a new analysis addressing the risks of cyber-attacks and their threat to the stability of global financial systems. As the pace of digital transformation in financial services has accelerated in recent years, cyber-attacks have quickly proliferated across financial systems, resulting in potential destabilization and disruption to both banks and their customers. These attacks have also been identified as one of the most serious threats to the world in the near future. According to the World Economic Forum report entitled “Global Risks in 2023”, cybersecurity risks ranked eighth among the top risks afflicting the world, and fourth among the risks threatening the business environment.
A study conducted by the Carnegie Endowment for International Peace in 2020 showed that the number of cyberattacks on financial institutions has quadrupled on an annual basis, with an average cost of $5.72 million in 2021. Data security has become a major challenge and foremost priority for the financial services sector, according to data acquired from IBM and Ponemon Institute. Despite these impending challenges, most financial institutions have not yet taken corrective steps to improve their cybersecurity and defense infrastructure.
In its analysis, the IDSC identified a major cybersecurity skills gap in the financial system. Despite recent interest in and awareness of cyber risks, many countries have yet to take the necessary precautionary measures to prevent and mitigate the impacts of these attacks. According to data from an International Monetary Fund survey of 51 countries in 2023, most financial officials in developing countries have yet to issue cybersecurity regulations or take decisive steps to enforce them.
Some telling statistics from the survey were as follows:
- 56% of central banks or supervisory authorities globally lack a national cyber strategy for the financial sector
- 42% lack a system dedicated to cybersecurity and technology risk management
- 68% lack a specialized risk unit
- Nearly 64% did not conduct cybersecurity exams
- 54% did not have a dedicated system for reporting cyber incidents
- 48% did not have cybercrime regulations
Given the relative lack of cyber-defense capabilities, cyber-attacks on organizations have increased dramatically. According to a Deloitte survey conducted in 2022, 34.5% of executives surveyed reported that attackers targeted their organizations’ accounting and financial data. In addition, 22% of this group experienced at least one data breach, with 12.5% experiencing multiple breaches. Most notably, approximately 48.8% of CEOs and other executives anticipated an increase in the size and number of cyber-attacks targeting their organizations’ accounting and financial data this year. Only 20.3% expected their company’s accounting and finance systems’ cybersecurity to perform well and consistently in comparison to their peers.
According to the IDSC, cybersecurity has long been a source of concern for the financial sector. Attempts to breach the IT systems of banks or other financial institutions carry a direct risk of bribery, espionage, geopolitical challenges, and terrorism. Lone actors may launch attacks to fraudulently embezzle money from individual bank accounts. Rival states and ideological opponents can also seek confidential data, disrupt financial systems, and instill fear among citizens.
Digital transformation processes in industries continue to accelerate and open up new opportunities in the post-COVID-19 era. On the other hand, they create new risks as groundbreaking technological advancement is linked to an exponential increase in risk factors and vulnerabilities within IT infrastructure. The IDSC’s analysis addressed the most serious cybersecurity threats to the financial sector and its stability in 2022, including state-sponsored attacks, ransomware, unencrypted data, and third-party software vulnerabilities.
Underinvestment in security software and reliance on multiple supply chain partners exacerbate the instability of IT systems. Every component of third-party software integrated into an enterprise environment introduces vulnerabilities that can be exploited, resulting in the theft of sensitive data, corruption or deletion of data, social engineering, and insider threats.
The Center presented a set of recommendations to improve financial institution cybersecurity within the analysis, noting that the rapid development of technology exposes greater IT vulnerabilities and makes tools for attackers cheaper and easier to obtain. In turn, this adds to the size of the challenges faced by financial institutions. While some financial institutions and regulators have become more aware of and prepared for cyber-attacks, cyber vulnerabilities continue to be a significant headwind for organizations. Consequently, financial institutions and regulators must prepare for these threats by prioritizing the development of a cybersecurity strategy for central banks, regulators, and financial firms. The cyber risk is multifaceted and necessitates stringent security within authority bodies, strong oversight through regulation, supervision, and market collaboration, as well as efforts to build capacity and expertise.
Furthermore, financial officials and businesses must shift their focus from traditional business continuity planning and disaster recovery to the development of resilient methods and innovative services in the event that attacks disrupt organizational operations. This flexibility necessitates the unanimous participation of senior corporate executives, financial regulators, and Board teams. In particular, regulators need to place a greater emphasis on the consideration of such adverse scenarios and the development of contingency plans when evaluating institutional operations.
Financial institutions must also work to promote resilient, secure systems as attacks grow more sophisticated and leverage social engineering to convince victims to provide sensitive information. Moreover, the majority of successful attacks are the result of routine errors, such as a failure to deploy patch updates or perform proper security configurations. In this context, standard practices for secure data handling and network security are critical and make a significant difference for businesses.
The international community must report cyber incidents and actively share information in order to improve the authorities’ ability to manage incidents globally. The Financial Stability Board’s incident reporting and knowledge sharing model is an important step towards improving cyber security.
Enhancing cyber security must also be prioritized at the senior leadership level in banks. Accordingly, banks should allocate resources and investments required to strengthen their cyber defenses, such as protecting web and mobile applications, identifying vulnerabilities, and reviewing existing cyber defenses on an ongoing basis to bridge gaps and course-correct on deficiencies.