In an era where digitalization has become intertwined with the very fabric of our financial systems, the specter of cyber threats looms larger than ever before. The escalation of geopolitical tensions only serves to heighten this risk, casting a long shadow over the stability of our global economic infrastructures.
The Digital Battlefield Intensifies
Since the onset of the pandemic, the frequency of cyber-attacks has more than doubled, a sobering reminder of the vulnerabilities that accompany our increasingly interconnected world. While the direct losses from such attacks have been relatively contained for businesses in the past, the potential for systemic consequences grows ever more tangible. The Equifax data breach of 2017, which affected approximately 150 million consumers and resulted in over a billion dollars in fines, stands as a stark testament to the severity of these incidents.
As delineated in a chapter of the April 2024 Global Financial Stability Report, the risk of extreme losses from cybersecurity events is on the rise. Such losses could precipitate liquidity crises for businesses, even threatening their solvency. Since 2017, the magnitude of these extreme losses has tripled, now exceeding $2.5 billion. Indirect losses, such as those from reputational damage or expenditures on security system upgrades, are considerably higher.
The Financial Sector: A Prime Target
The financial sector, in particular, is acutely susceptible to cyber risks. Financial firms process vast amounts of sensitive data and transactions, making them prime targets for criminals seeking to siphon funds or disrupt economic activities. Attacks against financial entities account for nearly one-fifth of all cyber incidents, with banks bearing the brunt of the impact.
Cybersecurity events within the financial sector that undermine public confidence, disrupt critical services, or cause spillover effects to other institutions pose a grave threat to financial and economic stability.
For instance, a severe cybersecurity event at a financial institution could erode trust in the financial system, potentially triggering market sell-offs or bank runs in extreme cases. While no significant “cyber run” has occurred to date, our analysis indicates that some small banks in the United States have experienced sustained deposit outflows following cyber-attacks.
Cyber incidents that disrupt critical services, such as payment networks, can also have a severe impact on economic activity. A recent cyber-attack on the central bank of Lesotho, which caused a disruption in the national payment system and halted transactions among domestic banks, underscores this point.
Another factor is the growing reliance of financial firms on third-party IT service providers and the increasing role of artificial intelligence, which could amplify this dependency. These external providers can enhance operational resilience in the financial industry but also expose it to systemic shocks. For example, a ransomware attack on a cloud IT service provider in the United States in 2023 led to simultaneous system outages at 60 credit unions.
Policy and Governance Frameworks Must Evolve
As the chapter describes, with the rise in digitalization and geopolitical tensions, the global financial system faces increasingly severe cyber risks, necessitating that policy and corporate governance frameworks keep pace with the evolving landscape.
Public intervention may be necessary, as private incentives may not suffice to address cyber risks—firms might not fully account for the systemic impacts of cybersecurity events. However, according to an IMF survey of central banks and regulatory authorities, cybersecurity policy frameworks, particularly in emerging markets and developing economies, often remain inadequate. For example, only about half of the surveyed countries have established national cybersecurity strategies or specific regulations focused on the financial sector.
To bolster the resilience of the financial sector, authorities should:
- Conduct regular assessments of the cybersecurity landscape, identifying potential systemic risks from interconnectedness and concentration, including those from third-party service providers.
- Encourage financial sector firms to elevate their cyber “maturity,” including enhancing the cybersecurity expertise of board members. As our analysis shows, improved cyber-related governance can reduce cyber risks.
- Improve corporate cyber hygiene, i.e., online security and system health (such as anti-malware and multi-factor authentication), and strengthen training and cybersecurity awareness.
- Prioritize the reporting and collection of data on cybersecurity events and promote information sharing among financial sector participants to heighten their collective defenses.
Given that cyber-attacks often originate from beyond the borders of the financial firms’ home countries, and the proceeds can be transferred cross-border, international cooperation is crucial for effectively addressing cyber risks.
Despite the inevitability of cybersecurity incidents, the financial sector must be capable of continuing to provide critical business services during disruptions. Financial firms should develop and test response and recovery procedures, and national authorities should establish effective contingency plans and crisis management frameworks.
The IMF actively assists member countries in strengthening their cybersecurity frameworks through policy advice, such as financial sector assessment programs and capacity-building activities.