Back Matter
Authors: Frank Adelmann (International Monetary Fund), Ibrahim Ergen, Tamas Gaidosch (International Monetary Fund), Nigel Jenkinson (International Monetary Fund), Anastasiia Morozova (International Monetary Fund), Nadine Schwarz, and Christopher Wilson
International Monetary Fund ISNI: 0000000404811396 (https://isni.org/isni/0000000404811396)
Appendix I. Financial Market Infrastructures (FMIs)

1. Successful cyberattacks on FMIs [27] have the potential to transmit shocks to direct participants, other FMIs and their customers, and markets. FMIs are key nodes in the financial system, often connected to most participants, responsible for a large volume of transactions daily and highly dependent on technology—making them a serious cyber risk concern. Possible scenarios for a successful attack involve confidentiality, service availability, and integrity [28]. A successful cyberattack on a systemically important payment system that processes large-value and time-critical transactions could transmit disruption to the entire financial system (across borders as well as domestically) with system, institutional, and environmental interdependencies (Figure 6) [29].

Figure 6. Cyberattack on Payment Systems and Possible Transmission Paths (image not reproduced in this text)

Citation: Staff Discussion Notes 2020, 007; 10.5089/9781513512297.006.A999

Source: IMF staff.

2. Cyberattacks against systemic banks can result in significant spillovers in the wholesale payment network. According to a recent Federal Reserve System study (Eisenbach, Kovner, and Lee 2020), the impairment of any of the five most active US banks can affect as much as 38 percent of the network. Using a reverse stress test, the authors also found that interruptions originating in some banks with less than $10 billion in assets may be sufficient to impair a significant proportion of the system.

3. FMIs have been identified as critical infrastructures in some jurisdictions, requiring incident reporting and regulatory cooperation with the national cybersecurity agency. FMIs are highly concentrated, connected, and systemic, and because of their unique role and characteristics, cyber threats to FMIs are increasingly considered a key risk to financial stability.

4. Global efforts have aimed to further secure the core and peripheral parts of FMIs. At the core, FMIs are normally required to have comprehensive information security policies, standards, practices, and controls as part of their operational risk-management framework [30]. FMI critical service providers (CSPs) such as IT and messaging services are also expected to meet the same standards on information security to ensure continuous and adequate performance [31]. Further guidance focuses on governance, risk management frameworks, settlement finality, operational risks, and FMI links [32]. At the periphery, enhancing endpoint security at banks, FMIs, and nonbank financial institutions is aimed at reducing the risk of wholesale payment fraud [33].

5. Some central banks have moved swiftly to strengthen the governance and cyber resilience of payment systems since the issuance of international guidance. This includes establishing a cyber resiliency framework that comprises critical infrastructure such as central-bank-operated FMIs. Efforts to manage potential operational risks stemming from cyber risks have also been made, including expanding surveillance coverage, reinforcing protection capabilities, reducing time to recover, and developing cyber competencies. An approach developed by the European Central Bank to operationalize the CPMI-IOSCO guidance outlines five primary risk management categories and three overarching components that should be addressed [34]. The risk management categories include (1) governance, (2) identification, (3) protection, (4) detection, and (5) response and recovery. The overarching components cover (1) testing, (2) situational awareness, and (3) learning and evolving. Although the approach was designed in the European Union, it could also be used by other authorities and FMIs.

6. Major efforts have also been made to improve CSP oversight and endpoint security. For example, for SWIFT, authorities committed to considering legal reviews to investigate how moral suasion could be combined with a regulatory backstop, broadening membership of the SWIFT Oversight Forum, and improving information sharing on SWIFT oversight and assurance reports. Authorities have also set oversight priorities to monitor the effectiveness of the SWIFT Customer Security Program [35].

Appendix II. Outsourcing and Third-Party Risk

7. Third-party risk management—including of cyber risk—is gaining importance as the number and scope of outsourced services continue to grow. Financial institutions use a wide and increasing range of third-party providers, with some often servicing a large portion of the sector. Both the risks connected with the outsourcing itself and increasing concentration in a limited number of providers create challenges for regulators and supervisors because they are key contributors to financial stability risk. Cybersecurity failures in a major third-party provider could have a very serious impact on the sector as a whole. The use of third-party service providers is not new, so many jurisdictions have detailed policies in place. These are the key aspects typically covered:

A. Soundness of governance arrangements in the outsourcing institutions
B. Adequacy of pre-outsourcing risk analysis, due diligence, and contracting
C. Security of information and systems
D. Notification procedures for sub-outsourcing
E. Robustness of operational resilience arrangements
F. Right to access and audit the vendor (both by the outsourcing institutions and the supervisor)
G. Effectiveness of termination rights and exit strategies

8. International bodies have made progress issuing guidance regarding third-party cyber risks, yet supervision in practice continues to prove challenging. Examples are the G7 fundamental elements for third-party cyber risk management in the financial sector [36] and the Financial Stability Board publication “Third-Party Dependencies in Cloud Services—Considerations on Financial Stability Implications” [37]. Critical vendors are typically not subject to the same depth of supervision as regulated financial institutions. While there is consensus that the responsibility for cybersecurity ultimately rests with the financial institution, supervisors have begun to discuss new ways of supervising these organizations. One model suggests that critical providers should be intensively supervised in the same way as utilities (such as energy)—that is, by a dedicated agency in charge of all critical infrastructure. Another model would entail the use of a trusted independent certification program, through which an agreed-on third party would set or attest to security standards in service providers. Yet another model calls for direct supervision by the financial sector supervisory agencies. This is an area calling for global cooperation since dominant service providers are global in nature.

