Information and communication technology have become a central part of social, cultural and economic life for an increasing number of businesses and individuals. Banking and financial services have seen enormous innovations in recent years in the use of technology.
Technology has given birth to a new era in banking that brings efficiency gains for financial institutions, improved access to services by consumers and fosters financial inclusion. In the field of payments, services are increasingly instant, 24/7 and globally available. Non-bank participants, meanwhile, are disrupting traditional intermediation. Artificial intelligence and machine learning are just two of the innovations promising to revolutionise financial services.
However, revolution and evolution create a range of new and partially understood risks that evolve quickly, while not eliminating all the old ones. In a world that is rapidly becoming more digitalised, reliant on data and increasingly interconnected, a key concern for policymakers is the link between cyber risk and financial stability. The financial services sector has traditionally been a magnet for cyberattacks due to both the attractiveness of financial gain and access to confidential financial data.
The link between cyber risk and financial stability could be through a range of transmission channels such as interconnectedness, confidence and data integrity. There is even the potential dynamic of a cyber-triggered bank run.
Post-2008 and the Great Financial Crisis (GFC), regulatory reforms have focused on both individual firm safety and soundness as well as the potential impact that distress at global systemically important banks (G-SIFIs) imposes on financial stability or the global economy. More specifically, a key focus has been on (1) enhancing the resiliency of individual banks, especially G-SIFIs, to lower the probability of failure or inability to serve as an intermediary of critical services and (2) reducing the impact on the financial system or economy in the event of failure or material weakness.
Cyber Risk Complexities and Challenges
Within this context, cyber risk is viewed through the lens of operational resiliency, where a cyberattack threatens the ability of a firm to provide critical financial services. It takes into consideration the firm’s immediate business partners, including counterparties and third parties to which certain cyber-security activities, like threat monitoring or data storing, have been outsourced.
However, the true aggregation of risks related to cyberspace goes well beyond other operational shocks such as those related to natural events or human error. The issue of interconnected networks and the rapid concentration of third-party service providers introduces a new dimension to risk. For example, there are risks stemming from upstream infrastructure (e.g., electricity, water supply, financial market infrastructures) or technological externalities (e.g., the entry of disruptive new technologies) which are outside the control of individual firms.
While ransomware and malware such as the 2017 Wannacry and NotPetya attacks demonstrated the importance of restricting administrator privileges, they clearly show that the threat is getting ever more sophisticated. For example, NotPetya malware searched infected systems for common administrator tools which it could then take over. The attack also highlighted the need for firms to look at other forms of security like endpoint monitoring, network zoning and security intelligence platforms.
Cyberattacks, by definition, involve an intention to steal data rather than solely direct monetary theft. They are intended to disrupt business operations, or corrupt or destroy data. They are planned over longer periods, are targeted and are deliberate and intentional. In addition, during a cyber event, the adversary is likely to evolve and may even actively respond.
Cyber events are also driven by nation states, organised crime and political activists. In the case of state-sponsored cyberattacks, a bank may or may not be the intended target. To this end, cyber risk management or cybersecurity is not purely about protection but also about response and recovery.
One the key lessons learned from the 2017 NotPetya attack in Ukraine that crippled Maersk, the world’s largest container company by both fleet size and cargo capacity, for almost 14 days, was that business may not be the intended target in cyber warfare. However, they may be collateral damage. In fact, Mondelez, the maker of Oreos and Cadbury chocolate, has brought a $100 million lawsuit against Zurich Insurance Group for damages related to NotPetya. In June 2018, Zurich countered that NotPetya fell under an exclusion in the insurance policy covering “hostile or warlike action in time of peace or war,” which meant the insurer did not have to make good on the claim.
In banking and finance, data confidentiality, integrity and availability are paramount. Confidentiality is about making sure information is restricted, so it only reaches its targeted audience and does not fall into the wrong hands. Integrity involves maintaining the consistency, accuracy and trustworthiness of data. Availability is about making sure information is available to read and use whenever we want. In cases of cyberattacks that involve data corruption or destructive malware, a bank may be slow in its response or its recovery may be impaired, and this can have an immediate and devastating impact on public confidence. For example, the ability to respond and recover may be disrupted if there is data destruction or corruption in a scenario that is also likely to include considerable uncertainty.
How should banks protect themselves and respond to cyber threats and attacks?
An effective risk management framework with appropriate governance and controls is one way to mitigate cyber risks. Banks and financial institutions must ensure that systems, processes and people are in place to deal with the inevitable attack. As noted above, a key focus of post-GFC regulatory reforms is to promote financial stability and promote financial resilience. From this perspective, strong cyber governance and controls are seen as critical to promoting and supporting operational resilience. To this end, banks and other financial institutions are investing heavily in resource and management capabilities in terms of technology, process and personnel. According to the 2018 Thales Data Threat Report – Financial Services Edition, global spending on cybersecurity through 2021 is estimated as high as $1 trillion.
Cybersecurity is more than protection, prevention and detection. It includes a comprehensive process to assess cyber-related capabilities; identification of gaps in business resilience requirements such as recovery time objectives; risk monitoring and testing programs; and management reporting to facilitate appropriate prioritization. Moreover, bank resiliency increasingly depends on the resiliency of third-party service providers.
