Cyber ​​threat scenarios, financial system and systemic risk assessment (2023)

Abstract

Cyber ​​risk has become a major concern for stakeholders in the financial system. However, its properties are not yet well characterized and understood. To help you better understand, we discuss the characteristics of cyber risk and categorize different cyber risk scenarios. Additionally, we present a country-specific conceptual framework for assessing systemic cyber threats. This includes cyber vulnerability analysis, assessment of cyber security and preparedness capabilities, and identification of available security reserves to deal with shocks from cyber threats.

Entrance

Internet usage is growing rapidly around the world.According to the International Telecommunication Union (ITU), 1.5 billion new users accessed the Internet between 2010 and 2016.¹While Internet access promotes digital, social and financial inclusion, the ever-increasing digitization of life creates more and more opportunities for adversaries. These opportunities range from criminals who commit financial fraud and information theft to sophisticated hackers who carry out destructive and even destructive cyber attacks.

Assessing and managing systemic cyber risk remains a challenge.The financial system has so far withstood large-scale cyberattacks, but some say it has not been tested for a truly systemic event.²As the interconnections of cyberspace with the real economy intensify, in the face of widely expected further increases in interdependence, interconnectedness and complexity, an external shock is more likely to affect the financial system and become a systemic event.³Additionally, the inherent lack of transparency in highly integrated operations and interdependencies complicates the ex ante assessment and quantification of systemic cyber threats. Data is limited and cyber risks are rarely measured in terms of economic costs. Finally, modeling techniques for both idiosyncratic and systemic cyber threats are less sophisticated than for other insurance risks, and more work appears to be needed to put them on a solid footing.

While companies are increasingly aware of the need to prevent cyber breaches, the concept of systemic cyber risk remains largely abstract.Some view cyber risk as a mere operational risk – a cost component of doing business in a connected world – and do not consider systemic cyber risk in their risk analysis. Others present Armageddon-style scenarios of a massive cyberattack that would bring our modern economic and social system to its knees, though rarely in a way that is useful for risk management. To better understand how cyber risk can manifest, we present a systematization of potential cyber risk events ranging from narrow, specific scenarios to common systemic scenarios.

The purpose of this document is to enhance understanding and awareness of systemic cyber threats among financial system stakeholders.We first discuss the characteristics of cyber risk, including risk concentration and the different dimensions of cyber risk. To make cyber risk less abstract, we present different scenarios ranging from company-specific operational risks to mining infrastructure outages and external shocks. By reading about possible scenarios, decision makers can gain a more complete picture of how cyber threats can manifest. Second, we describe a country-level framework for assessing systemic cyber threats based on cyber exposure, cyber preparedness, and shock resilience.

Cyber ​​Risk Properties

Complexity and aggregation of risks

Especially in the last fifteen years, the number of users and devices connected to the Internet has increased tremendously. This trend is mainly due to the widespread use of mobile phones around the world. According to Cisco, the number of Internet-connected devices worldwide grew from 500 million in 2003 to 12.5 billion in 2010, an average annual increase of 35%.⁴The number of Internet of Things (IoT) devices – electronic devices that can connect to the Internet or local area networks, including smart TVs and refrigerators – is estimated to have grown from around 20 billion in 2017 to 31 billion in 2018.⁵As with other technical devices and software, many of these IoT devices are believed (or known) to have technological vulnerabilities that are often undetected by both manufacturers and owners.

Software bugs expose users to cybersecurity risks.Many software problems only become apparent when the products are used by a large enough network of people. As software matures (Figure 1, left graph), products become more secure. However, there are also financial incentives for software vendors to bring products to market faster than the competition and to resolve security issues quickly.⁶Software vendors may choose to invest less in security so their services can compete at lower prices.⁷Using third-party software or networks necessarily exposes you to non-differentiable risk (ie, that part of cyber risk that cannot be differentiated, regardless of individual cyber hygiene; Figure 1, right graph). No matter how careful network participants are (that is, how well they manage their specific risks), simply using third-party software or the Internet exposes them to risks that cannot be differentiated.⁸Information asymmetries and misaligned incentives can cause chronic underinvestment in cyber security, causing negative externalities for other network participants.

