Cyber Risk and Financial Stability: It’s a Small World After All
Authors: Frank Adelmann (International Monetary Fund, ISNI 0000000404811396, https://isni.org/isni/0000000404811396), Ibrahim Ergen, Tamas Gaidosch (International Monetary Fund), Nigel Jenkinson (International Monetary Fund), Anastasiia Morozova (International Monetary Fund), Nadine Schwarz, and Christopher Wilson
Abstract

The ability of attackers to undermine, disrupt and disable information and communication technology systems used by financial institutions is a threat to financial stability and one that requires additional attention.

Cyber Risk as a Threat to Financial Stability

A. Growing Risk

1. Attacks on information and communication technology systems (cyberattacks) are rising globally, and financial services continue to be the most targeted industry.4 Use by criminals (“cybercrime”) has become more widespread—there is a relatively low risk of prosecution and widespread availability of easy-to-use attack tools and cybercrime support services. Advances in technology have provided additional opportunities for attackers as well as for financial institutions aiming to prevent and mitigate the risk. Hacking tools have evolved over the past two decades and can now be used by relatively low-skilled attackers at a fraction of the previous cost (Figure 1). This has led to a sharp rise in the number of cyber incidents and data breaches (Figure 2).

Figure 1. Evolution of Cyber Risk
Citation: Staff Discussion Notes 2020, 007; 10.5089/9781513512297.006.A001
Source: Carnegie Mellon University. Note: DDoS = distributed denial of service; GUI = graphical user interface.

Figure 2. The Rising Number of Cyber Incidents
Source: Identity Theft Resource Center.

2. Cyber threats have become more sophisticated and typically span several jurisdictions, making them harder to investigate and prosecute. Cyberattacks have been industrialized—for many operations there is an international division of work; there are markets for hacking services, vulnerability exchanges, specialist operators, and outsourcing service providers. Attackers show a degree of agility in cooperation across borders that authorities find difficult to match.

3. While most attacks are financially motivated, rising geopolitical tensions also increase the risk of disruption-motivated incidents (Figure 3). Financial services are vulnerable to a wide range of attackers, from lone hackers to sophisticated criminal organizations and nation-state cyber warfare units. The financial sector’s reliance on data increases both its vulnerability and the complexity of cybersecurity. Data corruption is an emerging additional threat in which the attacker feeds bad or misleading data into systems rather than taking them offline; because the systems keep running, such integrity attacks can go undetected for longer than outages. When the corrupted data is used to train or feed machine learning models, the attack is usually referred to as “data poisoning.” As with the introduction of disinformation through “fake news,” the most worrisome aspect of such attacks is the undermining of confidence. The advent of machine learning and artificial intelligence makes this risk even more relevant should undetected corrupted data be fed into algorithms and used in decision-making.

Figure 3. Evolution of Cyberattacks, 2010–20
Source: IMF staff illustration.

B. From Cyberattack to Financial Stability Risk

4. Cyber risk can impact financial stability through three channels: loss of confidence, lack of substitutability, and interconnectedness.5 Figure 4 illustrates the causal chain from cyberattack to financial instability, highlighting the most common root causes and likely transmission channels, although of course alternative combinations are possible. We observe that, with some notable exceptions, most successful cyberattacks affect one institution and produce limited damage. A successful attack with enough technical force to disable or disrupt a key institution, or to spread through the system, could, however, become a systemic event.

Figure 4. Cybersecurity and Financial Stability Channels
Source: IMF staff. Note: FMI = financial market infrastructure.

Loss of Confidence

5. Lengthy outages and compromised data integrity can lead to a loss of confidence. If a widespread attack paralyzes critical operations for an extended period, it may eventually lead customers and market participants to lose confidence in the financial system, making them reluctant to extend liquidity or credit, thereby causing further damage. Attacks and outages affecting one firm may lead to the conclusion that other firms are similarly vulnerable. For example, in the week following the announcement of the Equifax data breach in the United States in 2017, the firm lost 35 percent of its stock value.6 Although similar firms TransUnion and Experian did not report data breaches, market contagion triggered a 13 percent and 6 percent drop in their equity prices, respectively.7 Similarly, the disruption of New Zealand’s stock exchange in 2020 due to a series of cyberattacks led to a loss of confidence; the trading system remained technically operational, but trading had to be stopped because of concerns about market integrity.8 Under extreme scenarios, investors and depositors may demand their funds or try to cancel their accounts or other services and products they regularly use.

6. Liquidity is likely to be affected quickly if confidence is lost. System outages and severed communication links can prevent otherwise financially healthy institutions from accessing funding or assets, which would impair their ability to manage exposures and conduct lending and other operations, with the potential for solvency concerns. If the attack compromises the pricing of securities, it will have a system-wide impact (Boer and Vasquez 2017). A simultaneous attack on several institutions could, for example, disrupt safeguards in clearing and settlement systems, resulting in a halt in trading. Recovery of data, moreover, can be complex, and questions about the accuracy of the recovered data could mean that the problem continues over a lengthy period of time.

Lack of Substitutability

7. The loss of a key service, without easy substitution by other service providers, is another channel through which cyberattacks can affect financial stability. In many financial systems, one or two large institutions may provide critical services such as custodial or clearing services, which if impacted in an outage would have repercussions in the rest of the sector. Large institutions that dominate interbank markets, institutions that provide niche services, and, in developing economies, correspondent banks may all pose substitutability risks. For example, a systems outage at a key financial market infrastructure (FMI), such as a payment system, could disrupt transaction processing, with a chain effect across the system (see Appendix I for a more detailed discussion of the criticality of FMI).

8. Weaknesses in technology used across the industry can expose many institutions to threats simultaneously and have a broad effect on the entire financial sector.9 Finding alternative technologies is often difficult and expensive, as is evident, for example, in the long life cycles of infrastructure and business software used in banks. The consolidation of the information and communication technology sector increases this difficulty. Appendix II considers potential approaches to third-party outsourcing in detail.

Interconnectedness

9. Interconnectedness—within the financial system and across technologies—also increases the financial stability risk arising from cyberattacks. Financial institutions transact bilaterally and through trading, settlement, and clearing platforms; the central bank; and payment systems. Institutions are also linked through lending and counterparty risk. An outage in one institution may cause difficulties for counterparties, leading to liquidity problems across the system. For example, in a real-time gross settlement system several banks may rely on incoming payments from a major participant, which if incapacitated can put pressure on intraday liquidity. The financial sector is heavily dependent on data and relies on common data sources, enhancing interconnectedness. Data integrity concerns may call into question a chain of transactions—particularly since the inception of the breach may not be easy to pinpoint. Even if only one institution is directly affected by an attack, the interconnections in the system may spread the impact more widely.

10. Technology interconnectedness—exposure to common hardware and software packages, as well as common technology service providers such as cloud services—may also exacerbate contagion risk from cyberattacks. Cyberattacks can propagate not only through third-party technology service providers but also through targeted clients, retail partners, or counterparties. The cross-border nature of both financial and IT services also raises the risk of cross-border contagion from large-scale cyberattacks.

Enhancing Cybersecurity in the Financial System

11. Mitigating cyber risk in the financial sector is a key public policy objective. The digitalization of the financial sector has led to even greater emphasis on cyber risk, which is now a priority for private financial institutions—chief executive officers often cite this risk as among their top three concerns. But there is also clear public interest in managing cyber risk across the financial sector, especially since a successful cyberattack has the potential to jeopardize financial stability. Crucially, although financial institutions have clear individual incentives to invest in protection, absent regulation and public policy intervention, they will tend to underinvest from the perspective of society and the broader financial system interest—for example, they will not take into account the impact of their failure or a broader attack on the system as a whole (Kashyap and Wetherilt 2018). While much is being done, we set out below areas where we see a need for further work, with emphasis on the official sector’s role.

A. Financial Stability Analysis and Cyber Risk

12. Further improving the identification of major sources of system-wide cyber risk and the potential impact on financial stability will strengthen risk mitigation. Cyber risk is now commonly highlighted in financial stability reports published by central banks and prudential authorities, although there is significant scope to improve both the quantification of risks and the integration of cyber risk into broader financial stability analysis. Tools are emerging to allow authorities to better understand the nature of the systemic threat and its potential impact. We outline below three such tools that could be widely adopted.

Cyber Mapping

13. A “cyber map” identifies the main technologies, services, and connections between financial sector institutions, service providers, and in-house or third-party systems. At a conceptual level, mapping aims to highlight key financial and technological connections between financial institutions (including FMIs) and between these firms and third-party technology and service providers. Even a basic map will identify systemic institutions, service providers, and technology providers and their relationships in the financial system (Figure 5) and thus provide a valuable reference for supervisors to identify key vulnerabilities and allocate resources.10 As an example, Norges Bank produced a map of the Norwegian financial sector that sets out fundamental functions. Based on these functions, critical objects, infrastructures, and information systems have been defined at the national level. Sectoral agencies have then added further detail to the initial map, which is used to inform both supervision and financial stability analysis (IMF 2020).11

Figure 5. Elements of a Simple Financial Sector Map
Source: IMF staff.

14. The dynamism and complexity of the financial sector and the technologies it uses can make cyber mapping challenging. It can be expensive and time-consuming to build detailed maps. However, mapping exercises that do not aspire to completeness and apply thresholds for inclusion, as well as qualitative approaches, have proved to be a useful tool.
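The following is an added worked example of the mapping idea in paragraph 13 and of the interconnectedness channel in paragraphs 9 and 10; it is not code from the note or from any authority’s mapping exercise. A cyber map is treated as a directed dependency graph (institution or FMI depends on provider), and the map is queried for the nodes whose outage would disrupt the most institutions, directly or through a chain of dependencies. All institutions, providers and links are constructed sample data, and the rule that a lost dependency fully incapacitates the dependent is a simplifying assumption.

```python
"""Toy "cyber map" as a dependency graph.

Added worked example for the cyber mapping discussion and the
interconnectedness channel; not code from the note or from any supervisor's
mapping exercise. The institutions, providers and dependency links below are
constructed sample data, not a real financial system.
"""
from collections import defaultdict, deque

# Directed edges: X -> [Y, ...] means "X needs Y to keep operating" (constructed).
# Payment systems (RTGS), clearing (CCP), cloud hosting and core-banking software
# appear alongside banks because a cyber map covers both institutions and the
# technology and service providers behind them.
DEPENDS_ON = {
    "Bank A": ["RTGS", "CCP", "CloudCo", "CoreBankingVendor"],
    "Bank B": ["RTGS", "CCP", "CloudCo"],
    "Bank C": ["RTGS", "Bank A", "CoreBankingVendor"],  # Bank C settles through Bank A
    "Broker D": ["CCP", "CloudCo"],
    "RTGS": ["CloudCo"],  # hypothetical: the payment system is itself hosted on CloudCo
    "CCP": [],
    "CloudCo": [],
    "CoreBankingVendor": [],
}
INSTITUTIONS = ["Bank A", "Bank B", "Bank C", "Broker D"]


def dependents(graph):
    """Invert the map: Y -> [X, ...] for every X that depends directly on Y."""
    rev = defaultdict(list)
    for node, deps in graph.items():
        for dep in deps:
            rev[dep].append(node)
    return rev


def blast_radius(graph, failed):
    """All nodes that lose a direct or transitive dependency if `failed` goes down.

    Simplifying assumption: any lost dependency fully incapacitates the dependent.
    A real map would weight links by criticality and allow for fallbacks. The
    visited set makes the search terminate even if the map contains cycles
    (for example two banks that are each other's correspondent).
    """
    rev = dependents(graph)
    hit, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for dep in rev.get(node, []):
            if dep not in hit:
                hit.add(dep)
                queue.append(dep)
    return hit


def rank_by_impact(graph, institutions):
    """Rank every node by how many of `institutions` its outage would disrupt.

    Nodes at the top are the concentration points a supervisor would look at
    first: shared providers (substitutability) and hubs through which an outage
    spreads to otherwise healthy firms (interconnectedness).
    """
    targets = set(institutions)
    scores = {node: len(blast_radius(graph, node) & targets) for node in graph}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def concentration(graph, institutions, threshold):
    """Nodes whose outage would disrupt at least `threshold` of the institutions."""
    return [node for node, n in rank_by_impact(graph, institutions) if n >= threshold]


if __name__ == "__main__":
    for node, n in rank_by_impact(DEPENDS_ON, INSTITUTIONS):
        print(f"{node:18s} disrupts {n} of {len(INSTITUTIONS)} institutions: "
              f"{sorted(blast_radius(DEPENDS_ON, node) & set(INSTITUTIONS))}")
    print("Single points of failure (>=3 institutions):",
          concentration(DEPENDS_ON, INSTITUTIONS, 3))
```

In the sample map the cloud provider and the CCP rank above the payment system itself, because the payment system is (hypothetically) hosted on the cloud provider and because Bank C, which does not use the CCP directly, still loses its settlement route when Bank A does. That is the kind of hidden concentration a map with an inclusion threshold, as paragraph 14 suggests, is meant to surface without having to be complete.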

Quantitative Analysis

15. Accurate quantitative estimates of potential losses could usefully inform both firm risk management and financial stability analysis, although producing reliable estimates is difficult and remains a work in progress. Difficulties stem in part from the limited availability of data on the frequency and loss severity of cyberattacks. Moreover, even if complete data on historical losses were available, the rapidly evolving nature of cyberattacks and the threat landscape would still pose a challenge to accurate estimation of potential future losses. Distributions of losses from cyberattacks are also characterized by heavy tails, which complicates formal statistical analysis. A promising development in measuring losses as a result of cyber risk is the new operational risk framework of the Basel Committee, which could motivate more banks to collect operational risk data, including on cyber risk.12

16. Against this backdrop, improving the quality and availability of data on losses from cyberattacks, as well as further development of modeling techniques, would help support risk management, supplementing qualitative approaches that rely heavily on expert judgment. At the firm level, the total costs of cyber incidents include a wide range of direct and indirect elements, with indirect costs typically accounting for the majority. Direct costs (those that can be specifically traced to the occurrence) are incurred early and over a relatively short time period. Indirect (or hidden) costs are incurred over a longer time period and are more difficult to attribute and quantify. These include declines in future revenue, lost productivity, devaluation of trade name, increased borrowing costs, and so on. Insurance typically does not cover such indirect costs, which compounds the problem. Although the cost is difficult to quantify, industry research suggests that total costs have ballooned in recent years. For example, a recent Accenture study puts the average yearly cost of cybercrime for larger organizations at $13 million, a 72 percent increase over five years (Accenture 2019).13 In addition, a recent study from Aldasoro and others (2020) found that losses from cyberattacks are still only a small portion of operational losses, but can account for a significant share of total operational value at risk (VaR).

Stress Testing

17. Stress testing of cyber risk offers promise as a tool to support supervisors and policymakers. Under such approaches, financial institutions are typically asked to assess the impact of cyberattacks on liquidity and capital. These tests generally involve institutions estimating losses from a prescribed scenario and supervisory review of financial institutions’ procedures and coverage against cybersecurity risk. Cyber risk scenarios could also be included in the stress testing and network analysis of FMIs (Heijmans and Wendt 2020). Such exercises encourage financial institutions to further develop their risk management practices in this area. As an example, the Monetary Authority of Singapore conducted a firm-level cyber risk survey as part of the 2019 IMF Financial Sector Assessment Program, which included quantitative estimates of potential losses, among other matters. On average, banks estimated that losses from a direct cyberattack would amount to about 35–65 percent of quarterly net profits, depending on the cyber scenario type, and would cause the Capital Adequacy Ratio (CAR) and the Liquidity Coverage Ratio (LCR) to drop by 0.1–0.4 and 8.4–35 percent respectively (Goh and others 2020).

18. Comparatively, cyber risk quantification at the systemic level is at an earlier stage of development. This is an active area of financial stability analysis. Although there are large uncertainty margins around current estimates, these are likely to narrow as data and modeling approaches continue to improve. Estimates of potential losses are high. For example, through Monte Carlo simulations, Bouveret (2018) estimates the 95 percent VaR loss to be $147 billion for financial institutions globally (14 percent of global net income). Bouveret conducts a further experiment in which the mean cyberattack frequency is set to two times its historical peak. Under this scenario, the 95 percent VaR loss rises to $352 billion (34 percent of net income).
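To make the estimation problem in paragraphs 15 and 18 concrete, the block below is an added example of the loss-distribution approach used in operational risk: a Poisson number of incidents per year, each with a heavy-tailed (lognormal) severity, aggregated by Monte Carlo, from which the 95 percent VaR and expected shortfall are read off, followed by the frequency-doubling stress that paragraph 18 describes. It is not Bouveret’s (2018) model or data; the distributional choices and every parameter value (mean frequency, median severity, tail width, number of simulated years) are assumptions made for illustration.

```python
"""Loss-distribution Monte Carlo for cyber losses, with a frequency stress.

Added worked example for the quantitative analysis discussion. It is not
Bouveret's (2018) model or data: the Poisson frequency, the lognormal
severity, and every parameter value below are assumptions chosen to show the
mechanics (heavy tails, 95 percent VaR, doubling the attack frequency).
"""
import math
import random


def poisson(lam, rng):
    """Poisson draw by Knuth's method; adequate for the small annual incident
    counts used here (exp(-lam) underflows for lam beyond roughly 700)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n_years, mean_frequency, sev_mu, sev_sigma, seed=1):
    """One aggregate loss per simulated year: a Poisson number of incidents,
    each with a lognormal severity (the heavy right tail the note describes).
    sev_mu is the natural log of the median single-incident loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        n_incidents = poisson(mean_frequency, rng)
        losses.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n_incidents)))
    return losses


def value_at_risk(losses, level=0.95):
    """Empirical VaR: the loss exceeded in only (1 - level) of simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(level * len(ordered)) - 1)
    return ordered[idx]


def expected_shortfall(losses, level=0.95):
    """Mean loss in the years at or beyond the VaR. With heavy tails this sits
    well above the VaR and is the number that decides whether capital suffices."""
    var = value_at_risk(losses, level)
    tail = [x for x in losses if x >= var]
    return sum(tail) / len(tail)


def cyber_var_scenarios(mean_frequency=2.0, median_severity=5e6, sev_sigma=1.5,
                        n_years=20000, level=0.95, seed=7):
    """Baseline versus a stress in which mean attack frequency is doubled.
    All defaults are illustrative assumptions, not calibrated figures."""
    sev_mu = math.log(median_severity)
    base = simulate_annual_losses(n_years, mean_frequency, sev_mu, sev_sigma, seed)
    stressed = simulate_annual_losses(n_years, 2 * mean_frequency, sev_mu, sev_sigma, seed)
    return {
        "baseline_mean": sum(base) / n_years,
        "baseline_var": value_at_risk(base, level),
        "baseline_es": expected_shortfall(base, level),
        "stressed_var": value_at_risk(stressed, level),
        "stressed_es": expected_shortfall(stressed, level),
    }


if __name__ == "__main__":
    results = cyber_var_scenarios()
    for name, value in results.items():
        print(f"{name:14s} {value / 1e6:10.1f} million")
    print("VaR / mean ratio:", round(results["baseline_var"] / results["baseline_mean"], 1))
```

Two properties of the output bear directly on paragraph 15. First, the VaR is several times the mean annual loss and the expected shortfall is larger still, so an institution that budgets for the average year is not provisioned for the tail. Second, re-running with a larger sev_sigma or a smaller n_years moves the 95 percent quantile noticeably: with heavy-tailed severities the sample quantile converges slowly, which is why the note’s warning about wide uncertainty margins applies even when the model form is right.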

B. Regulatory and Supervisory Frameworks

19. Cybersecurity regulation and supervision play an important role in strengthening resilience and delivering public policy objectives. Regulation and supervision set consistent minimum standards to be used by financial institutions, including promoting good cyber hygiene and setting expectations for risk management practices, incident reporting, and response and recovery protocols, as well as internal governance procedures. Active financial supervision supports effective implementation (Gaidosch and others 2019).

20. Good progress has been made to strengthen cybersecurity regulatory requirements, but fragmentation within and across borders causes inefficiencies. National requirements typically incorporate internationally recognized technical standards14—requirements governing how to deal with the technology itself. But there are currently often differences in the transposition of the technical standards into national frameworks. While certain differences in requirements may be justified, fragmented control environments may complicate cyber risk management and drive compliance costs up, particularly for international financial institutions. It is not uncommon, for example, for large international banks to be required to comply with many cybersecurity regulatory requirements that differ slightly but in essence reflect the same control concept. Different industries within the financial sector—for example, insurance and securities—can also be subject to different requirements, which further complicates compliance for large entities active in several industries. Enhanced consistency and convergence among the approaches nationally and internationally would free up resources that could be spent more effectively on managing and responding to risk.

21. Efforts to address fragmentation and promote harmonization are underway, but convergence is a slow process, and smaller jurisdictions may be left behind. The Group of Seven (G7), Financial Stability Board (FSB), and Committee on Payments and Market Infrastructure–International Organization of Securities Commissions (CPMI-IOSCO) have published well-known high-level principles. The Basel Committee on Banking Supervision is working on additional principles on operational resilience. In practice, these guidelines have formed the basis for development of national standards for most of the larger and more sophisticated jurisdictions. For jurisdictions that do not participate in these formal standard-setting bodies, however, progress has been more limited, and many jurisdictions have yet to finalize the drafting and implementation of cybersecurity regulations. Lack of technical capacity and experience in transposing high-level principles to suit local circumstances is the most common challenge.

C. Response and Recovery—Cyber Resilience

22. Cyber resilience15 has emerged as an important concept in cybersecurity. While strong cyber hygiene and preventative actions remain important, past assumptions that cyberattacks can be repelled or are relatively rare have given way to the reality that such attacks are a continuous threat and that many will have a degree of success. As the sheer number of incidents rises, both industry and supervisors have refocused from zero tolerance of successful breaches of institutions’ systems toward a more pragmatic approach that concentrates on containing the problem and maintaining operations.

23. Industry and regulators are enhancing their capabilities to take action after a detected cybersecurity incident (response function) and to restore any impaired systems or services (recovery function). Financial institutions are strengthening internal response and recovery protocols that help maintain critical business functions during disruptions; such preparations also reduce incentives for those seeking to disrupt operations. Adding to this, supervisors have started developing protocols that take an industry-wide view of critical financial services to ensure that operations are maintained or can recover quickly to avoid undue disruption.16 Supervisors play a key coordination role in response—they are uniquely positioned to identify and observe incidents across financial institutions, are able to share information broadly across the sector in a timely manner, and have a critical role in restoring and maintaining public confidence, including through communication. Emerging market and developing economy countries face challenges in this process, however (Box 1).

Box 1. Cyber Resilience in Emerging Market and Developing Economy Countries

Cyber resilience requires an ongoing effort for all countries, but for developing economies the challenges are particularly daunting. Some of the most high-profile cyberattacks have been in developing and emerging economies—for example, the attacks on the Bangladesh Bank and on banks in Chile and a malware attack on Boleto Bancário, a money order payment system in Brazil. The global cybersecurity skill shortage in both the private and public sectors is rising—there were more than 4 million unfilled positions globally in 2019, up from just less than 3 million in 2018. Per capita, the shortage is most acute in low- and middle-income countries,1 because of a lack of specialized university courses, less competitive salary structures, and limited access to international expertise. In addition, these countries may have small budgets for advanced cybersecurity technologies that can help identify, protect, detect, recover from, and respond to cyberattacks. Further, there is a risk that, as advanced economy countries become more resilient, attackers will target small and vulnerable nations.

Successful cyberattacks can have far-reaching consequences for developing economies. Outages can have profound effects on the functioning of the financial sector and financing of the real economy, and developing economies are less able to weather such storms. Without the ability to respond and recover, a developing economy is more likely to have a prolonged outage, with potential damage to confidence in the financial system more broadly. International programs, such as the SWIFT Customer Security Program,2 aim to help participants achieve a cybersecurity baseline. However, given generally limited resources, further initiatives, such as expanded technical assistance, are needed to address the widening cyber resilience gap between higher- and lower-income countries.3

Facing these challenges will demand resources from financial institutions and the official sector alike. In the wake of the Bangladesh attack, SWIFT (the international financial messaging system that was fraudulently used in the attack) developed a set of cyber hygiene standards and implemented them globally. The Carnegie Endowment for International Peace developed an online toolkit designed for low-capacity environments. The UK Foreign and Commonwealth Office sponsored an exercise for crisis-management testing with African central banks, and the Bank of France has instituted workshops on cybersecurity for more than 80 countries. The IMF, the World Bank, and the Inter-American Development Bank now have capacity development programs, including an annual global workshop at the IMF for low‑income countries supplemented by regional workshops and bilateral assistance. But needs continue to grow in this area, especially as low-income countries try to close the digital gap within their societies and provide greater access to payment services and other financial technologies. It will be important to support cyber risk mitigation as a means of ensuring continued financial stability and integrity, to protect assets in economies less able to absorb loss, and to underpin confidence in new and emerging technologies. Since one of the major causes of inadequate cybersecurity is the dearth of qualified expertise, a promising approach is to encourage and support formal education and professional certification in cybersecurity.

1 (ISC)2 2019.
2 See more details at https://www.swift.com/myswift/customer-security-programme-csp.
3 An indicator of the widening gap is the increase in the relative incidence of successful attacks against financial institutions, including central banks, in lower-income jurisdictions, compared with those in advanced economies.

24. Strengthening the cross-border aspects of response and recovery arrangements is a top priority. Financial institutions are often connected across borders—through parent institutions, subsidiaries, counterparties in other jurisdictions, correspondent banks, and FMIs—and their ability to respond to and recover from attacks may rely on conditions or actions taken across borders. Very little infrastructure is currently in place to allow for necessary cooperation and information sharing to plan and implement effective response and recovery internationally.

25. Cybersecurity exercises are very effective resilience assessment tools for financial institutions and supervisors alike. These exercises are planned events during which an organization simulates a cyberattack that disrupts operations and tests its capabilities (for example, prevention, detection, mitigation, and response and recovery). An extension is “red-teaming,” in which a team employs the tactics, techniques, and procedures of real attackers to breach or circumvent an entity’s defenses, typically against live systems and without the foreknowledge of the defenders, so that detection and response are tested as well as prevention. Cybersecurity exercises can identify gaps in the operational resilience of institutions and of financial systems, helping to set priorities that strengthen response and recovery capabilities. Exercises can also point to gaps in information sharing arrangements and support collective action to address them.

D. Information Sharing

26. Information is the lifeblood of risk mitigation and is the basis for risk management and supervisory frameworks. Pooling information on cyber risks can enhance situational awareness, help detect new risks, and build better responses. Sharing information also reduces the cost of collection for all participants, including the financial sector.

27. There are currently, however, significant barriers to sharing—most importantly regulatory barriers and concerns about liability. Limitations on information sharing, particularly across borders, can increase vulnerabilities because information silos can be exploited by cyberattackers, who are able to work across jurisdictions with ease.

28. Information sharing in the realm of cybersecurity includes the following:

  • Threat Intelligence Information—Information on the source and nature of threats, including which groups may be targeting a specific set of institutions, the technology being targeted or used, and the intention behind the attacks. Threat intelligence information can also include high-frequency alerts, risk analytics, indicators, threat assessments, and analysis. This information gives financial institutions and supervisors a basis for monitoring and addressing vulnerabilities. Such information varies in depth and specificity and is typically shared on a continuous basis between trusted sources.

  • Incident Reporting—Information on an incident that has occurred, how it was addressed, and, where available, the resulting losses. Supervisors usually require reporting of incidents together with an account of how the financial institution is managing the situation.

  • Good Practices—Information on how cyber incidents are reported and analyzed, what incident response has been taken, and what the consequences have been. Good practices also extend to how resilience is being built in institutions through the financial system or how the supervisor is addressing the risk.17

  • Defense Techniques—Information on how an attack was prevented or contained, which may be shared at a technical level.

29. There are three broad channels of information sharing within the financial sector, and they are at different levels of maturity:18

  • Private Sector Institution to Private Sector Institution—The sharing of cybersecurity threat intelligence information between financial institutions within domestic financial sectors is well advanced in many financial systems, including among large global institutions. Sharing may be on an informal basis, such as through personal relationships between chief information security officers or on a more formal basis—for example, via multilateral platforms such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), which originated in the United States but now has global membership.19 Information is typically shared on a continuous basis in a trusted network and is highly valuable given its relevance to risk managers.

  • Private Sector Institution to Public Agency—Private financial institutions typically provide incident reports to their supervisors. Routine protocols for regulatory reporting, as well as the trusted relationship between supervisors and institutions, help support this exchange.

  • Public Sector to Public Sector Agencies—Financial supervisors may share incident reports and regulatory responses with other domestic agencies or with cross-border peers. Examples typically include sharing incident information between home and host supervisors.

30. Smooth sharing of information will require management of legal and reputational risks. Data are often protected by privacy regimes or national security frameworks, depending on the nature of the underlying information and the parties that are sharing. While most reporting regimes for cyber incidents provide some form of safe harbor for liability related to the incident itself, they generally do not protect the disclosing party from exposure of personal information, and it can be difficult to disentangle information on the incident from customer data, for example, which may entail some residual liability. Many aspects of information—in particular information that reveals vulnerabilities in an institution or information that is related to national security—can be sensitive and raise legal, security, and practical considerations. These sensitivities constrain information sharing between institutions, between financial institutions and national authorities, and, ultimately, international cooperation between national authorities. Financial institutions may also fear reputational risk arising from a successful cyberattack and may be reluctant to share information on any such incident.

31. The purpose of an information taxonomy for cybersecurity is to develop a structured approach to information and intelligence sharing. Once a taxonomy of cyber information is developed, other questions, such as “why share, what to share, who to share with, how to share, and when to share,” can be more effectively answered (Table 1).20

Table 1. High-Level Categorization of Information Sharing [table image not reproduced in this extraction]

32. Promoting trusted information sharing among private and public institutions can help overcome resistance. Platforms where threat intelligence is shared on a continuous basis establish efficient and long-standing relationships that build trust. For example, the FS-ISAC has developed a network for central banks, regulators, and supervisory authorities (the CERES Forum)21 for members to receive timely, targeted information; tools and resources about cybersecurity threats; and threat mitigation strategies. Other examples of international arrangements for information sharing include those in place for SWIFT and the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB) Cyber Information and Intelligence Sharing Initiative.22 Data sharing also enhances quantitative financial stability analysis and stress testing whereby financial institutions can leverage existing data consortia platforms.23 If trusted networks between financial institutions are not already in place, central banks and supervisors can play a convening role to help promote such arrangements. Supervisory colleges can also be leveraged to share information and build trust.

33. Establishing a globally agreed template for cybersecurity information sharing using a common taxonomy would be helpful. While there is some convergence in definitions—such as what constitutes an incident that must be reported, what type of incident it was, and how to express the response—there is still a lack of commonality, which undermines effective sharing. A common taxonomy of cybersecurity information could support agreement and implementation of a standardized template for incident reporting. The development of a template could draw on the high-level categorization in this note (Table 1) and could make use of the FSB’s cyber lexicon, which comprises a set of core terms related to cybersecurity in the financial sector. The template could be used as a one-stop-shop mechanism so that firms report incidents to their “home” or “lead” supervisor or authority, which would then coordinate with other supervisors and authorities. The template could also help ensure two-way information sharing so that not only do financial institutions report incidents to supervisors but information also flows in the other direction, alerting institutions to emerging issues, threats, or counterthreat measures as soon as possible.24

E. Deterring Cyber Threats

34. Cyberattacks are a global phenomenon that presents significant challenges to law enforcement, especially at the international level. The constant, rapid evolution of hacking technologies makes policing, prosecution, and sanction and asset recovery work difficult, even though there has been some success. Indeed, there are recent examples of successful cross-border investigations, such as Operation Taiex in March 2019, which led to the arrest of the organizer behind the Carbanak and Cobalt malware attacks on over 100 financial institutions worldwide. This operation included multiple law enforcement agencies and national authorities as well as private cybersecurity companies. Investigators found that the attackers were operating in at least 15 countries.

35. International agreement on addressing cyberattacks is a politically sensitive topic. The 2001 Budapest Convention is the only binding multilateral agreement aimed at combating cybercrime.25 Offenses under the convention include (1) offenses against the confidentiality, integrity, and availability of computer data and systems; (2) computer-related offenses; (3) content-related offenses; and (4) criminal copyright infringement. In November 2019 a United Nations cybercrime resolution set up a drafting group to establish terms of reference for a new global cybercrime treaty. The international constituency is divided, however, over fears of criminalizing ordinary online activities of individuals and organizations through cybercrime laws.26

36. Cyberattacks generate a significant amount of illegal proceeds every year in advanced and developing economies alike. Although cyberattacks may be committed for a range of motives (for example, political, competition, cyber war), many are profit-driven: some studies estimate that ransomware incidents alone generate some $1 billion in illegal proceeds every year (McGuire 2018). Developing economies face huge challenges as attackers exploit underinvestment in defenses and may even use these economies as testing grounds for new techniques. The proliferation of digital currencies that, when unregulated, provide anonymity and make it difficult, if not impossible, to trace the beneficial owner or end receiver of funds makes it easier to generate and launder the proceeds of crime. In this context, the effective implementation of a comprehensive anti–money laundering and combating the financing of terrorism (AML/CFT) framework in all countries is crucial. In particular, requirements that private sector firms, such as banks, identify their customers, maintain relevant records, monitor transactions, and report suspicious transactions to the relevant authority are essential to prevent and combat cybercrime and the laundering of its proceeds. Sound AML/CFT frameworks also help with the recovery of the illegal proceeds of cybercrime.

37. Cyberattacks should be made both expensive and risky through effective measures to seize and confiscate the proceeds of crime, as well as to identify and sanction bad actors. Success in this respect is predicated on effective international cooperation; that is, information sharing and formal mutual legal assistance—otherwise cybercriminals simply shift operations to jurisdictions that do not cooperate effectively.

International Organizations and Cyber Risk in the Financial Sector

The international standard-setting bodies—the Financial Stability Board (FSB), Basel Committee on Banking Supervision (BCBS), Committee on Payments and Market Infrastructures (CPMI), and International Organization of Securities Commissions (IOSCO), among others—together with the G7, have focused on developing a common language and approach to the regulation and supervision of cyber risk management in financial institutions. These efforts include the FSB Cyber Lexicon (FSB 2018) and Cyber Incident Response and Recovery toolkit (FSB 2020), the BCBS Cyber Resilience Range of Practices (BIS 2018), the CPMI/IOSCO principles for financial market infrastructures (CPSS 2012), and the associated guidance on cyber resilience (BIS CPMI and IOSCO 2016); together they form the foundation of global regulatory and supervisory standards that support consistency.

International financial institutions, including the World Bank, Inter-American Development Bank, and IMF, are focused on capacity development efforts. The IMF has concentrated on financial supervisors in low-income countries (Gaidosch and others 2019), on incorporating cyber risk into financial sector surveillance, on developing analytical tools to assist capacity development and surveillance, and on engagement in international policy discussions and regulatory initiatives to support member countries (Lipton 2020). An annual workshop for supervisors in low-income countries was launched in 2017, providing a forum for the sharing of experience by authorities at the forefront of addressing cyber risks. Workshops through the IMF’s regional technical assistance centers are targeted to the particular needs of the region, and bilateral technical assistance has focused on improving national regulatory and supervisory frameworks. Initial efforts are working on the incorporation of cyber stress testing and cyber risk supervision in the Financial Sector Assessment Program (FSAP) and on addressing analytical gaps.1 A pilot exercise on the supervision of cyber risk as part of an FSAP is underway—with the first completed in Norway in 2020.2

The World Economic Forum and the Carnegie Endowment for International Peace, among other international groups, engage in public-private-sector work on cyber risk aimed at developing common standards and practices across the financial industry. Private sector and nonprofit organizations such as the Global Cyber Alliance, Cyber Defence Alliance, Financial Services Information Sharing and Analysis Center, and the Cyber Risk Institute promote information sharing and work with public sector entities to reduce inconsistencies and promote information sharing and cooperation between institutions.

1 Examples of publications in this field include Goh and others (2020) and Bouveret (2018).

2 See IMF (2020). Findings provided insight into avenues for improvement in Norway and allowed the FSAP to connect channels of contagion to an overall assessment of cyber risk. In addition, the 2019 Singapore FSAP assessed cyber risk as a key part of financial stability analysis and stress testing, investigated an institutional framework for cybersecurity, and proposed two (out of eight) key recommendations: one on developing a cyber network map and the other on enhancing the cyber resiliency of the central bank and the real-time gross settlement system.

Areas for Future Work

38. As we have seen, cyber risk is a global financial stability issue that demands a unified global effort. Financial sector supervisors are working to improve and enhance regulatory frameworks and supervisory practices to address the risks from cybersecurity threats, but this work demands additional international focus to tackle gaps and inefficiencies and to ensure that emerging market and developing economies do not fall further behind. Our analysis suggests the following priority areas for further work:

Improving Cyber Risk Analysis and Integration into Financial Stability Analysis

39. Use of tools such as cyber mapping, stress testing, and improvements to the quantification of the potential impact of cyber incidents would enhance financial stability analysis, provide additional focus for the mitigation of cyber risks, and support the efficient allocation of resources. This work is being pioneered in central banks in many countries as well as by international financial institutions, including the IMF. Additional and sustained effort could produce significant gains in understanding the nature of the threat and appropriate avenues of response.

Greater Consistency in Regulatory Frameworks

40. Financial supervisors could develop and promote greater consistency in the design and implementation of national cybersecurity regulatory frameworks. Building on work by the FSB to introduce a cyber lexicon and effective practices in recovery and response, international standard setters across the financial sector could further improve the consistency of regulatory frameworks. This would support efforts to enhance information sharing, foster greater cooperation in response and recovery, and reduce the compliance burden on institutions. Outreach by international standard-setting bodies and others and capacity development by international financial institutions and other providers, as well as through public-private partnerships, could promote the broad use of international standards, building quality and consistency and establishing a global basis for information sharing and cooperation.

Enhancing Operational Resilience, Response, and Recovery

41. Development and testing of national and cross-border response protocols would significantly improve the ability of authorities to successfully respond to cyber incidents. Supervisors could require that financial institutions develop and test response and recovery procedures to ensure that firms remain operational even in the event of a major incident. National authorities could also work on developing clear and effective response protocols to potential crisis scenarios that may spill over to the entire financial sector and ensure that the financial system can continue to function. These would be tested regularly. Regional and international protocols for cross-border crisis management could be developed and regularly tested; for example, via national and international cyber crisis exercises.

Strengthening Information Sharing

42. Addressing obstacles to the exchange of cybersecurity-related information is instrumental in promoting cybersecurity. Obstacles to sharing should be identified and addressed cooperatively by financial institutions and supervisors. Working together, private and public sector actors could agree on what to share, when to share, how to share, and who to share with. Central banks, policymakers, and supervisors would actively encourage and support financial institutions’ establishing and utilizing information sharing platforms that build trust. A commonly agreed on and internationally used template for information sharing built on a clear lexicon would also greatly reduce barriers to sharing.

Intensifying the Defense against Cyberattacks

43. Building strong domestic capabilities and enhanced cross-border coordination of investigation and enforcement against cyberattacks would strengthen deterrence. Law enforcement agencies are working together across the globe, but this must be intensified and barriers to information sharing reduced. More effective implementation of sound domestic AML/CFT frameworks would strengthen the prevention of cybercrimes and the laundering of their proceeds, bolster law enforcement action when attacks do occur, provide channels for information sharing, facilitate the recovery of their proceeds, and ultimately reduce opportunities for cybercrimes.

Capacity Development

44. Building skills, resources, and operational capacity in all countries would have a global impact. Cyber risk affects both advanced economies and low-income countries. Countries that fall behind in their ability to resist and respond to attacks will suffer disproportionately as other countries build stronger defenses. At the same time, attacks on countries strongly linked to the global financial system could spill over to others and endanger global financial stability. The international community has various programs in place to assist low-income countries with the development of technical skills and resources, but additional attention to capacity and global financial stability concerns would have benefits for the global community as a whole. International financial institutions, including the IMF, have an important role to play in supporting capacity building and delivering technical assistance to financial supervisors and central banks in developing economies to help them in their efforts to identify, measure, monitor, and address the risks to financial stability posed by cyber risks. This is imperative in an environment where the increasing digitalization of financial services delivery and the entry of many new providers may present new vulnerabilities.

Cyber Risk and Financial Stability: It’s a Small World After All. Authors: Frank Adelmann, Jennifer A. Elliott, Ibrahim Ergen, Tamas Gaidosch, Nigel Jenkinson, Tanai Khiaonarong, Anastasiia Morozova, Nadine Schwarz, and Christopher Wilson.