Cyber Risk is the New Threat to Financial Stability

By Jennifer Elliott and Nigel Jenkinson

Many of us take for granted the ability to withdraw money from our bank account, wire it to family in another country, and pay bills online. Amid the global pandemic, we’ve seen how much digital connection matters to our everyday life. But what if a cyberattack takes the bank down and a remittance doesn’t go through?

As we become more reliant on digital banking and payments, the number of cyberattacks has tripled over the last decade, and financial services is the most targeted industry.

Given strong financial and technological interconnections, a successful attack on a major financial institution, or on a core system or service used by many, could quickly spread through the entire financial system, causing widespread disruption and loss of confidence. Transactions could fail as liquidity is trapped, and households and companies could lose access to deposits and payments. Under extreme scenarios, investors and depositors may demand their funds or try to cancel their accounts or other services and products they regularly use.

Hacking tools are now cheaper, simpler and more powerful, allowing lower-skilled hackers to do more damage at a fraction of the previous cost. The expansion of mobile-based services (the only technological platform available for many people) increases the opportunities for hackers. Attackers target large and small institutions, rich and poor countries, and operate without borders. Fighting cybercrime and reducing risk must therefore be a shared undertaking across and inside countries.

While the daily foundational risk management work — maintaining networks, updating software and enforcing strong ‘cyber hygiene’ — remains with financial institutions, there is also a need to address common challenges and recognize the spillovers and interconnections across the financial system. Individual firm incentives to invest in protection are not enough; regulation and public policy intervention are needed to guard against underinvestment and protect the broader financial system from the consequences of an attack.

In our view, many national financial systems are not yet ready to manage attacks, while international coordination is still weak. In new IMF staff research, we suggest six major strategies that would considerably strengthen cybersecurity and improve financial stability worldwide.

Cyber mapping and risk quantification

The global financial system’s interdependencies can be better understood by mapping key operational and technological interconnections and critical infrastructure. Better incorporating cyber risk into financial stability analysis will improve the ability to understand and mitigate system-wide risk. Quantifying the potential impact will help focus the response and promote stronger commitment to the issue. Work in this area is nascent—in part due to data shortcomings on the impact of cyber events and modelling challenges—but must be accelerated to reflect its growing importance.

Converging regulation

More internationally consistent regulation and supervision will reduce compliance costs and build a platform for stronger cross-border cooperation. International bodies such as the Financial Stability Board, Committee on Payments and Market Infrastructure, and Basel Committee have begun to strengthen coordination and foster convergence. National authorities need to work together on implementation.

Capacity to respond

As cyberattacks become increasingly common, the financial system has to be able to resume operations quickly even in the face of a successful attack, safeguarding stability. So-called response and recovery strategies are still incipient, particularly in low-income countries, which need support in developing them. International arrangements are necessary to support response and recovery in cross-border institutions and services.

Willingness to share

More information-sharing on threats, attacks, and responses across the private and the public sectors will enhance the ability to deter and respond effectively. Yet, serious barriers remain, often stemming from national security concerns and data protection laws. Supervisors and central banks need to develop information sharing protocols and practices that work effectively within these constraints. A globally agreed template for information sharing, increased use of common information platforms, and expansion of trusted networks could all reduce barriers.

Stronger deterrence

Cyberattacks should become more expensive and riskier through effective measures to confiscate crime proceeds and prosecute criminals. Stepping up international efforts to prevent, disrupt and deter attackers would reduce the threat at its source. This requires strong co-operation between law enforcement agencies and national authorities responsible for critical infrastructure or security, across countries and agencies. Since hackers know no borders, global crime requires global enforcement.

Capacity development

Helping developing and emerging economies build cybersecurity capacity will strengthen financial stability and support financial inclusion. Low-income countries are particularly vulnerable to cyber risk. The COVID-19 crisis has highlighted the decisive role that connectivity plays in the developing world. Harnessing technology safely and securely will continue to be central to development, and with it comes a need to ensure that cyber risk is addressed. As with any virus, the proliferation of cyber threats in any given country makes the rest of the world less safe.

Addressing all these gaps will require a collaborative effort from standard-setting bodies, national regulators, supervisors, industry associations, the private sector, law enforcement, international organizations, and other capacity development providers and donors. The IMF is focusing its efforts on low-income countries, by providing capacity development to financial supervisors, and by bringing the issues and perspectives of these countries to the international bodies and policy discussions in which they are not adequately represented.

