Cyber risks to the financial system are escalating, and the global community must unite to defend it
In February 2016, hackers attacked the central bank of Bangladesh and exploited weaknesses in SWIFT, the global financial system’s major electronic payment messaging system, aiming to steal $1 billion. While most transactions were halted, $101 million still disappeared. The robbery was a wake-up call for the banking sector that systemic cyber dangers in the financial system had been significantly underestimated.
Today, the view that a large cyberattack poses a danger to financial stability is axiomatic—not a matter of if, but when. Yet the world’s governments and corporations continue to struggle to contain the danger because it remains unclear who is accountable for securing the system. Increasingly worried, prominent voices are sounding the alarm.
In February 2020, Christine Lagarde, president of the European Central Bank and former head of the International Monetary Fund, warned that a cyberattack might precipitate a catastrophic financial crisis. In April 2020, the Financial Stability Board (FSB) warned that “a severe cyber catastrophe, if not successfully handled, may substantially impair financial systems, particularly essential financial infrastructure, leading to wider financial stability implications.” The potential economic consequences of such events may be vast and the harm to public trust and confidence considerable.
Two ongoing trends heighten this danger. First, the global financial sector is going through an unprecedented digital transition, which is being hastened by the COVID-19 pandemic. Banks compete with technology businesses; technology companies compete with banks. Meanwhile, the pandemic has heightened demand for online financial services and made work-from-home arrangements the norm. Central banks across the world are contemplating putting their weight behind digital currencies and upgrading payment systems. In this period of transition, when an incident might easily erode confidence and derail such advancements, cybersecurity is more vital than ever.
Second, bad actors are taking advantage of this digital change and constitute a rising danger to the global financial system, financial stability, and trust in the integrity of the system. The pandemic has even given hackers new targets. The financial industry is experiencing the second-largest share of COVID-19–related cyberattacks, behind only the health sector, according to the Bank for International Settlements.
Who is behind the threat?
More dangerous attacks and resulting shocks should be expected in the future. Most alarming are incidents that compromise the integrity of financial data, such as records, algorithms, and transactions; few technical solutions are currently available for such attacks, which have the potential to destroy trust and confidence more generally.
The malicious actors behind these attacks include not only more audacious criminals—such as the Carbanak group, which targeted financial institutions to steal more than $1 billion from 2013–18—but also states and state-sponsored attackers (see table). North Korea, for example, has stolen about $2 billion from at least 38 nations in the previous five years.
This is a worldwide concern. While cyberattacks in high-income nations tend to generate headlines, less attention is devoted to the rising number of attacks against softer targets in low- and lower-middle-income countries.
Yet it is in such nations that the drive for greater financial inclusion has been strongest, pushing many to jump to digital financial services such as mobile payment systems. Although they do increase financial inclusion, digital financial services also create a target-rich environment for hackers. The October 2020 attack on Uganda’s leading mobile money networks, MTN and Airtel, for example, led to a severe four-day suspension of service transactions.
The responsibility gap
Despite the global financial system’s growing dependence on digital infrastructure, it remains unclear who is accountable for securing the system from cyberattacks. In part, this is because the environment is changing so swiftly. Without determined action, the global financial system will only grow more susceptible as innovation, competition, and the pandemic further drive the digital revolution.
Although many threat actors are focused on making money, the number of purely disruptive and destructive attacks has been increasing; furthermore, those who learn how to steal also learn about the financial system’s networks and operations, which allows them to launch more disruptive or destructive attacks in the future (or sell such knowledge and capabilities to others). This fast change of the risk environment is stressing the response of an otherwise mature and well-regulated institution.
Better securing the global financial system is essentially an organisational task. Efforts to strengthen defences and toughen regulation are vital but are not adequate to outrun the mounting hazards.
Unlike many industries, much of the financial services community does not lack resources or the expertise to deploy technology solutions. The key challenge is a collective action problem: how best to structure the system’s protection across governments, financial agencies, and industry and how to use these resources effectively and efficiently.
The existing fragmentation among stakeholders and activities stems partly from the unique elements and growing nature of cyber risk. Different communities work in silos and approach the problem through their particular missions.
The financial supervisory community concentrates on resilience, diplomats on norms of state conduct, national security agencies on deterring harmful activities, and industry executives on firm-specific rather than sector-specific threats. As the boundaries between financial services corporations and internet companies grow ever more blurry, the lines of accountability for security are also becoming muddled.