Cybersecurity is also more than ensuring that a bank’s infrastructure is running up-to-date and fully patched systems. Banks should consider all critical systems required to keep their business operating as well as consider how to isolate systems that are compromised or may have been compromised in a cyber incident or fast-moving situation.
It also means having competent and qualified IT, cybersecurity, business and products personnel in place. Cyber security requires a different set of skills and abilities including systems development and acquisition lifecycles; general enterprise architecture and IT governance; and IT service management sub-disciplines such as asset management and configuration management. Even within the technology fields, cybersecurity efforts involve specialised disciplines that are not usually addressed by general IT experts related to perimeter defence, endpoint security and authentication. Acquiring and retaining the critical talent for these activities is a growing challenge. Banks should have well-trained staff who are not afraid to blow the whistle when they believe something will threaten the security of the business.
Cyber risk management requires banks to stay up to date with the latest types of attack. This requires investment in automated and intelligent cyber security management. Systems must be such that cybersecurity personnel and management are quickly alerted if there are any breaches in security within the first few minutes, or even hours. Systems must be responsive enough to effectively run during very fast-moving situation as well as provide a record of exactly how the incident unravels. This will allow banks to further improve defences and responses to the next incident.
Targets should always assume that an attack will get through eventually. To this end, systems should be properly and frequently backed up. Frequent fire drills should be conducted to practise restoring everything from back-ups. Banks should keep a log on how long it would take to get systems, and data, back up and running from those systems. In the case of Maersk’s, it took more than ten (10) days for the firm to return to normalcy as after the NotPetya attack because even back-up files were contaminated. In this regard, it is also imperative that banks and other financial institutions have an incident response plan and practise them. The plan should consider:
- Who will be involved?
- How they will communicate?
- Which partner companies can help in business restoration?
- What will be the impact of a firm’s failure on its business supply chain?
- How prepared are business partners if they get hit?
- Is there a need to talk to regulators or law enforcement?
Finally, protection is important but equally critical is a strong recovery process. For Maersk, recovery operation relied heavily on human resilience. Not all cyberattacks are targeted and banks may find themselves the unintended victims (collateral) of these events. Therefore, banks should not approach their cyber defences as if hackers will specifically target them.
While protecting networks and critical systems is the ultimate goal, equally important is having a data recovery plan in place. In the event of the worst happening and critical services being knocked out, banks should consider how they would continue to operate and carry on its banking business. To this end, banks’ management must have the ability to really understand their core business processes. They need to know everything about the systems and applications which run their operations.
Finally, they must have a good understanding of the criticality of all systems and applications and understand how to protect, secure and recover from cyber events. This requires more of a balance between the preventative and the recovery measures.
Useful Readings and Reference:
1. “A handful of cyber – five key issues for international cooperation”, speech by Mr Agustín Carstens, General Manager of the BIS, at the conference on “Cybersecurity: coordinating efforts to protect the financial sector in the global economy”, Paris, 10 May 2019. https://www.bis.org/speeches/sp190529.htm.
2. “Thoughts on cybersecurity from a supervisory perspective”, Remarks by Mr Kevin Stiroh, Executive Vice President of the Financial Institution Supervision Group of the Federal Reserve Bank of New York, at SIPA’s Cyber Risk to Financial Stability: State-of-the-Field Conference 2019, Federal Reserve Bank of New York, New York City, 12 April 2019. https://www.bis.org/review/r190430l.pdf
3. Bouveret, Antoine (2018), “Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment”, IMF Working Paper WP/18/143. https://www.imf.org/~/media/Files/Publications/WP/2018/wp18143.ashx.
4. Grasshoff, Gerold, Bohmayr, Walter, Papritz, Marc, Leiendecker, Jannik, Dombard, Fabien and Bizimis, Ioannis (2018), “Banking’s Cybersecurity Blind Spot—and How to Fix It”. https://www.bcg.com/publications/2018/banking-cybersecurity-blind-spot-how-to-fix-it.aspx
5. Accenture (2017), “The Convergence of Operational Risk and Cyber Security”. https://www.accenture.com/t20170803T055319Z__w__/us-en/_acnmedia/PDF-7/Accenture-Cyber-Risk-Convergence-Of-Operational-Risk-And-Cyber-Security.pdf
6. Kopp, Emanuel, Kaffenberger, Lincoln and Wilson, Christopher (2017), “Cyber Risk, Market Failures, and Financial Stability”, IMF Working Paper WP/17/185. https://www.imf.org/~/media/Files/Publications/WP/2017/wp17185.ashx.
7. Institute of International Finance (2017), “Cyber Security & Financial Stability: How Cyber-Attacks could Materially impact the Global Financial System”, https://www.iif.com/Portals/0/Files/IIF%20Cyber%20Financial%20Stability%20Paper%20Final%2009%2007%202017.pdf?ver=2019-02-19-150125-767
Mark is a Senior Financial Sector Specialist in the Financial Stability, Supervision and Payments pillar at the SEACEN Centre.