Cyber attacks on financial institutions and financial market infrastructures have become more frequent and sophisticated, prompting ever-larger investments and efforts.
This note explores causes, considers
the specific vulnerabilities of the financial sector, examines costs
and financial stability implications and outlines possible policy
responses. International cooperation is key, as authorities face similar
issues and cyber resilience is, fundamentally, a global public good.
The financial sector has long been
spearheading cyber security enhancements, with many regulatory and
industry-wide initiatives. However, cyber attacks on financial
institutions and financial market infrastructures (FMIs) have become
more frequent and sophisticated, prompting ever-larger investments and
efforts. In parallel, financial institutions, regulators, national
governments and international groups have been working to improve
overall operational resilience and ensure financial stability. The
threat landscape has evolved further since the outbreak of the Covid-19
pandemic, not least due to the higher prevalence of work-from-home (WFH)
arrangements and the associated demands on IT systems.
This note offers a taxonomy of cyber
incidents. It explores causes, considers the specific vulnerabilities of
the financial sector, examines costs and financial stability
implications and outlines possible policy responses. International
cooperation is key, as authorities face similar issues and cyber
resilience is, fundamentally, a global public good (Carstens, 2019;
2. Cyber risk: taxonomy and specificity
Cyber risk is receiving growing
attention. Graph 1 reports the number of online searches for “cyber
risk” over the last decade and compares it with that for “operational
risk”. Despite the fact that cyber risk is only a subset of a firm’s
operational risk, worldwide search interest for the two terms is today
almost on a par. Despite growing public concerns about cyber risk, there
is still no commonly agreed definition.2
Broadly speaking, cyber risk is understood to be the risk of financial
loss, disruption or reputational damage resulting from the failure of IT
systems. Cyber attacks are one type of cyber risk.
Cyber incidents have a number of
dimensions. Graph 2 provides a taxonomy, based on four categories:
cause, actor, intent and consequence (Curti et al. 2019).
The causes can be very
different, including both unintended incidents and intentional attacks.
Examples of the former include accidental data disclosure as well as
errors in implementation, configuration and processing in IT systems.
The best known causes (methods) of cyber attacks are malware, cross-site
scripting, phishing, password cracking, zero-day exploits, and
denial-of-service and man-in-the-middle attacks.
The actors vary. They
include outright criminal and terrorist organisations, industrial spies,
“hacktivists” (such as the Anonymous group), or state and
state-sponsored players. The damage they can cause depends on their
sophistication and resources. For example, in 2016, hackers associated
with North Korea carried out a notable attack by breaching the systems
of Bangladesh Bank and using the SWIFT network to send fraudulent money
transfer orders.3 The attack highlighted rising cyber risks for payment systems and associated infrastructures.4
Graph 3 shows the number of cyber
incidents by types of external actor over the period 2005–19. Criminal
organisations have been the most common threat actors. In 2016 and 2017,
more incidents came from state actors, including the Bank Bangladesh
attack. More recently, state actors are suspected to have initiated the
WannaCry attacks5 and numerous hacks of crypto-asset trading platforms.
As regards intent,
around 40% of cyber incidents are intentional and malicious, rather than
accidental, ie they are “cyber attacks” (Aldasoro et al., 2020b). The
ultimate purpose can be profit (eg ransomware, industrial spying),
geopolitical (state-sponsored attacks on critical infrastructures) or
general discontent (hacktivism).
The consequences of cyber incidents can be monetary and/or reputational. They can involve a loss of the confidentiality, integrity or availability
of assets and services. Business disruptions and IT system failures can
damage integrity and availability. Data breaches compromise
confidentiality, with financial and reputational losses. Fraud and theft
include the loss of funds or any information (eg intellectual property)
that may or may not be personally identifiable. In some circumstances,
cyber attacks could have systemic implications and cause serious
The risks and consequences of cyber
attacks differ from generic IT risks for at least three reasons. First,
cyber attacks are malicious. Second, they are highly scalable, ie they
can spread rapidly through copycat attacks or perhaps occur
simultaneously due to common sources of vulnerability across IT systems
and institutions. Third, they are constantly evolving, with threat
actors responding to countermeasures.
The rapid evolution of the cyber attack
landscape is challenging authorities’ ability to assess the threats
adequately. In the past, sophisticated targeted intrusions were the
exclusive domain of nation states, as they alone possessed the necessary
motivation, resources and technical talent to penetrate well defended
networks. However, this is no longer the case. Sophisticated exploit
tools and software frameworks are widely available on the internet at no
or little cost, lowering entry barriers. Crimeware as a service (CaaS)
is a viable business model whereby criminal actors for hire utilise
state-of-the-art attack tools and techniques against specified targets.
Perhaps most worrisome are firms that conduct research to identify
zero-day exploits,6 which are then offered for sale.
The operational disruptions of the
Covid-19 pandemic may have opened up new possibilities for attacks.
Evidence to date suggests that the causes, actors and intent of such
attacks have been broadly similar to those pre-pandemic (CERT-EU, 2020).
Yet there has been a sharp rise in Covid-related phishing, for instance
e-mails or attachments that purport to hold information related to
Covid-19 and in fact carry malware. Given the widespread use of WFH
arrangements, threat actors are able to leverage operational uncertainty
and the use of personal devices. For instance, the use of remote access
technologies such as the Remote Desktop Protocol (RDP) and Virtual
Private Network (VPN) has increased by 41% and 33%, respectively, since
the onset of the Covid-19 outbreak (ZDNet, 2020). Unless well managed,
this may allow new opportunities for threat actors to penetrate IT
systems and carry out cyber attacks (Crisanto and Prenio, 2020). WFH may
also challenge business continuity plans and the response to an
operational or cyber incident (CPMI, 2020).....
by Iñaki Aldasoro (BIS), Jon Frost (BIS), Leonardo Gambacorta (BIS),
Thomas Leach (University of Pavia) and David Whyte (BIS)1
more at SUERF
Hover over the blue highlighted
text to view the acronym meaning
over these icons for more information
No Comments for this Article