The ransomware attack on the Industrial and Commercial Bank of China, which resulted in a disrupted US Treasury market in November, provides yet another example of the issues the financial sector faces when dealing with cyberattacks.
Cyberattacks pose substantive risks to individual institutions and the financial system at large. Attacks – from state actors, criminal groups or individual hackers – can take the form of cash theft, data corruption, payment disruption and leakage of the often highly sensitive information financial institutions hold.
The transmission of such cyberattacks into threats to financial stability primarily occurs through a breakdown of trust. A loss of confidence in financial markets and the economy poses liquidity risks, spurring bank runs, capital flight and broad market panic. Such a contagion could create losses and significant price fluctuations.
Yet there are additional transmission risks that are under-discussed. Chief among them is the issue of financial market concentration. Many emerging markets are digitalising their financial sectors without adequate protection against cybercrime. If developed markets can more adequately protect their financial system from attacks, this might spur a movement of activity towards those markets and their local currencies.
At an individual bank level, the mechanism is the same. Banks with worse cybersecurity protections may see their demand fall in favour of those with better records. This may kindle trends observed in the US, where smaller regional banks have teetered as major institutions experience an influx of demand. These shifts were similarly spurred by a loss of confidence in smaller, more risk-prone banks.
The irony is that this concentration – at both the bank and individual country market level – poses new risks. Although it may be harder to attack larger and better-resourced institutions and markets, the impact of a hacker successfully doing so would be far more damaging, especially amid higher concentration.
Financial firms are investing heavily in cybersecurity. Yet artificial intelligence-enabled malware and hacking tools can be a leveller. Amid a rapidly changing technological landscape, there is a risk that banks will not adequately anticipate the methods of attack that hackers will use.
Cybercrime risk mitigation can involve a cocktail of encryption, multi-factor authentication, hardware security modules, collaboration with cybersecurity consultants or experts and the use of the cloud. Though it is difficult to draw neat comparisons, many central banks appear to be lagging in the development of these sorts of rigorous cybersecurity provisions. However, there is a lot of variation across institutions, markets and regions. Some financial institutions additionally offer stress testing, which involves assessing how rapidly they could deploy liquidity, capital and key services in the event of a compromising cyberattack.
What should be done?
Cybersecurity should be included explicitly within assessments of financial stability risk. Engaging in cybersecurity stress testing is a good start, but more needs to be done to quantify the potential impact of a major attack. Better data and modelling techniques are likely to help since they allow institutions to understand the costs of attacks more effectively and determine how best to respond.
Relatedly, there is a need for greater regulatory convergence to create international co-operation and shore up the financial system in the face of growing attacks, which would hurt the global flow of capital and trade. Sharing information – between countries as well as between the private and public sectors – can help protect institutions from attacks. Overcoming barriers emerging from uneven regulation could involve smoothing out global national security and data protection laws.
Perhaps most important for financial firms and central banks is to seriously consider their response in the event of a successful attack. Complete deterrence of all cyberattacks may be impossible using existing technology. Yet financial institutions can help protect global financial stability in the face of such attacks by ensuring that they will always be able to resume operations quickly. Doing so can avert some of the risks associated with market panic and loss of confidence, as well as the implications for liquidity and capital flows. The importance of adopting such tests may be greatest for smaller markets where attacks could be more likely to succeed – due to more limited infrastructure – and spur capital flight.
Greater deterrence may help with this. Global efforts – such as identifying and disrupting cyberattackers – could make cybercrime riskier and more expensive.
AI could also be leveraged. Cyber criminals are using AI tools to bolster the effectiveness of cyberattacks. As these AI systems become more complex and robust, financial institutions may find that developing their AI-enabled cybersecurity system is the best way to combat attacks from weaker AIs. Given the speed and sophistication with which the most advanced AI systems can hack, it may be that the best police for an AI hacker is a more powerful AI.
Finally, blockchain-based initiatives theoretically could help protect financial institutions from cybercrime. Distributed ledger technology provides significant protections that other payment systems do not. Proposals such as Worldcoin – a cryptocurrency project – could greatly reduce fraud through biometric-based payment verification. Yet there are risks to the further deployment of blockchain-based solutions.
There is considerable heterogeneity across the financial system. Large banks tend to have highly advanced cybersecurity provisions, while smaller ones are likely to have ‘weaker’ systems because they have invested less in protections. Yet determining what counts as a ‘strong’ versus ‘weak’ system is not always obvious. There is similar variation across global central banks, with smaller market central banks having less robust cybersecurity.
Cybersecurity regulations and safety at the global and individual financial market levels remain underdeveloped. Over half of central banks or supervisory authorities do not have a national cyber strategy for the financial sector, and just under half have no cybercrime regulations. Regulatory harmonisation between countries remains weak. However, some global institutions – such as the Financial Stability Board, Committee on Payments and Market Infrastructure and Basel Committee – have begun to strengthen coordination and foster convergence in regulation.
Julian Jacobs is Senior Economist at OMFIF.