Hackers exploit security vulnerabilities and compromise vulnerable devices to launch cyber attacks.Threat modeling can help overcome the lack of reliable cyber risk data. Information about the type of hacker responsible for a cyberattack helps to narrow down the relevant scenarios: the motivations and capabilities to carry out attacks vary according to the type of cybercriminals (Table 1).⁹

• Criminals, hacktivists and insiders are simple and sophisticated.While some criminal groups demonstrate a high level of sophistication, a major cyber event damaging the financial industry is inconsistent with their motivation to make money with minimal risk. A possible systemic scenario assumes that the number of successful cybercrimes will reach such a high level that consumer confidence in the financial sector will be disrupted. In fact, cybercriminals are called leeches that accidentally kill their host.
• Proxy entities typically conduct offensive cyber operations on behalf of the beneficiary, which may be a competitor, a national government, or a group of individuals. While the activities of proxies are usually considered espionage, they also carry out other types of cyberattacks, including those that are logically and physically destructive.
• Nation-states engage in long-term espionage and offensive cyber operations that support geopolitical and strategic policy objectives.Many countries have increased their cyber-attack capabilities, including destructive military-style cyber-attacks. In 2018, the US intelligence community identified more than 30 countries with the potential to launch devastating military-level cyberattacks.¹⁰

The financial sector and the economy in general can be potential targets in the event of war.The increasingly aggressive posture of state militaries in cyberspace,¹¹transition to hybrid warfare¹²or unlimited war¹³the past twenty years and recent changes in the tone of military leadership¹⁴they highlight the fact that the economy, and in particular the financial sector, are increasingly viewed as potential targets. Attacks on a country's economy may involve destroying, degrading, or disrupting a specific company or group of companies (eg, large banks) or important functions such as pricing and settlement of transactions.

Threat factors: motivation, influence, and meaning

Cyber ​​risk has long been viewed primarily as an information technology (IT) homeland security problem.Cyber ​​risk was perceived as a specific operational risk associated with doing business on networks (eg the Internet) and using software. Over time, this perspective has evolved to include operational risks associated with the company's direct business partners, including contractors and third parties. Internal risk management processes and controls have been extended to companies and customers directly related to the company's business activities. The actual concentration of risks goes far beyond individual institutions (Figure 2). Risks arising from upstream infrastructure (for example, electricity, telecommunications, financial market infrastructure) or technological externalities (for example, the introduction of new breakthrough technologies) are beyond the control of individual companies. Despite (usually extensive) contractual arrangements, monitoring cyber exposure, even of close business partners, remains a challenge. Risk can also arise from unexpected external shocks, such as natural disasters or armed conflicts that require government intervention.

There is much uncertainty about the potential economic impact of cyber events.While there is a relatively good understanding of the direct costs associated with cyber incidents (including, for example, court costs, legal assistance, customer reporting, post-breach customer security and credit protection), indirect costs are a less obvious term and others . it is difficult to calculate in advance.¹⁵These include negative impact on brand and customer relationships (reputational risk), infringement of intellectual property rights and higher ongoing operational and risk costs. Global cyber losses are estimated at $250 billion to $1 trillion annually.¹⁶

Systemic risk

Cyber ​​risk affects not only individual financial institutions, but also has a significant systemic dimension.The World Economic Forum (WEF) defines systemic cyber risk as “the risk that a cyber event (attack or other adverse event) on a single element of the critical infrastructure ecosystem will result in significant delay, denial, failure, disruption or loss . , in such a way that services are not only affected at the original element, but the effects are also transmitted to related (logical and/or geographical) elements of the ecosystem, causing significant adverse effects on public health or safety, economic security or national security ."¹⁷While cyber risk as an operational risk has been on the radar of risk managers for some time, until recently risk management in financial institutions was focused on a single company, largely ignoring the systemic nature of cyber risk arising from reliance on complex infrastructure or because it disrupts critical IT systems. The dominance of cyber risk assessment at the level of individual institutions has increased, but it increasingly reflects a relatively narrow view that often ignores or does not adequately consider the systemic dimension of cyber threats to systems and networks.