The disconnect between the finance, national security, and diplomatic communities is especially acute. Financial authorities confront specific dangers from cyberattacks, but their partnerships with national security agencies, whose cooperation is crucial to properly combat such threats, remain shaky. This accountability gap and persistent confusion regarding duties and mandates to safeguard the global financial system drive risks.
Part of this uncertainty is related to the present geopolitical atmosphere and high levels of distrust, which inhibit cooperation among the international community. Cooperation on cybersecurity has been impeded, fragmented, and frequently confined to the narrowest circles of trust since it touches on sensitive national security issues. International and multi-stakeholder collaboration is not a “nice-to-have” but a “need-to-have.”
An international strategy
To achieve more effective security of the global financial system against cyberattacks, the Carnegie Endowment for International Peace produced a paper in November 2020 titled “International Strategy to Better Protect the Global Financial System from Cyber Threats.” Developed in partnership with the World Economic Forum, the paper offers specific initiatives to minimise fragmentation by promoting greater collaboration, both globally and within government agencies, financial corporations, and digital enterprises.
The plan is built on four principles. First, better clarity regarding roles and duties is essential. Only a few nations have created efficient internal partnerships among their financial regulators, law enforcement, diplomats, other key government players, and business. Existing fragmentation inhibits international collaboration and diminishes the international system’s collective resilience, recovery, and response capacities.
Second, international cooperation is required and urgent. Given the extent of the danger and the system’s internationally linked structure, individual governments, financial organisations, and tech businesses cannot successfully guard against cyberattacks if they act alone.
Third, minimising fragmentation will free up capacity to handle the issue. Many measures are underway to better secure financial institutions, but they remain isolated. Some of these efforts duplicate one another, raising transaction costs. Several of these programmes are mature enough to be shared, better coordinated, and more internationalised.
Fourth, protecting the international financial system may be a model for other industries. The financial system is one of the few arenas in which nations have a clear common interest in cooperating, even when geopolitical tensions are high. Focusing on the financial sector offers a starting point and might pave the way to stronger protection of other industries in the future.
Among initiatives for boosting cyber resilience, the study suggests that the FSB build a baseline framework for overseeing cyber risk management at financial institutions. Governments and business should boost security by exchanging information on threats and by developing financial computer emergency response teams (CERTs), patterned on Israel’s FinCERT.
Financial regulators should also prioritise enhancing the financial sector’s resilience against attacks targeting data and algorithms. This should feature safe, encrypted data vaulting that enables members to securely back up client account data overnight. Regular exercises to simulate cyberattacks should be conducted to discover flaws and establish response measures.
To enhance international standards, the study advises that countries make explicit how they would apply international law to cyberspace and establish rules to defend the integrity of the financial system. The governments of Australia, the Netherlands, and the United Kingdom have already taken a first step with statements that cyberattacks from outside may be seen as unlawful use of force or meddling in the internal affairs of another state.
Cyber resilience and enhanced international rules may permit collective response via law enforcement operations or multilateral responses with industry. Responses might include punishments, arrests, and asset confiscation.
Governments may help these efforts by forming organisations to aid in identifying threats and coordinating responses. Intelligence collection should include a focus on threats to the financial system, and governments should share such intelligence with allies and like-minded nations.
Building capacity
The complete plan proposed in the Carnegie study hinges in turn on developing the cybersecurity workforce, boosting the financial sector’s cybersecurity capabilities, and protecting advances in financial inclusion that have emerged from the digital revolution.
Elevated unemployment owing to the pandemic gives a significant opportunity for training and employing skilled individuals to enhance the cybersecurity workforce. Financial services organisations should engage in efforts to improve the talent pipeline, including high school, apprenticeship, and university programmes.
Building cybersecurity capability requires concentrating on delivering support where it is required. The IMF and other international institutions received several requests for cybersecurity help from member governments, notably after the 2016 Bangladesh incident. G20 nations and central banks should construct an international system to improve cybersecurity capabilities for the financial sector, with an international organisation such as the IMF assigned to manage the effort. The Organisation for Economic Co-operation and Development and international financial institutions should make cybersecurity capacity building an element of development aid packages and should greatly enhance support to nations in need.
Finally, preserving success in financial inclusion involves increasing ties between financial inclusion and cybersecurity. This is especially essential in Africa, with several nations on the continent facing a dramatic transition of their financial sectors as they increase financial inclusion and migrate to digital financial services. A network of professionals should be developed to concentrate exclusively on cybersecurity in Africa.
The moment has come for the international community—including governments, central banks, regulators, industry, and other key stakeholders—to work together to confront this critical matter. A well-thought-out plan, such as the one above, gives a roadmap for translating words into action.