Financial Sector Cyberattack Risks Growing

A new report from the International Monetary Fund (IMF) reveals that the pace of cyberattacks has almost doubled since before the COVID-19 pandemic, and that nearly one-fifth of all cyber incidents are affecting financial firms.

The report notes that the financial sector is “highly exposed to cyber risk,” with banks being the most frequent targets, followed by insurers and asset managers.

“JPMorgan Chase, for example, the largest US bank, recently reported experiencing 45 billion cyber events per day while spending $15 billion on technology every year and employing 62,000 technologists, many focused on cybersecurity,” the report says.

“Although cyber incidents have thus far not been systemic, severe incidents at major financial institutions could pose an acute threat to macrofinancial stability through a loss of confidence, the disruption of critical services, and because of technological and financial interconnectedness,” the report adds.

The IMF found that although most reported losses from cyberattacks are small – about $0.5 million – the risk of extreme losses – greater than $2.5 billion – has increased.

Specifically, the maximum loss expected to occur in a country in a given year has more than doubled since 2017 – from $58 million to $141 million in 2021. Additionally, the report says that a cyber incident is expected to result in a $2.5 billion loss once every 10 years.

The estimated maximum losses in a year for financial firms are comparable – about $152 million in a median year and up to $2.2 billion once every 10 years.

The report notes that financial institutions are at an increased risk of cyber incidents due to certain characteristics, such as their increased dependence on common third-party IT providers.

“Although third-party IT providers can benefit financial institutions, such as with improved operational resilience, they also carry risks,” the report says. “If not properly managed, a high degree of overlap in the provision of third-party services could expose the financial system to common shocks, disrupt critical services in the event of cyber incidents, and pose significant risk to financial institutions and financial stability.”

The report offers several policy recommendations for governments, such as developing an adequate national cybersecurity strategy, putting in place appropriate regulatory and supervisory frameworks, creating a capable cybersecurity workforce, and building domestic and international information-sharing arrangements.

Additionally, it recommends that financial firms develop and test cyber incident response and recovery procedures. National authorities, it recommends, should also develop effective response protocols for systemic cyber crises.