Structural challenges make assessing systemic cyber risk difficult.They come from experience with major cyber events. uncertainty about how shocks are transmitted; lack of comprehensive and consistent data about events; and uncertainty about the long-term effects of cyber breaches. The complex aggregation of cyber risks has proven particularly challenging when estimating the costs of past and future cyber events.¹⁸Furthermore, motivations focus on the victim's attitude, which does not reveal the extent or nature of cyberattacks.¹⁹

Systemic risk arises from risk concentration, risk correlation and shock amplification.The Bureau of Financial Research cites lack of substitutability, loss of trust and loss of data integrity as channels through which cyber events can threaten financial stability.²⁰The Columbia School of International and Public Affairs discusses “no economic substitutability, no IT substitutability, loss of trust, data integrity and interconnection”.²¹For example, some systems, including central clearing platforms (CCPs) and transfer systems such as SWIFT, are important hubs in the financial system.²²While they provide standardization and secure global financial services, they also carry concentration risk due to low external redundancy.²³Their services cannot easily be replaced by other institutions because while financial infrastructure systems are technically highly redundant, their operations are not. Outages or defaults can affect the payment, settlement and settlement of financial transactions, which can have negative externalities, exposing financial institutions, markets and participants to unexpected shocks.The interconnectedness throughout the financial system allows idiosyncratic shocks to spread widely and potentially become systemic.

The main sources of systemic risk in cyberspace are exposure to concentrations of risk arising from non-substitutability. loss of confidence and risk association; and complex interactions that reinforce outcomes.

• Concentration of risk and no substitutability: Risk is concentrated in a number of systemically important financial market infrastructures and financial institutions. However, systemic risk can also arise from technical concentration and concentration of IT, including operating systems and programs, cloud servers and electronic network nodes. These single points of failure are particularly important for the smooth functioning of the financial system, as large parts of the financial economy are directly affected by disturbances.
• Loss of confidence and risk association: Cyber ​​idiosyncratic shocks can cause a loss of confidence, which creates funding liquidity risk that can lead to market liquidity shocks, market risk, and ultimately solvency risk. The inability of an institution to meet its payment or settlement obligations can lead to a reputational crisis with negative consequences for funding liquidity. The default of cyber-affected institutions reveals counterparty credit risk. Other institutions that relied on the availability of these liquidity flows may also be at risk of a liquidity cascade. Liquidity shortages, in turn, could force institutions to sell assets through fire sales (increasing market liquidity risk), which would then affect asset pricing and spread to all market participants. market that invests or invests in that asset or class of assets for trading. Over time, losses due to liquidity risk absorb the capital of companies, potentially causing a solvency crisis.
• Complex interconnections that enhance the contagion effect: Close, direct connections through interbank and carry markets allow shocks to spread throughout the system. As digitization continues, the networks that make up our financial systems have seen a dramatic increase in interconnectedness and complexity. Shocks in one part of the system can affect other, perhaps distant, parts of the financial system through indirect linkages or the emergence of previously unknown dynamics with unexpected feedback.

Scenario

Scale and time

According to many experts, for a cyber event to have a significant impact on the economy, it must be large.Depending on the size of the event, the number of scripts, and the timing of their occurrence, an initial operational event can evolve into a system event. Figure 3 outlines several possible ways in which this could occur. For example, a systemic cyber incident may be triggered by a series of seemingly minor or specific cyber events that have cascading effects due to previously unknown connections and dependencies between affected organizations.

Time will play an important role in the realization of a systemic cyber event.Time affects an organization's ability to respond to events, the resources available to mitigate financial loss, and the ability to deal with reputational damage. Timing at the systemic or national level leads to more frequent (ie more critical) use of certain financial industry functions, increasing the impact of their loss or disruption. Since the timing and causes of financial crises are difficult to predict, financial system stability analysis focuses on identifying system vulnerabilities and building buffers that increase resilience to shocks.²⁸At certain times, the system is unable to do this, and if there is a shock at this point, it can have a significant impact on the economy. For example, listed companies are more at risk from quarterly reports and announcements of mergers, acquisitions or political payouts. CCPs that pool members' settlement failure risk are most exposed to risk at the time of settlement, when accrued liabilities are particularly high and the risk of using liquid assets and liquidity lines is generally high.²⁹

Analyzing hypothetical adverse scenarios can help companies and policy makers identify and implement the most effective mitigation factors.The scenario planning process requires identifying potential sources of risk, describing how the risk will affect business operations, and describing how shocks will propagate through the system. Such thought experiments are forward-looking, can incorporate the impact of future technologies, are dynamic (as systems transmit shocks), and are probabilistic to some degree. Scenario analysis can help institutions understand the potential risk, how it is transferred, where to invest and how best to respond in the event of a system breach.

