition to digitalized financial activities (Figure 2). In line with these developments, their IT expenses (e.g., IT and communication expenses and outsourcing services for data processing) have been rapidly increasing.9 While this enables banks to improve the efficiency of their business operations and enhance their business opportunities, it also increases banks’ exposures to cybersecurity risk.

Cyberattacks on the Chilean Banking Sector

Sources: University of Maryland CISSM Cyber Attacks Database, FSRs, and media reports.

Figure 2. Digitalization of Chilean Banks

Sources: Financial Market Commission (CMF) and IMF staff calculations. Notes: Number of offices in 2023 is as of September. Number of online bank accounts in 2023 is as of August. Expenses in 2023 are as of October 2023, annualized by multiplying 12/10.

Cybersecurity Levels

6. Chilean banks’ cybersecurity levels appear slightly higher than those of regional peers, while they still seem to lag behind OECD peers. Commonly used indicators show Chile to be better prepared for cybersecurity risk than banking systems in the region, reflecting that Chilean banks have intensified investment in cybersecurity10 and established governance and measures to address cybersecurity risk (Figure 3).11 However, compared with banks in OECD peers, Chilean banks may fall behind to some extent. The measures include a privacy data management score,12 which is a proxy for the level of cybersecurity regarding data security, and the cybersecurity rating,13 which roughly represents the unconditional probability of becoming a victim of cyberattacks, considering both the likelihood of encountering cyberattacks and the likelihood of being affected by them. Both indicators, the privacy data management score and the cybersecurity rating, are slightly better than those of Chile’s regional peers, while the cybersecurity ratings are lower than those of OECD peers.14

Figure 3. Selected Economies: Cybersecurity Levels of Banking Sector

Sources: Bitsight, MSCI, and IMF staff calculations. Notes: In the left chart, “Low” indicates 0–4, “middle” indicates 5–8, and “high” indicates 9–10. In the right chart, companies are rated on a scale of 250 to 900, and “Advanced”, “Intermediate”, and “Basic” correspond to 740–900, 640–730, and 250–630, respectively. “Regional peers” indicates the sum of Brazil, Mexico, Colombia, Argentina, and Peru. “OECD” indicates the sum of OECD countries. Privacy data management scores are as of 2022 and cybersecurity ratings are as of November 2023.

Resiliency to Solvency Risk

7. The banking sector’s solvency risk from cyberattacks appears contained so far. Cyberattacks frequently result in direct costs, including expenses for repairing compromised systems, compensating for data breaches, fines,15 and legal fees, and it is important to understand the quantitative impact of cyberattacks on banks’ solvency. Among the seven categories of operational losses,16 the share of ‘external fraud,’ which is most relevant to cyber losses, dominates (Figure 4).17 Using historical annual operational losses from internal and external frauds as the proxy for historical annual cyber losses,18 the impact of the losses on banks’ profitability ranges predominantly between 0 and 0.5 percent of equity. The impact was higher in a few banks, exceeding 2 percent, but remained modest overall. Consistent with these observations, the maximum impact of the losses on capital ratios for each bank was less than 10 bps in most cases, with losses potentially higher for some banks.19 Even under a stress scenario in which banks suffer the historical maximum stress observed in the sector,20 the impact would range between 20 and 80 bps in all cases. Finally, when comparing the maximum of the historical annual losses to the capital required for operational risk by each bank,21 significant heterogeneity is evident across banks. Some banks would experience losses exceeding 20 percent of their capital for operational risk, but in all cases capital for operational risk would fully cover the gross losses. Adding the maximum impact of historical annual operational losses from incidents other than internal and external frauds increases the impacts, but the results remain broadly unchanged. Note that the calculations may overestimate the impact of cyber losses, since data specifically related to operational losses from cyberattacks in Chile are unavailable and the analysis uses bank-by-bank data on operational losses from internal and external frauds instead.22

Figure 4. Solvency Risk of Chilean Banks

Sources: Financial Market Commission (CMF) and IMF staff calculations. Note: “Historical Gross Operational Loss to Equity” indicates historical distribution of the impact of operational losses on equity in 2019–2022 and across all banks (62 samples, annual basis). In the bottom charts, “own historical maximum stress” on capital in 2019–2022 (annual basis). “Banking sector historical maximum stress” for internal and external frauds is calibrated based on the maximum impacts of historical losses from these frauds on total assets in 2019–2022 (annual basis) across all banks, and that for total is calculated by adding impacts of own historical maximum losses from other incidents on risk-weighted assets. Risk-weighted assets in 2021 are assigned to 2019 and 2020.

Resiliency to Liquidity Risk

8. Cyberattacks are considered a potential threat that could undermine bank liquidity. The literature highlights the importance of managing liquidity risk in the context of cybersecurity. Duffie and Younger (2019) argue that while capital adequacy ratios address operational risk, liquidity coverage ratios (LCRs) do not consider the liquidity risk associated with ‘cyber runs,’ which are serious and contagious bank runs caused by cyberattacks. The risks of such runs are heightened for banks that are heavily dependent on wholesale unsecured deposits. This is because unaffected large institutional depositors may swiftly withdraw their deposits as a precautionary measure.

9. Chilean banks appear resilient to cyber-related liquidity risk, i.e., massive withdrawal of uninsured wholesale deposits. Scenario assessments of LCRs, which have already been introduced in Chile as part of the Basel III liquidity requirement, are used to assess the resilience of Chilean banks’ liquidity to the ‘cyber runs’ described above. Specifically, following Duffie and Younger (2019), two scenarios are considered: an ‘adverse cyber scenario’ and a ‘severe cyber scenario,’ assuming respective outflows of 50 and 75 percent from unsecured wholesale deposits (i.e., operational deposits and non-operational deposits in unsecured wholesale funding) due to massive deposit withdrawals by institutional depositors.23 The analysis finds that most banks, including all D-SIBs, could meet a 100 percent LCR regulatory requirement in case of a large outflow of uninsured wholesale deposits due to cyberattacks (Figure 5).24 The results reveal that Chilean banks are generally robust to such risks. Chilean banks’ substantial holdings of high-quality liquid assets (HQLAs) partly contribute to this result, and more importantly, the outflow rate assumptions for unsecured wholesale deposits used to calculate the LCRs are the major source of the resilience.25

10. Chilean banks also appear robust to liquidity outflows from retail deposits. A few countries experienced bank runs triggered by the spread of rumors via digital media (Bouveret, 2018; BOE, 2018; Duffie and Younger, 2019). When calibrating a scenario of ‘retail deposit run’ based on a Bulgarian bank run in 2014 (10 percent) in addition to the ‘severe cyber run scenario’ for unsecured wholesale deposits,26 the calculations suggest that most Chilean banks could withstand such a sizeable outflow (based on balance sheet data as of September 2023) for the same reasons as above, while outflow rates for retail deposits are similar to those of their regional and OECD peers. It should be noted that the resilience may have been facilitated by the legacy of the temporary liquidity measures (Facility of Credit Conditional on Lending, FCIC) introduced by the BCCh during the pandemic, allowing banks to use their credit portfolios as collateral and potentially avoid the need to sell their HQLAs.27 Moreover, due to the high interconnectedness within the financial system, the liquidity risk of individual banks may pose large externalities to the system. Thus, the authorities’ close monitoring of this type of risk is warranted, and they should stand ready to provide liquidity to the system.
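The scenario arithmetic in paragraphs 9 and 10 can be reproduced as follows. This is an added illustration, not code or data from the IMF report: the three balance sheets are constructed, the `Bank` fields and function names are hypothetical, and it assumes the standard Basel III LCR definition (HQLA over net 30-day outflows, inflows capped at 75 percent of gross outflows) and that a scenario never lowers a run-off rate that is already higher under the regulatory baseline.

```python
"""LCR under 'cyber run' scenarios, using constructed balance sheets."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Run-off rates quoted in the text (following Duffie and Younger, 2019).
ADVERSE_WHOLESALE = 0.50   # 'adverse cyber scenario'
SEVERE_WHOLESALE = 0.75    # 'severe cyber scenario'
RETAIL_RUN = 0.10          # retail run calibrated on the 2014 Bulgarian episode
LCR_MINIMUM = 1.00         # 100 percent regulatory requirement
INFLOW_CAP = 0.75          # Basel III: inflows count up to 75% of gross outflows


@dataclass(frozen=True)
class Bank:
    name: str
    hqla: float                 # high-quality liquid assets
    retail_deposits: float
    retail_rate: float          # baseline regulatory run-off rate
    wholesale_unsecured: float  # operational + non-operational deposits
    wholesale_rate: float       # baseline weighted-average run-off rate
    other_outflows: float       # already run-off weighted
    inflows: float              # already weighted, before the cap


# Scenario name -> (wholesale run-off override, retail run-off override).
SCENARIOS: Dict[str, Tuple[Optional[float], Optional[float]]] = {
    "baseline": (None, None),
    "adverse cyber": (ADVERSE_WHOLESALE, None),
    "severe cyber": (SEVERE_WHOLESALE, None),
    "severe cyber + retail run": (SEVERE_WHOLESALE, RETAIL_RUN),
}


def lcr(bank: Bank, wholesale_rate: Optional[float] = None,
        retail_rate: Optional[float] = None) -> float:
    """Return the LCR as a ratio (1.0 == 100 percent)."""
    # Assumption: stress only ever raises a rate above the baseline.
    w = bank.wholesale_rate if wholesale_rate is None else max(
        wholesale_rate, bank.wholesale_rate)
    r = bank.retail_rate if retail_rate is None else max(
        retail_rate, bank.retail_rate)
    gross = (bank.wholesale_unsecured * w + bank.retail_deposits * r
             + bank.other_outflows)
    net = gross - min(bank.inflows, INFLOW_CAP * gross)
    return bank.hqla / net


def run_scenarios(banks: List[Bank]) -> Dict[str, Dict[str, float]]:
    """LCR for every bank under every scenario."""
    return {b.name: {s: lcr(b, w, r) for s, (w, r) in SCENARIOS.items()}
            for b in banks}


def breaches(results: Dict[str, Dict[str, float]]) -> Dict[str, List[str]]:
    """Banks falling below the 100 percent requirement, per scenario."""
    return {s: sorted(n for n, by_s in results.items()
                      if by_s[s] < LCR_MINIMUM)
            for s in SCENARIOS}


# Constructed sample balance sheets (illustrative units, not real banks).
CONSTRUCTED_BANKS = [
    # Retail-funded, moderate wholesale run-off assumption.
    Bank("Bank A", 120.0, 400.0, 0.05, 100.0, 0.40, 30.0, 20.0),
    # Wholesale-heavy with a low baseline wholesale run-off rate.
    Bank("Bank B", 85.0, 100.0, 0.05, 150.0, 0.25, 10.0, 10.0),
    # Baseline rates already above the stress rates: scenarios do not bite.
    Bank("Bank C", 150.0, 300.0, 0.10, 80.0, 0.80, 20.0, 30.0),
]

if __name__ == "__main__":
    res = run_scenarios(CONSTRUCTED_BANKS)
    for name, by_scenario in res.items():
        row = ", ".join(f"{s}: {v:.0%}" for s, v in by_scenario.items())
        print(f"{name}: {row}")
    print("Below 100 percent:", breaches(res))
```

Bank C shows the mechanism the text singles out: where the baseline run-off assumption for unsecured wholesale deposits is already conservative, the cyber scenarios leave the ratio unchanged.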

Figure 5. Liquidity Risk of Chilean Banks

Sources: Banks’ Pillar III disclosures and IMF staff calculations. Note: Liquidity Coverage Ratios are as of September 2023. The bottom charts indicate weighted average of the outflow rates of each item in unsecured wholesale deposit and retail deposit. “Regional and OECD peers” indicates D-SIBs in Brazil and Mexico, and G-SIBs in OECD countries.

Systemic Vulnerability

11. Consistent with its regional and OECD peers, the Chilean banking sector is highly concentrated, which poses a risk of near-single points of failure in the financial system. The three largest Chilean banks account for around 50 percent and the five largest banks for about 80 percent of total bank assets (Figure 6).28 The literature underscores that a highly concentrated banking sector can result in near-single points of failure due to limited substitutability of financial activities (Brando et al., 2022).

12. Third-party IT supplier risk is relevant for Chilean banks. According to the literature, banks using third-party IT service providers face added cybersecurity risks. Attacks on these providers could infiltrate banks’ systems, regardless of the banks’ own cybersecurity measures (BIS, 2018).29 Cyberattacks on IT suppliers can also create systemic risks, as they often result in their customers becoming simultaneous new victims (Crosignani et al., 2023). In Chile, the cybersecurity rating of the IT service sector is modestly higher than that of regional peers (and banks), implying that third-party supplier risk from cyberattacks may be relatively more contained. This might reflect the fact that Chilean banks have implemented mitigation measures for the risk.30 However, based on Capital IQ Pro supply-chain data,31 although coverage is limited, three of the eight IT suppliers serving the Chilean banking sector provide services to multiple Chilean banks, indicating the systemic nature of third-party IT supplier risk in Chile.32

D. Cybersecurity Risk for Financial Market Infrastructures

13. Financial market infrastructures (FMIs)33 are considered critical entities in the context of cybersecurity risk. FMIs could increase the financial system’s vulnerability to cyber shocks due to low substitutability and high market concentration (BIS, 2014). For instance, if banks were compelled to redirect their payments without the netting and payment efficiencies from the cyber-attacked payment systems, it would necessitate additional liquidity for these payments, thus resulting in disruptions to market volumes and sudden price fluctuations (Brando et al., 2022). Against this backdrop, guidance and best practices to address the FMIs’ cybersecurity risk have been proposed.34

Figure 6. Selected Economies: Systemic Vulnerability of Chilean Banks

Sources: Bitsight, World Bank, and IMF staff calculations. Notes: The left chart indicates assets of the top banks as a share of total commercial banking assets in 2021. The bars and whiskers of “Regional peers” and “OECD” indicate the median and max/min range of regional peers and OECD countries, respectively. In the right chart, “Computer Systems Design and Related Services” (NAICS code, 5415) is defined as IT service sector. “Regional peers” indicates the sum of Brazil, Mexico, Colombia, Argentina, and Peru. “OECD” indicates the sum of OECD countries.

14. In Chile, the risk from lack of substitutability is high. Six FMIs,35 four of them private entities, operate as monopolies within their respective segments.36 The Chilean high-value interbank payment systems (PSs) consist of Sistema LBTR, the central-bank operated real-time gross settlement system, complemented by ComBanc, a privately-owned net clearing system (Figure 7). DCV serves as the central security depository (CSD) for government and corporate securities, while CCLV operates as a securities settlement system (SSS) for debt securities and money market instruments. Two central counterparties (CCPs), ComDer and CCLV, hold monopolistic positions in their respective segments: ComDer covers over-the-counter (OTC) derivatives, while CCLV handles equities and exchange-traded derivatives. Additionally, the BCCh operates SIID-TR as a trade repository (TR) for reporting foreign exchange derivatives transactions. Compared with regional peers, in Chile, PSs and the CSD are relatively larger while CCPs are smaller.37 Most of the participants in the PSs and ComDer (CCP) are banks, but DCV (CSD) and CCLV (CCP) have many other participants.

Chile: Financial Market Infrastructure

Source: BCCh. Note: “Sistema LBTR” is Sistema de Liquidación Bruta en Tiempo Real and “SIID-TR” is Sistema Integrado de Información sobre Transacciones de Derivados.

15. Chilean FMIs follow international standards for cybersecurity risk. Chile has implemented the ‘CPSS-IOSCO (Committee on Payment and Settlement Systems and Technical Committee of the International Organization of Securities Commissions) Principles for Financial Market Infrastructures’ (BIS, 2012), which include information security, business continuity management, and operational risk management.38 Additionally, the CPSS-IOSCO FSAP assessment, conducted by the World Bank in 2016,39 concluded that the FMIs have adopted best practices and international standards for the management of operational risks including cyber risk. All the private FMIs have certificates of ISO 22301 (Business Continuity Management) and ISO/IEC 27001 (information security management).40 Moreover, as operator of the Sistema LBTR, the BCCh has implemented several policies and measures to enhance cyber resilience standards and has also signed a Memorandum of Understanding (MoU) with other FMIs to improve coordination in this matter.

Figure 7. Selected Economies: Financial Market Infrastructures

Sources: CEMLA and IMF staff calculations. Note: As of 2021 except for the number of participants in CSD (as of 2019).

E. Cybersecurity Risk for the Fintech Industry

16. Fintech is considered vulnerable to cybersecurity risk due to the nature of its business. Fintech innovations are frequently exposed to cybersecurity risks due to the increased connectivity that creates numerous entry points for cyber hackers seeking vulnerabilities in the network (Lukonga, 2018). This concern is particularly pertinent for client-facing applications that handle customer data (FSB, 2017b). Moreover, cyberattacks on cryptocurrencies have been rapidly increasing recently,41 with a notable uptick in attacks on Decentralized Finance (DeFi), a crypto-market-based financial intermediation system without central intermediaries, driving this upward trend (Figure 8).42

Figure 8. Global: Crypto Hacks

Sources: Chainalysis and IMF staff calculations.

17. The Chilean fintech market appears to be smaller than those of its regional peers but is exposed through segments that handle large amounts of customer data.43 Compared with regional peers, the number of fintech firms had grown more slowly, but there has been a recent substantial increase (Figure 9). The technologies used by Chilean fintech firms are concentrated on ‘Open platforms & APIs’ and ‘Cloud computing,’ which handle a large volume of customer data, and align with those utilized by its regional peers. The majority of fintech firms operating in Chile are payment and remittance systems, for both domestic and foreign fintech firms,44 and the share of the payment and remittance segment in Chile is higher than in its regional peers. The implementation of the Fintech Law is expected to further foster the market.

18. Cybersecurity risk for the Chilean financial sector through cryptocurrencies appears fairly contained. The Chilean financial sector does not have meaningful exposures to cryptocurrencies. In particular, the sector has no exposure to DeFi activities. Moreover, the transaction volume of cryptocurrencies in Chile is smaller than that of regional peers. It should be noted that issuers of these currencies are global entities, which are not in the regulatory perimeter of the authorities.

Chile: Cryptocurrency Value Received

(In billions of US dollars)

Sources: Chainalysis and IMF staff calculations. Note: As of June 2022-July 2023. The bars and whiskers of “Regional peers” indicate the median and max/min range of Brazil, Mexico, Colombia, Argentina, and Peru.

Figure 9. Fintech Firms

Sources: Finnovista, Inter-American Development Bank (IDB), IDB Invest, and IMF staff calculations. Notes: As of 2023 except for “Fintech Segment for Identified Foreign Fintech Firms” (as of 2021). In the upper left panel, the bars and whiskers of “Regional peers” indicate the median and max/min range of Brazil, Mexico, Colombia, and Argentina. In other panels, the bars and whiskers of “Regional peers” indicate the median and max/min range of Mexico, Colombia, and Argentina. Mexico is as of 2022.

F. Regulations on Cybersecurity Risk in the Financial Sector

19. The CMF is the main regulator of cybersecurity risk in the Chilean financial sector. In line with global standards, Chile has adopted various initiatives to address cybersecurity risk for the nation.45 However, the country so far has no general law or authority that addresses cybersecurity risk, and there is no specialized data protection authority, while the relevant laws are being discussed in Congress.46 Hence, cybersecurity risk in each industry is mainly covered by sectoral regulations and the regulatory authorities.

20. The CMF has recently issued many regulations on cybersecurity risk in the financial sector, and the regulatory framework for cybersecurity risk would be comprehensive (Box 2). A stand-alone Report on the Observance of Standards and Codes for the implementation of the Basel Core Principles for Effective Banking Supervision in Chile, undertaken by the IMF and the World Bank during March-May of 2021, concluded that the Chilean regulatory framework for banks’ operational risk management including cybersecurity risk is comprehensive. Moreover, the Financial Stability Council (CEF)47 monitors and follows cyber incidents with possible systemic impact, and the CEF has an operational continuity working group (Abarca, 2023). Note that the CMF has already established a reporting and information-sharing framework and risk management requirements for banks and insurers. Additionally, plans are in place to enforce them for FMIs, fintech,48 and fund managers. This ensures comprehensive coverage of cybersecurity risk in the financial sectors.49

21. Ensuring sufficient human resources for effective cybersecurity risk supervision is critical. While the regulatory framework is comprehensive, the report above also indicated that the number of cybersecurity experts in the CMF was not sufficient to effectively conduct cybersecurity risk supervision. Ensuring sufficient budget resources for the CMF to attract and retain specialized talent was already one of the 2021 FSAP recommendations. Given that the regulatory perimeter of the CMF is expected to expand to include the fintech sector, this problem could become more serious and hinder the effectiveness of cybersecurity risk supervision. Note that the CMF’s budget for cybersecurity risk supervision has increased while its total budget has decreased.

Recent Regulations on Cybersecurity Risk in the Financial Sector

Sources: Financial Market Commission (CMF) and BCCh.

G. Recommendations

22. Steady implementation of the ongoing policy initiatives is warranted. The regulatory proposals for FMIs and fund managers are expected to strengthen the preparedness of the financial sector for cybersecurity risk. Implementation of the Fintech Law is also critical to address new cybersecurity risk exposures created by fintech activities while embracing the benefits from them. Moreover, the national initiatives, such as establishing the National Cybersecurity Agency and the National Registry of Cybersecurity, could also be beneficial for the financial sector, given potential spillovers from third-party service providers and the importance of information sharing across industries.

23. The authorities should continue to prioritize the recruitment of additional cybersecurity experts. While the regulatory framework appears sound and comprehensive, the effectiveness of these regulations depends on the availability of supervisory resources. In this regard, the increase in the budget for cybersecurity risk supervision is welcome. As experienced with fintech, new technologies, such as AI and quantum computing, could exacerbate cybersecurity risks for the financial sector (Shabsigh and Boukherouaa, 2023), and thus continued efforts to ensure sufficient supervisory resources are vital.

24. The authorities should consider adopting new supervisory exercises to further enhance an industry-wide crisis management framework. For instance, given the systemic nature of cybersecurity risk for the Chilean financial sector, creating cyber maps of financial networks and third-party dependencies would enable the authorities to identify the critical nodes, conduct in-depth analysis of the potential impact on liquidity and solvency, and run top-down stress tests based on cyber scenarios to assess the potential impact on financial stability risks. Additionally, introducing supervisory bottom-up cybersecurity stress tests, which were initiated by the Bank of England in 2022 and are planned by the ECB for 2024,50 could enhance the financial sector’s preparedness for cybersecurity risks.

References

  • Abarca, I., 2023. “Construyendo Ciber Resiliencia en la Industria Financiera (in Spanish).” Banco Central de Chile, blog on Wednesday, May 31, 2023.

    • Search Google Scholar
    • Export Citation
  • Adelmann, F., J. Elliott, I. Ergen, T. Gaidosch, N. Jenkinson, T. Khiaonarong, A. Morozova, N. Schwarz, and C. Wilson, 2020. “Cyber Risk and Financial Stability: It’s a Small World After All.” IMF Staff Discussion Notes 2020/007, International Monetary Fund.

    • Search Google Scholar
    • Export Citation
  • Aldasoro, I., L. Gambacorta, P. Giudici, and T. Leach, 2022a. “The Drivers of Cyber Risk.” Journal of Financial Stability, 60(C).

  • Aldasoro, I., L. Gambacorta, P. Giudici, and T. Leach, 2020b. “Operational and Cyber Risks in the Financial Sector.” BIS Working Papers No 840.

    • Search Google Scholar
    • Export Citation
  • Bank for International Settlement (BIS), 2012. “Principles for Financial Market Infrastructures.” April 2012.

  • Bank for International Settlement (BIS), 2014. “Cyber Resilience in Financial Market Infrastructures.” November 2014.

  • Bank for International Settlement (BIS), 2016. “Guidance on Cyber Resilience for Financial Market Infrastructures.” June 2016.

  • Bank for International Settlement (BIS), 2018. “Cyber-Resilience: Range of Practices.” December 2018

  • Bank for International Settlement (BIS), 2022a. “Business Continuity Planning at Central Banks during and after the Pandemic.” April 2022.

    • Search Google Scholar
    • Export Citation
  • Bank for International Settlement (BIS), 2022b. “Implementation Monitoring of the PFMI: Level 3 Assessment on Financial Market Infrastructures’ Cyber Resilience.” November 2022.

    • Search Google Scholar
    • Export Citation
  • Bank of England (BOE), 2018. “Could a Cyber Attack Cause a Systemic Impact in the Financial Sector?Quarterly Bulletin, 2018 Q4.

  • Bouveret, A, 2018. “Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment.” IMF Working Paper 18/143.

  • Brando, D., A. Kotidis, A. Kovner, M. Lee, and S. Schreft, 2022. “Implications of Cyber Risk for Financial Stability.” FEDS Notes, Board of Governors of the Federal Reserve System, May 12, 2022, Washington, DC.

    • Search Google Scholar
    • Export Citation
  • Carney, M., 2019. “Enable, Empower, Ensure: A New Finance for the New Economy.” Speech delivered at the Mansion House Bankers’ and Merchants’ Dinner, London.

  • Cohen, R., J. Humphries, S. Veau, and R. Francis, 2019. “An Investigation of Cyber Loss Data and Its Links to Operational Risk.” Journal of Operational Risk, 14(3).

  • Crosignani, M., M. Macchiavelli, and A. Silva, 2023. “Pirates without Borders: The Propagation of Cyberattacks through Firms’ Supply Chains.” Journal of Financial Economics, 147, pp. 432–448.

  • Duffie, D. and J. Younger, 2019. “Cyber Runs.” Hutchins Center Working Paper 51, The Brookings Institution.

  • Eisenbach, T., A. Kovner, and M. Lee, 2022. “Cyber Risk and the U.S. Financial System: A pre-Mortem Analysis.” Journal of Financial Economics, 145(3), pp. 802–826.

  • Eisenbach, T., A. Kovner, and M. Lee, 2023. “When It Rains, It Pours: Cyber Risk and Financial Conditions.” Staff Reports 1022, Federal Reserve Bank of New York.

  • European Systemic Risk Board (ESRB), 2020. “Systemic Cyber Risk.” February 2020.

  • Florackis, C., C. Louca, R. Michaely, and M. Weber, 2023. “Cybersecurity Risk.” The Review of Financial Studies, 36, pp. 351–407.

  • The Board of Governors of the Federal Reserve System (FRB), 2021. “Cybersecurity and Financial System Resilience Report.” September 2021.

  • Financial Stability Board (FSB), 2017a. “Stocktake on Cybersecurity Regulatory and Supervisory Practices.” October 2017.

  • Financial Stability Board (FSB), 2017b. “Financial Stability Implications from FinTech.” June 2017.

  • Financial Stability Oversight Committee (FSOC), 2022. “Annual Report.”

  • Goh, J., H. Kang, Z. Koh, J. Lim, C. Ng, G. Sher, and C. Yao, 2020. “Cyber Risk Surveillance: A Case Study of Singapore.” IMF Working Papers 2020/028, International Monetary Fund.

  • Harry, C., and N. Gallagher, 2018. “Classifying Cyber Events.” Journal of Information Warfare, 17(3), pp. 17–31.

  • Healey, J., P. Mosser, K. Rosen, and A. Tache, 2018. “The Future of Financial Stability and Cyber Risk.” mimeo.

  • He, Z., S. Jiang, D. Xu, and X. Yin, 2023. “Investing in Lending Technology: IT Spending in Banking.” NBER Working Paper No. 30403.

  • Jamilov, R., H. Rey, and A. Tahoun, 2021. “The Anatomy of Cyber Risk.” mimeo.

  • Lukonga, I., 2018. “Fintech, Inclusive Growth and Cyber Risks: Focus on the MENAP and CCA Regions.” IMF Working Papers 2018/201, International Monetary Fund.

  • Modi, K., N. Pierri, Y. Timmer, and M. Soledad Martinez Peria, 2022. “The Anatomy of Banks’ IT Investments: Drivers and Implications.” IMF Working Paper 22/244.

  • Montoya, A., and R. Celedon, 2021. “Guidelines for the Development of an Open Finance Framework in Chile, with a Focus on Competition and Financial Inclusion.” August 2021, Ministerio de Hacienda.

  • Shabsigh, G., and E. Boukherouaa, 2023. “Generative Artificial Intelligence in Finance: Risk Considerations.” International Monetary Fund, Fintech Notes, 2023/006.

1

Prepared by Tatsushi Okuda. The paper has benefited from the synergies and association with the ongoing work for the IMF’s Global Financial Stability Report. The author would like to thank the BCCh and CMF staff for the helpful discussions.

2

This database is prepared by leveraging an application to scrape data from relevant cyber sources, which is then reviewed and coded by the research team. Note that this database covers only the incidents that had media coverage, and many of those which were blocked by the targets are not included. Indeed, according to Trend Micro, in Chile, the number of malware detections, email threat detections, and malicious URL detections in the first half of 2021 were, respectively, over 2 million, 47 million, and 1 million, which were much larger than the number of incidents reported by this database.

3

The IMF assessed cybersecurity risk in several Financial Sector Assessment Programs (FSAP) (Switzerland in 2019; Belize and Norway in 2020; Mexico, South Africa, and the United Kingdom in 2022; Iceland and Sweden in 2023) and provided Technical Assistance (e.g., Trinidad and Tobago in 2023).

4

Information and data are from the University of Maryland CISSM Cyber Attacks Database and the BCCh’s FSRs.

5

D-SIBs are designated annually using a methodology developed by the CMF, based on the one from the Basel Committee and with the favorable agreement of the BCCh. The current D-SIBs were designated in March 2023.

6

This observation is consistent with the empirical literature which documents that cybersecurity risk is priced in equity markets (Jamilov et al., 2021; Florackis et al., 2023).

7

Moreover, the CMF experienced cyberattacks in March 2021. These attacks did not disrupt the CMF’s platforms or services, as the organization promptly activated cybersecurity protocols and containment measures to ensure the continuity of services.

8

During the pandemic, the number of online bank accounts was boosted as these accounts were used for the transfer of state aid to lower-income households and due to the greater use of online purchases. This shift led banks to expand their digital offerings and close offices. The rise of online bank accounts may also partially reflect Banco Estado’s introduction of Cuenta RUT in 2006 which is a demand account featuring simplified opening procedures, no income prerequisites, and no maintenance fees.

9

The growth rate of Chilean banks’ nominal IT expenses in the 2010s (threefold) is similar to that of U.S. banks (Modi et al., 2022; He et al., 2023). Because the inflation rate has been moderately higher in Chile than in the U.S., the growth rate of real IT expenses may be modestly higher in the U.S. than in Chile.

10

For example, in its 2022 annual report, Banco de Crédito e Inversiones reported that it invested US$ 80 million in cybersecurity. Aldasoro et al. (2022a) empirically document that firms which invest more in information technology security tend to be more resilient to cyberattacks.

11

According to their 2022 annual reports, Chilean banks have contingency plans for cybersecurity incidents and regularly conduct cybersecurity training for employees. They also adopt international standards for the best practices to address cybersecurity risk including ISO/IEC 27001 (information security management), National Institute of Standards and Technology (NIST) cybersecurity framework, and the Payment Card Industry Data Security Standard (PCI-DSS). Some banks hire cybersecurity specialists as executives, such as Chief Information Security Officers (CISOs).

12

The indicator is provided by MSCI and is calculated based on the quality and coverage of data protection policy, organizational structure, internal control, privacy-enhancing technologies, etc.

13

This indicator is provided by Bitsight and is calculated based on three types of vectors: i) security practices, ii) the presence of malware or unwanted software, and iii) employee activities. In its 2022 annual report, Banco Santander Chile explicitly commits to scoring 800 points in this measure.

14

In terms of privacy data management scores, Chilean banks outperform their OECD peers; however, this may be indicative of sample selection bias, as samples from advanced economies encompass both large and small banks, whereas samples from emerging economies only include large banks. Regarding sample size, that of the cybersecurity rating is much larger than that of privacy data management scores.

15

Bouveret (2018) estimates the potential aggregate costs of cyberattacks to range between 10 percent and 30 percent of banks’ net income. While there exist indirect costs, such as reputational damage, which can have serious, long-lasting financial impacts, the literature has not yet covered these costs as they are difficult to estimate.

16

i) Internal fraud: misappropriation of assets, tax evasion, intentional mismarking of positions and bribery, ii) External fraud: theft of information, hacking damage, third-party theft and forgery, iii) Labor practices and business safety: discrimination, workers’ compensation, employee health and safety, iv) Customers, products and business practices: market manipulation, antitrust, improper trade, product defects, fiduciary breaches and account churning, v) Damage to physical assets: natural disasters, terrorism and vandalism, vi) Business interruption and systems failures: utility disruptions, software failures and hardware failures, and vii) Execution, delivery and process management: data entry errors, accounting errors, failed mandatory reporting and negligent loss of client assets.

17

This ‘external fraud’ includes self-induced fraud by customers.

18

‘Internal fraud’ is included to consider the possibility that employees caused cyber incidents.

19

The impact is calculated by dividing annual gross operational losses by risk-weighted assets.

20

The maximum stress is calibrated to the maximum impact of historical operational losses to assets in the annual frequency panel dataset of all individual banks in 2019–22. The impact on capital ratios under the stress is calculated by multiplying the impact of historical operational losses on capital ratios by the ratio between maximum stress and historical impact in terms of operational losses to assets. The same applies to the calculation of the operational loss to capital to operational risk.

21

The capital to operational risk is calculated by dividing the risk-weighted assets for operational risk by 12.5, and the loss to capital ratio is calculated by dividing annual gross losses by the capital to operational risk. Note that the share of risk-weighted assets for operational risk is around 10 percent among Chilean banks.

22

The database is also expected to include the operational losses from the cyberattacks which were not reported in the media and thus are not included in CISSM Cyber Attacks Database. Aldasoro et al. (2020b) reported that while operational losses from cyber incidents represent a small fraction of total operational losses, they can significantly impact the total operational value-at-risk. Cohen et al. (2019) also suggest that cyber loss data shares a risk profile similar to non-cyber operational losses. This allows for the application of existing operational risk modeling techniques to assess the financial impact of cyber risk.

23

The outflows from unsecured wholesale deposits are assumed to decrease high-quality liquid assets (HQLAs) by forcing banks to sell them. The outflows are also assumed to reduce their unweighted exposures to the deposits. The former channel decreases the LCRs while the latter channel increases the LCRs. Outflow rates for the deposits are assumed to remain unchanged.

24

Cyberattacks often occur during financial stress (Eisenbach et al. 2023) and thus, banks should continue to satisfy the 100 percent LCR requirement after cyberattacks.

25

Note that the LCRs decrease to some extent if the same outflow rates from secured wholesale funding are additionally assumed because the outflow rate assumptions for the item are low. However, the results remain overall unchanged.

26

On June 27, 2014, Bulgaria’s largest domestic bank, First Investment Bank (FIB), experienced a 10 percent deposit run due to false emails and social media rumors about a liquidity shortage, prompting the bank to use a government-provided liquidity assistance scheme.

27

However, it should also be noted that the implemented Basel III liquidity requirement provides incentives for banks to continue holding HQLAs to meet a 100 percent LCR regulatory requirement, even after the unwinding of the FCIC.

28

17 banks are operating in Chile, of which six are D-SIBs (Banco de Chile, Banco de Crédito e Inversiones, Banco del Estado de Chile, Banco Santander-Chile, Banco Itaú Chile, and Scotiabank Chile) as of March 2023, accounting for around 90 percent of bank assets.

29

For example, on June 27, 2017, Ukrainian banks and companies fell victim to a cyberattack by Russian hackers using the NotPetya virus. This malware spread rapidly through a software update for accounting programs, affecting a wide range of businesses, financial institutions, and government agencies. According to the National Bank of Ukraine’s December 2017 Financial Stability Report, the attack impacted 35 percent of the Ukrainian banking sector by net assets and 32 percent by household deposits, with most banks facing operational difficulties for several days. Foreign multinational companies were also affected through their Ukrainian subsidiaries (Crosignani et al., 2023).

30

According to their 2022 annual reports, Chilean banks have implemented measures to mitigate the cybersecurity risk from third-party IT suppliers such as setting cybersecurity standards for suppliers.

31

The database is prepared based on banks’ publicly disclosed data.

32

On October 23, 2023, a Chilean telecommunications company, GTD, suffered a ransomware attack that affected part of its Infrastructure as a service (IaaS) platform, disrupting online services. According to the media, about 3,500 firms were impacted by this incident. This incident highlights the importance of the third-party IT supplier risk in Chile. Moreover, in terms of the concentration of IT service providers, cloud computing services are reported to be highly concentrated globally (Carney, 2019).

33

Payment systems (PS), central securities depositories (CSD), securities settlement systems (SSS), central counterparties (CCP) and trade repositories (TR) are designated as FMIs (BIS, 2012).

34

For example, in 2016, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions published ‘Guidance on cyber resilience for FMIs’ (BIS, 2016), and in 2022 they published ‘Implementation monitoring of the PFMI: Level 3 assessment on Financial Market Infrastructures’ Cyber Resilience,’ which summarized the adoption status of the guidance above in each country (BIS, 2022b). Additionally, the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a global messaging network used by financial institutions to send and receive information and one of the critical service providers in payment systems, is imposing the SWIFT Customer Security Programme on its users to improve information sharing among SWIFT users, to increase the level of security awareness and education, and to establish a set of mandatory security controls that SWIFT customers must implement.

35

Within the low-value payment system (involving credit cards, checks, and ATMs), CCA (Centro de Compensación Automatizado), a privately-owned for-profit corporation, operates alongside low-value clearinghouses. Moreover, implementation of Low Value Payment Clearing Houses (CPBV) is in progress; CCA will start to operate the ‘Clearinghouse for interbank Electronic Funds Transfers’ at the end of 2023-early 2024, and the BCCh is currently reviewing the internal rules of the other six CPBVs.

36

Moreover, according to the BCCh’s FSR, the BCCh has promoted incorporating the Chilean peso into the Continuous Linked Settlement (CLS) in Switzerland, the world’s leading provider of FX settlement services. If successful, integrating the LBTR system with interbank payment systems in other countries via CLS would heighten cybersecurity risks for the Chilean financial sector while also enhancing the efficiency of financial activities.

37

These charts are based on the ‘Yellow Book Statistics,’ a set of statistics on payments and financial market infrastructures in Latin American and Caribbean countries published by the Center for Latin American Monetary Studies (CEMLA). The methodology follows the structure of the BIS Red Book, and national central banks prepare the data with the support of CEMLA.

38

This is based on Level 1 self-assessments. Chile has not participated in level 2 (peer review) and level 3 (peer benchmarking) assessments.

39

The reports are available here: Sistema LBTR, ComBanc, DCV, CCLV, and ComDer.

40

In Chile, the National Institute for Standardization (INN) authenticates the ISO standards.

41

The charts of cryptocurrency used in this study are created based on the estimates by Chainalysis, the blockchain data platform. It should be noted that so far financial stability risks from cyberattacks on cryptocurrencies are limited. For example, global banks’ exposures to cryptocurrencies are limited, according to the Basel III monitoring report in 2022.

42

The vulnerability of DeFi to cybersecurity threats is connected to the reliance on smart contracts—computer codes stored on the blockchain and activated when specific conditions are met. All transactions occur on the blockchain, and the codes overseeing DeFi protocols are publicly accessible. While this transparency aims to improve transactions among blockchain users, it also exposes DeFi to cybersecurity risks. Hackers can scrutinize the computer codes to pinpoint vulnerabilities and strategically exploit transaction data to maximize the impact of their cyberattacks.

43

The charts of fintech firms used in this study are created based on the joint study by Finnovista and Inter-American Development Bank and Fintech Radars by Finnovista, which publishes research and periodical reports on the state and latest trends of Fintech innovations in Latin America.

44

In Chile, 20 percent of operating fintech firms are foreign, most of which are Colombian, Mexican, and Argentinian.

45

For example, Chile published its National Cybersecurity Policy 2017–2022, with the goal of promoting a free, open, safe, and resilient cyberspace. Afterwards, in 2018, Chile established the Computer Security Incident Response Team (CSIRT) under the Ministry of the Interior and Public Security to strengthen and promote cybersecurity practices, policies, laws, regulations, protocols, and standards in state administration and critical infrastructures. Chile also joined international initiatives such as the Cyber Security Program, developed by the Organization of American States (OAS). Moreover, in June 2022, Chile introduced a computer crimes law, covering offenses like system attacks, unauthorized access, data interception, forgery, fraud, and device abuse, with penalties based on severity. In December 2023, Chile’s National Cybersecurity Policy for 2023–2027 was introduced. It advocates for the establishment of the National Cybersecurity Agency and the National Registry of Cybersecurity Incidents and aims to enhance the resilience of information infrastructures and facilitate internal and international coordination.

46

The Cybersecurity and Critical Information Infrastructure Framework Bill is under discussion in Congress. It aims to create a National Cybersecurity Agency and establish procedures for protecting essential services, drawing from EU regulations like the NIS 1 and NIS 2 Directives and Spain’s critical information infrastructure protection rules. The bill includes definitions for terms like cyberattack and cybersecurity and sets minimum requirements for incident prevention, containment, resolution, and response. It also proposes the creation of entities such as the National Cybersecurity Agency and the National Registry of Cybersecurity Incidents. The bill on personal data protection is also under discussion in Congress. The bill aligns with international standards, such as the EU’s GDPR, to protect people’s rights and freedoms regarding their personal data, while also proposing the establishment of a national authority for personal data protection. The National Consumer Service (SERNAC) currently manages personal data protection in consumer affairs and will do so until a dedicated data protection authority is established.

47

The CEF was created in 2011, and it is chaired by the finance minister and includes the CMF president, the Pension Superintendent, and the BCCh Governor as a permanent invitee and advisor.

48

Note that payment providers engaging in fintech activities are already subject to cybersecurity regulations issued by the CMF.

49

The CMF presented details of the regulations on FMIs in 2018 and 2023. Note that Chile received Technical Assistance on cybersecurity policies from the IMF in 2017 (Abarca, 2023).

50

Additionally, in collaboration with the IMF, the Monetary Authority of Singapore conducted bottom-up cyber stress testing on banks’ capital ratios and liquidity ratios (LCRs) (Goh et al., 2020).

Chile: Selected Issues
Author: International Monetary Fund. Western Hemisphere Dept.