1. This note has benefited from help and input from colleagues Yan Carriere-Swallow, Attila Csajbok, Andrew Giddings, Vikram Haksar, Barend Jansen, Yan Liu, Aditya Narain, Oluwakemi Okutubo, Miguel Otero-Fernandez, and Mario Tamez and from comments received in rounds of internal review. The authors would like to thank Thais Ferreira for excellent administrative support. Frank Adelmann and Ibrahim Ergen co-authored the SDN while serving as members of IMF staff.

2. The terminology in this staff discussion note is drawn from the Financial Stability Board’s Cyber Lexicon (see FSB 2018). “Cyber” relates to the interconnected infrastructure of information and communications systems, data, processes, and persons and their interactions. “Cybersecurity” means the preservation of confidentiality, integrity, and availability of this infrastructure; “cyber risk” is the probability and impact of events that jeopardize cybersecurity or violate security or acceptable use policies, whether resulting from malicious activity or not. We focus on malicious activity in this note. See also Carnegie Endowment for International Peace (2017).

3. The COVID-19 crisis has given rise to additional cyber risks as a result of greater reliance on remote working and mobile banking. See Adelmann and Gaidosch (2020) for a discussion and guidance on the challenges raised.

4. For example, Forbes reported in 2019 (see Doffman 2019) that more than 25 percent of all malware attacks hit banks and other financial services organizations, more than any other industry.

5. OFR Viewpoint 17-01 (Office of Financial Research 2017) identified the following three channels: loss of confidence, lack of substitutability, and loss of data integrity. However, loss of data integrity is a technical issue that leads to loss of confidence and thus is not a direct transmission channel.

8. On August 26, 2020, a large distributed denial of service (DDoS) attack affected the New Zealand stock exchange (NZX) network connectivity, and the NZX decided to halt the market in order to maintain market integrity. See https://www.nzx.com/.

9. While not a result of a cyberattack, the Google Cloud outage in 2019 is an example of how an operational risk incident can affect wide swaths of the digital economy (see Barrett 2019).

10. See Gaidosch and others (2019), Appendix 2, for more details.

12. Formerly, only banks that adopted the advanced measurement approach had to collect operational loss data.

13. The study covered 355 companies with a minimum of 5,000 employees in 16 industries across 11 jurisdictions.

14. There are many broadly accepted standards for the technical aspects of cybersecurity that can and should be relied on by regulators. The standards most accepted and used globally include the International Organization for Standardization (ISO) 270xx series; the National Institute of Standards and Technology (NIST) 800 series; Control Objectives for Information and Related Technology (COBIT); and sections of the Information Technology Infrastructure Library (ITIL). These standards are used across all industries. Most financial institutions use a mix-and-match approach, deriving internal policies and procedures from a range of international standards and national regulatory requirements (themselves often derivatives of these global standards) to best address their risk profile and risk tolerance.

15. Cyber resilience is an organization’s ability to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing, and rapidly recovering from cyber incidents.

16. To this end, the FSB’s work on cyber incident response and recovery can provide a common baseline of effective practices for the industry and regulators alike. See FSB (2019a) or the more recent FSB (2020).

17. It is recognized that regulated entities have broad and extensive reporting and information sharing responsibilities and requirements both in business-as-usual circumstances and during periods of stress, for example in relation to cybersecurity events such as a breach. The discussion focuses specifically on information sharing as it relates to cybersecurity.

18. This is an oversimplified presentation of information flows in the financial sector. In reality, there are many more channels, such as national security agencies, domestic critical infrastructure providers, third-party service providers, cybercrime agencies (domestic and international), and so on. Nonetheless, for simplicity the discussion has been significantly narrowed to support more concrete policy recommendations for financial sector agencies.

19. The FS-ISAC is a private sector information sharing platform that offers intelligence, resiliency resources, and a trusted peer-to-peer network of experts to anticipate, mitigate, and respond to cybersecurity threats.

20. The Federal Reserve Bank of Richmond organized a cyber risk workshop in 2019 to provide an open forum for discussion of the “Cyber Risk Definition and Classification for Financial Risk Management” white paper (the paper was subsequently updated in 2020). The white paper aims to define and classify cyber risk for the purpose of financial risk management. For more information on the event see https://www.richmondfed.org/conferences_and_events/banking/2019/20191120_cyber_risk_workshop.

21. The CERES Forum is an FS-ISAC group serving the needs of central banks, regulators, and supervisory entities. Information sharing among CERES Forum members occurs through a secure portal, coordinated conference calls, live events, and focused email distribution lists. For more information see https://www.fsisac.com/ceresforum.

22. SWIFT established the SWIFT Information Sharing and Analysis Centre (SWIFT ISAC) as a global portal available to the SWIFT community. The ECRB Cyber Information and Intelligence Sharing Initiative is an information and intelligence sharing initiative among ECRB member volunteers.

23. For example, Bouveret (2018) conducted analysis to estimate the potential loss to financial institutions from cyber threats using data obtained from the Operational Risk Exchange consortium.

24. The evolving nature of the cyber threat landscape and risk management techniques calls for a simple, agreed process to update information sharing platforms and templates.

25. An additional convention protocol was adopted in 2003.

26. The UN special rapporteur on the rights to freedom of peaceful assembly and of association noted in May 2019 that “A surge in legislation and policies aimed at combating cybercrime has also opened the door to punishing and surveilling activists and protesters in many countries around the world.” (UN 2019, 2)

27. FMIs refer to systemically important payment systems, central securities depositories, securities settlement systems, central counterparties, and trade repositories. For further information see BIS and IOSCO (2016).

Cyber Risk and Financial Stability: It’s a Small World After All
Authors: Frank Adelmann, Jennifer A. Elliott, Ibrahim Ergen, Tamas Gaidosch, Nigel Jenkinson, Tanai Khiaonarong, Anastasiia Morozova, Nadine Schwarz, and Christopher Wilson