Systematization of cyber threat scenarios

The starting point is a thorough risk analysis.Where does the risk come from: from the current realm of operational risk (ie an event that has a direct impact on the organization or is sourced from a third party), from the organization's mining infrastructure, or from an external shock? One of the great advantages of scenario analysis is that you can simulate not only past events, but also possible future events. With the rapidly evolving cybersecurity risk factor, past events are not necessarily good indicators of future patterns. Here is a list of current and future scenarios for the future, based on which analysts can make their own scenario selection. Using the taxonomy first proposed by the Atlantic Council, we discuss (more traditional) high-impact operational risk scenarios, mining infrastructure scenarios, and external shock scenarios (Figure 4).

High impact operational risk scenarios

Operational risk is the risk of loss due to unreliable or inadequate internal processes, people and systems, or external events affecting internal IT.

• Hypothetical Scenario #1 – A Malware or Ransomware Attack on a Financial Institution:A major bank suffers a ransomware attack that renders most of the bank's computers virtually useless, disrupting operations and customer service. For example, the Shamoon virus infected approximately 35,000 computers at the energy company Saudi Aramco.³⁰The attack destroyed 85 percent of the company's equipment and shut down the company for ten days.³¹Another well-known example of a ransomware attack is WannaCry, a crypto-ransomware that attacked over 200,000 computers in more than 150 countries.

• Hypothetical Scenario #2 - Major Transfer Fraud:A financial institution suffered a significant loss of money as a result of a fraudulent transfer resulting from a cyber attack. Criminals steal money with the help of an insider who facilitates the placement of malware in the environment. They perform effective internal social engineering to arrange large transfers from institutions to accounts controlled by criminals.
• Hypothetical Scenario #3 – Data Breach and Targeted Information Leaks:The credit rating agency is breached and the attackers steal sensitive data about rated companies and other financial institutions, as well as emails and other internal documents of the credit rating agency. After a failed blackmail attempt, the attackers publish incriminating emails, documents and selected information about the company. Incriminating emails question the authenticity of the agency's reviews, claiming quid pro quo offers for good reviews from the rated agencies.
• Hypothetical Scenario #4 – Planting Malware on Trading Systems:The malware causes extremely high transaction volumes that affect prices. A large asset management firm is compromised and malware causes multiple simultaneous high-dollar trades in a specific product. Trading destabilizes the market and causes large fluctuations in commodity prices. In addition, a cyber-attack on automated trading causes algorithmic programs to malfunction, exploiting the complexity and power of trading, disrupts markets and increases the risk of market misconduct, such as unsolicited information leaks and possible "dark pool" market manipulation (private exchanges). . A cyber attack can also make transactions impossible. Trading on the stock exchange is suspended after it is suspected that sharp movements in the share prices of several companies were the result of a security breach of the exchange's main trading platform.
• Hypothetical Scenario #5 - Large-Scale Cyber ​​Attack on a Global Financial Transaction Messaging Network:³²The global financial transaction messaging network has been hit by a series of continuous large-scale cyber attacks over four weeks. The exact nature of the events that forced the network to cease and desist service was never revealed. Multiple anonymous sources at various financial institutions have reported problems trying to send messages over the network. recipients never received the message or received a modified message.
• Hypothetical scenario No. 6 - simultaneous cyber-attacks on system-important institutions:At the same time, a number of major attacks on critical infrastructure are taking place. Attacks include the loss of millions in a systemically important bank robbery, followed by a major ransomware incident at a systemically important insurance company and a public data breach for a major regulatory authority. Although there is no evidence to definitively link these three separate attacks, experts believe that the timing of the attack is not coincidental and is causing serious negative shocks to the financial sector of the country and the region.

