18 November 2020

SUERF: Cyber risk in the financial sector


Cyber attacks on financial institutions and financial market infrastructures have become more frequent and sophisticated, prompting ever-larger investments and efforts.

This note explores causes, considers the specific vulnerabilities of the financial sector, examines costs and financial stability implications and outlines possible policy responses. International cooperation is key, as authorities face similar issues and cyber resilience is, fundamentally, a global public good.

 

1. Introduction

The financial sector has long been spearheading cyber security enhancements, with many regulatory and industry-wide initiatives. However, cyber attacks on financial institutions and financial market infrastructures (FMIs) have become more frequent and sophisticated, prompting ever-larger investments and efforts. In parallel, financial institutions, regulators, national governments and international groups have been working to improve overall operational resilience and ensure financial stability. The threat landscape has evolved further since the outbreak of the Covid-19 pandemic, not least due to the higher prevalence of work-from-home (WFH) arrangements and the associated demands on IT systems.

This note offers a taxonomy of cyber incidents. It explores causes, considers the specific vulnerabilities of the financial sector, examines costs and financial stability implications and outlines possible policy responses. International cooperation is key, as authorities face similar issues and cyber resilience is, fundamentally, a global public good (Carstens, 2019; Cœuré, 2019).


2. Cyber risk: taxonomy and specificity

Cyber risk is receiving growing attention. Graph 1 reports the number of online searches for “cyber risk” over the last decade and compares it with that for “operational risk”. Even though cyber risk is only a subset of a firm’s operational risk, worldwide search interest in the two terms is today almost on a par. Yet despite growing public concern, there is still no commonly agreed definition of cyber risk. Broadly speaking, it is understood as the risk of financial loss, disruption or reputational damage resulting from the failure of IT systems. Cyber attacks are one type of cyber risk.


[Graph 1: worldwide online search interest for “cyber risk” compared with “operational risk” over the last decade]


Cyber incidents have a number of dimensions. Graph 2 provides a taxonomy, based on four categories: cause, actor, intent and consequence (Curti et al. 2019).

The causes can be very different, including both unintended incidents and intentional attacks. Examples of the former include accidental data disclosure as well as errors in implementation, configuration and processing in IT systems. The best known causes (methods) of cyber attacks are malware, cross-site scripting, phishing, password cracking, zero-day exploits, and denial-of-service and man-in-the-middle attacks.

The actors vary. They include outright criminal and terrorist organisations, industrial spies, “hacktivists” (such as the Anonymous group), and state and state-sponsored players. The damage they can cause depends on their sophistication and resources. For example, in 2016 hackers associated with North Korea carried out a notable attack by breaching the systems of Bangladesh Bank and using the SWIFT network to send fraudulent money transfer orders. The attack highlighted rising cyber risks for payment systems and associated infrastructures.


[Graph 2: taxonomy of cyber incidents by cause, actor, intent and consequence]


Graph 3 shows the number of cyber incidents by type of external actor over the period 2005–19. Criminal organisations have been the most common threat actors. In 2016 and 2017, more incidents came from state actors, including the Bangladesh Bank attack. More recently, state actors are suspected of having initiated the WannaCry attacks and numerous hacks of crypto-asset trading platforms.

As regards intent, around 40% of cyber incidents are intentional and malicious, rather than accidental, ie they are “cyber attacks” (Aldasoro et al., 2020b). The ultimate purpose can be profit (eg ransomware, industrial spying), geopolitical (state-sponsored attacks on critical infrastructures) or general discontent (hacktivism).

The consequences of cyber incidents can be monetary and/or reputational. They can involve a loss of the confidentiality, integrity or availability of assets and services. Business disruptions and IT system failures can damage integrity and availability. Data breaches compromise confidentiality, with financial and reputational losses. Fraud and theft include the loss of funds or any information (eg intellectual property) that may or may not be personally identifiable. In some circumstances, cyber attacks could have systemic implications and cause serious economic dislocations.


[Graph 3: number of cyber incidents by type of external actor, 2005–19]


The risks and consequences of cyber attacks differ from generic IT risks for at least three reasons. First, cyber attacks are malicious. Second, they are highly scalable, ie they can spread rapidly through copycat attacks or perhaps occur simultaneously due to common sources of vulnerability across IT systems and institutions. Third, they are constantly evolving, with threat actors responding to countermeasures.

The rapid evolution of the cyber attack landscape is challenging authorities’ ability to assess the threats adequately. In the past, sophisticated targeted intrusions were the exclusive domain of nation states, as they alone possessed the motivation, resources and technical talent needed to penetrate well defended networks. This is no longer the case. Sophisticated exploit tools and software frameworks are widely available on the internet at little or no cost, lowering entry barriers. Crimeware as a service (CaaS) is a viable business model whereby criminal actors for hire use state-of-the-art attack tools and techniques against specified targets. Perhaps most worrying are firms that conduct research to identify zero-day exploits, which are then offered for sale.

The operational disruptions of the Covid-19 pandemic may have opened up new possibilities for attacks. Evidence to date suggests that the causes, actors and intent of such attacks have been broadly similar to those seen before the pandemic (CERT-EU, 2020). Yet there has been a sharp rise in Covid-related phishing, for instance e-mails or attachments that purport to hold information about Covid-19 but in fact carry malware. Given the widespread use of WFH arrangements, threat actors are able to exploit operational uncertainty and the use of personal devices. For instance, the use of remote access technologies such as the Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs) has increased by 41% and 33%, respectively, since the onset of the Covid-19 outbreak (ZDNet, 2020). Unless well managed, this creates new opportunities for threat actors to penetrate IT systems and carry out cyber attacks (Crisanto and Prenio, 2020). WFH may also challenge business continuity plans and the response to an operational or cyber incident (CPMI, 2020).....
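One concrete way to “manage well” the expanded RDP exposure the paragraph describes is to watch for password guessing against exposed RDP endpoints. The script below is an added example, not code from the note or its authors: it scans Windows Security log records for failed Remote Desktop logons (event 4625, logon type 10) from a single source address, flags a source once it crosses a failure threshold inside a sliding window, and then reports any successful RDP logon (event 4624, logon type 10) from a source already flagged, which is the pattern of a guessed credential being used. The log lines, the record layout, the threshold and the window length are all constructed assumptions for illustration.

```python
"""Detect RDP password guessing followed by a successful logon.

Added example. The sample records below are constructed, and the threshold
and window are assumed tuning values, not figures from the note.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs and the logon type used by Remote Desktop sessions.
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # LogonType 10 = RDP / Terminal Services

# Assumed tuning: 5 RDP failures from one source within 2 minutes is a burst.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed sample, one record per line (assumed layout):
# <ISO timestamp> <EventID> <LogonType> <source IP> <account>
SAMPLE_LOG = """\
2020-04-01T08:00:01Z 4625 10 203.0.113.7 administrator
2020-04-01T08:00:09Z 4625 10 203.0.113.7 admin
2020-04-01T08:00:17Z 4625 10 203.0.113.7 alice
2020-04-01T08:00:25Z 4625 10 203.0.113.7 bob
2020-04-01T08:00:33Z 4625 10 203.0.113.7 carol
2020-04-01T08:00:41Z 4624 10 203.0.113.7 carol
2020-04-01T08:05:00Z 4625 10 198.51.100.4 dave
2020-04-01T08:06:00Z 4624 10 198.51.100.4 dave
2020-04-01T08:07:00Z 4625 3 203.0.113.9 erin
"""


def parse_record(line):
    """Split one record into (timestamp, event_id, logon_type, source, account)."""
    ts, event_id, logon_type, src, account = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        int(event_id),
        int(logon_type),
        src,
        account,
    )


def detect(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (flagged, suspicious).

    flagged:    {source IP: time at which it crossed the failure threshold}
    suspicious: [(time, source IP, account)] for successful RDP logons coming
                from a source that had already been flagged.
    """
    recent = defaultdict(deque)  # source -> timestamps of RDP failures in window
    flagged = {}
    suspicious = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = parse_record(line)
        if logon_type != REMOTE_INTERACTIVE:
            continue  # only RDP sessions; other logon types need their own baseline
        failures = recent[src]
        if event_id == FAILED_LOGON:
            failures.append(ts)
            while failures and ts - failures[0] > window:
                failures.popleft()  # drop failures older than the window
            if len(failures) >= threshold and src not in flagged:
                flagged[src] = ts
        elif event_id == SUCCESSFUL_LOGON and src in flagged:
            suspicious.append((ts, src, account))
    return flagged, suspicious


if __name__ == "__main__":
    flagged, suspicious = detect(SAMPLE_LOG)
    for src, when in flagged.items():
        print(f"brute force from {src} (threshold reached {when.isoformat()})")
    for when, src, account in suspicious:
        print(f"successful RDP logon after guessing: {account} from {src} at {when.isoformat()}")
```

In the constructed sample only 203.0.113.7 crosses the threshold (five failures between 08:00:01 and 08:00:33), and its subsequent logon as `carol` is reported; the single failure from 198.51.100.4 and the network logon (type 3) from 203.0.113.9 are left alone. In production the same logic would run over events exported from the Security channel rather than a string, and the threshold and window would be tuned against the organisation’s own baseline.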

by Iñaki Aldasoro (BIS), Jon Frost (BIS), Leonardo Gambacorta (BIS),
Thomas Leach (University of Pavia) and David Whyte (BIS)
more at SUERF



© SUERF