Scenarios for mining infrastructure

• Hypothetical scenario no. 1 - disturbances in the central clearance:A CCP is subject to coordinated cyber-attacks that disrupt its ability to perform its functions, resulting in the inability to complete transactions. The attack campaign lasted several months, causing many CCP customers to find alternative ways of reliable clearing and settlement.
• Hypothetical Scenario #2: Attack disrupts payment and processing gateways:The cyberattack caused periodic disruptions to the retail payment system over the course of a week, affecting tens of thousands of businesses and their customers in several countries.
• Hypothetical Scenario #3 - Massive Malware Infection:At the same time, millions of network routers around the world are starting to malfunction due to malware secretly installed at the factory. Much of the Internet traffic has been disrupted. Along with outages in other industries, payment processing is halted for several days as the supplier tries unsuccessfully to resolve the issue. The only immediate solution is to purchase routers from another vendor that is not affected by the malware. There are demand peaks and shortages, resulting in delayed economic recovery with significant economic consequences.
• Hypothetical Scenario #4 – Cloud Provisioning Failure:³³A major cloud solution provider suddenly goes bankrupt for unforeseen reasons. Supplier dependent companies can no longer operate. Companies that depend on products that will be on time are running out, which has an impact on the companies that depend on them. The consequences are felt by a large part of the economy and the consequences are felt in other countries as well. As a result, many companies are losing faith in the Internet as a way of doing business and are requiring vendors and third parties to provide redundancy.
• Hypothetical Scenario #5: Supply disruptions have a domino effect:Disruptions to mining infrastructure can have negative effects on the financial sector and the economy. The financial sector – like all other critical infrastructure sectors – depends on electricity, efficient communications provided by telecommunications and sound technology.³⁴Long-term disruptions in the functioning of these dependencies will affect the ability of the financial sector to provide services and operate.

External shocks and other scenarios

• Hypothetical Scenario #1 - Retaliatory Sanctions for a Cyber ​​Attack:In response to sanctions and as part of a broader domestic effort, the sanctioned country directly targets financial sector institutions in sanctioned countries using a combination of several cyberattacks. While the sanctions are mainly the responsibility of larger banks, the sanctioned country believes it can have a greater impact by targeting many small and medium-sized banks, as they are less well protected. Attacks include disruptive attacks that affect institutional connectivity. multiple data breaches and leaks of sensitive data from many small and medium-sized banks; public claims that data from larger institutions will be released; and multiple thefts at small and medium-sized banks. The protracted nature of the attacks has significantly eroded public confidence in the financial sector, leading to multiple defaults at smaller banks and the risk of liquidity disruptions spreading across the industry.
• Hypothetical scenario no. 2 - armed conflict:The state is involved in an armed conflict with a rival country. In the early stages of conflict, one country launches targeted attacks against its adversary's government cloud service providers, telecommunications infrastructure, and power distribution centers. The goal is to blind and delay the adversary's military response so that a narrow and limited objective is achieved before the adversary can mount a coordinated response. Attacks have secondary effects on the competitor's financial sector and on third-party financial sector service providers. The holidays cause several weeks of disruption to payments, claims, withdrawals, transactions and billing.

Assessment of systemic cyber threats at the national level

Each country has different vulnerabilities to systemic cyber threats.Assessing systemic cyber risk is a challenge, made even more difficult by the fact that each country has a different level of vulnerability to a major cyber event that shocks the financial system. When risk managers understand country differences, they are better equipped to help assess the risk of a systemic cyber incident in a particular country.

This section provides a conceptual framework for assessing systemic cyber threats at the national level(Figure 5). The first step is to assess the country's exposure to risk. In our assessment of the current and potential future cyber threats facing financial and government institutions, we consider: (1) the country's reliance on technology and (2) the degree of connectivity. For a country's financial system, exposure to systemic cyber risk depends on the adoption and use of electronic banking, payment and mobile money systems. The next step is to assess cyber security and state preparedness to manage cyber risks as the first line of defense against such threats. Finally, a country's resilience to financial sector shocks depends on the size of the buffers available to absorb the effects of a cyber attack. Safety buffers may include the institution's reserves, the stock and flow of liquid assets, the public safety net (if any) and interconnections within the financial system.

Analysts can adapt the conceptual framework to their case by applying it alternative solution z Additionally measures to identify risk exposure, the level of cyber security and the types and appropriate size of available security buffers.The idea is to adapt the conceptual framework to the specific case: types of financial institutions and infrastructures are exposed to risk differently. Technological dependence depends on time. Cybersecurity levels tend to increase over time. and the ability of the financial system to absorb shocks that change over time. These qualities require a flexible, personalized approach. We then define the elements of the methodology in more detail and provide a relatively simple specification of the framework for visualization.

Exposure to cyber threats

cyber threat level

Cyber ​​threat analysis typically involves gathering publicly available quantitative and qualitative information.In making such assessments, analysts study historical patterns of cyberattacks on a country and its financial sector, drawing on multiple sources. The analysis often indicates which threat actors have attacked a country's financial institutions, and thus indicates the likely magnitude of the threat. For example, major cyber incidents are more likely to be caused by nation states or their proxies. Countries most exposed to such actors are at greater risk of a major systemic event. One way to quantify this is to assign numerical values ​​to the entire threat spectrum (from low to high). Relative comparisons are facilitated by converting the values ​​to Z-scores. Table 2 describes the evaluation criteria for the Cyber ​​Threat Assessment.

Dependence on technology

The increasing use of technology and the rapid adoption of new technologies create more and more opportunities for adversaries. In cyber risk management, cyber technology exposure is summarized as an attack surface: a set of vulnerabilities that can be exploited to launch a cyber attack, including unauthorized access. The risk of vulnerability increases with increased connectivity, which means greater exposure to systemic cyber risk.

In this example (Figure 6), we use the percentage of the population using digital payments, converted to a Z-score, as a simple measure of both online activity and the financial sector's reliance on technology.³⁵This variable is strongly correlated with other measures of technological dependence.

Cyber ​​security and preparedness

Good cybersecurity practices can reduce national systemic exposure to cyber threats.Most of the financial system is privately owned, and the protection of individual institutions is primarily their responsibility. However, national government agencies play a key role in crisis prevention through appropriate laws and regulations and in rapidly responding to major cyber incidents before they escalate into a crisis. With the effective actions of a national computer incident response team (CERT) to respond to incidents, governments can help reduce the risk of a cyber incident to one or more widely distributed victim companies. Governments can use their unique position to help improve the cyber workforce through training programs and can increase business resilience by facilitating public-private cybersecurity information sharing. Governments that take these steps reduce the risk that their countries will take action in response to systemic cyber incidents.

INTRODUCTION Table 2

Criteria for assessing cyber threats

Measuring cyber security.The metric used here for illustrative purposes is the Global Cyber ​​Security Index (GCI).³⁶— study by the International Telecommunication Union (ITU), the United Nations Information and Communications Technology Organization. The index, which measures countries' commitment to strengthening cybersecurity, is quantified as a combination of quantitative and qualitative data. It consists of five pillars (legal, technical, organizational, capacity building and cooperation) and calculates indicator values ​​for each pillar.³⁷In 2017, the ITU conducted a survey to assess countries' cyber commitments, rating each participating country against five pillars (see Figure 7). We use this indicator as a measure of the country's level of cybersecurity.

shock resistance

The ability of a country's financial sector to absorb and mitigate shocks is a key part of its ability to deal with cyber shocks in particular.In the event of a systemic cyber event, financial firms will suffer losses (see previous sections) and their ability to absorb shocks depends on the size and quality of their buffers. For example, in Chart 8 we assess the regulatory capital buffers of the banking system in various countries, expressed as a percentage of weighted assets.

Cyberriskico index system

Finally, we combine the three individual indicators presented in this section into an aggregate cyber systemic risk indicator.³⁸Using historical data, we found that countries most vulnerable to systemic cyber risk have a high level of cyber threat and a low level of resilience to economic shocks. On the other hand, countries with the lowest level of systemic cyber risk have a low level of cyber threat and a high level of resilience to economic shocks. Their commitment to cyber security and their reliance on technology are often at odds: one is a positive and the other a negative. Overall, trends have shown that society's dependence on technology is growing rapidly – ​​usually faster than the rate of growth of their involvement in cybersecurity.

Dependence on technology plays a huge role in the likelihood of a cyber incident becoming systemic.But governments have little control over a country's reliance on technology, other than using regulations to force organizations to lay off. Dependence on technology is growing globally, albeit unevenly. As dependency grows, so does the cyber threat. It is likely that the increase in cyber exposure will exceed the compensating improvement in cyber security. This highlights the importance of resilience mechanisms such as capital buffers to prevent systemic cyber threats from becoming a financial stability event.

Cybersecurity practices may need to be improved and buffers strengthened to deal with cyber shocks(Figure 9). In general, advanced economies (A) are more exposed to systemic cyber risk due to high network connectivity. However, such countries tend to have better cyber security and higher buffers (capital and liquidity) in their financial systems. And that matters a lot. For example, an emerging country (E) in Sub-Saharan Africa (SSA), referred to in the figure as E-SSA, has essentially the same cyber exposure as the two advanced economies of Western Europe, A-W.EUR. However, in terms of systemic cyber risk, E-SSA performs poorly due to weaknesses in cybersecurity practices and weak safety buffers in the financial system. The other two countries are more committed to strengthening cybersecurity, and their financial institutions are better equipped to absorb shocks. Furthermore, the level of development does not necessarily mean weaker cyber security or smaller security reserves, as seen in the case of the emerging Asian developing country, E-EA. The country's exposure to cybersecurity risk is similar to that of an E-SSA country, but the high resilience of the financial system combined with strong cybersecurity practices indicate that the E-EA has taken significant steps to strengthen its cybersecurity and financial system has excellent safety reserves. Countries highly exposed to cyber risk, such as the Group of 7 (G7) country A-W.EUR (shown on the right of the box), despite very strict cyber security practices and decent security buffers, still perform poorly, which suggests that safety buffers in the financial system should be increased if the country is to improve its assessment of systemic cyber risk.

Another aspect of depicting the Cyber ​​Systemic Risk Index is proportionality.The emerging Latin American and Caribbean country E-LAC (shown on the left side of the box) is less committed to improving cyber security and lacks significant safety nets in its financial system. Despite this, the country's systemic cyber risk score is average. In other words, compared to the cyber risks to which the country is exposed, the level of cyber security seems quite high. However, it is clear that higher buffers or better security can help improve the index score.

Ways to reduce risk

Legal, technical and organizational measures can be taken, supported by capacity building and international cooperation.³⁹Comprehensive legislation covering both substantive and procedural law can make significant progress. Legislation must also be drafted in a technology-neutral manner⁴⁰so that the rules are relatively robust to inevitable technological changes (ie the rules should not be designed to apply only to specific technologies). In addition, national legislation should be consistent and, where possible, harmonized with international law to provide the basis for cross-border cooperation. The Budapest Convention on Cybercrime has become the starting point for the legal framework for cyber security in many countries.

Organizational and institutional structures can be strengthened.Currently, most countries already have a cyber security strategy or are in the process of formulating one. This often includes the cybersecurity dimension of national security. The institutional approach has become an effective means of coordinating and implementing cybersecurity strategies.⁴¹One or more specialized agencies approve plans, programs, reports, procedures, policies and standards. Organizations then ensure proper implementation and enforcement while promoting coordination.

To successfully mitigate systemic events, strong institutions that adapt quickly to the changing landscape are important.Governments that invest in institutions and make cyber security a priority not only make their governments more resilient but also more likely to be able to respond quickly to an emerging cyber crisis before it triggers an economic crisis. Likewise, strong government financial institutions support the nation's financial stability and reduce the likelihood of a major cyber event that could jeopardize that stability.⁴²

At the national level, preventive measures combining the public and private sectors have proven useful.An example is the national level cyber exercise, where a hypothetical systemic scenario is played out with both government agencies and private sector representatives. The exercises help both to improve resilience in specific scenarios and to improve the interaction and relationships needed to deal with those scenarios. Another example is the creation of mechanisms to share information about cyber threats between public and private sector organizations that directly improve the resilience of companies, especially those with fewer resources, to ensure their own security.

Government financial institutions play a key role in providing resilience to cyber shocks.Central banks and finance ministries have several options to mitigate the impact of the shock. Central banks can credit an institution or market where a victim organization has lost significant liquidity as a result of a large-scale malware fraud or in the event of a loss of liquidity due to a massive ransomware infection. Authorities can reassure the public that they will allay fear and prevent panic. Government agencies can provide emergency liquidation and settlement measures or provide grace periods if the victim company is unable to do so due to a cyber attack. If the power of these institutions could be quantified, it would be a useful addition to this framework.

Application

Cyber ​​threats – especially their systemic nature – are poorly understood and poorly addressed. An important part is understanding systemic cyber risk exposure at the country level. To this end, we proposed a new framework for assessing a country's level of systemic cyber risk and provided an indicative indicator of what could be done if a more thorough assessment based on more reliable data was conducted.

By conducting this in-depth and thoughtful assessment of systemic cyber risk, individual organizations will be able to better understand their exposure to systemic risk and thus take action to reduce risk to an acceptable level. In addition, governments could use this methodology (or a modified version of it) to improve laws and policies, strengthen institutions, and create, implement, and test plans that improve national resilience to systemic disasters. cyber threats.

Above the writers

Lincoln Kaffenbergerworks as an information security specialist in the financial sector. He is also the co-author of a ground-breaking IMF paper on cyber risk ("Cyber ​​Risk, Market Failures and Financial Stability", 2017). He has over a decade of experience helping organizations understand the threats they face and make informed risk-based decisions.

Emanuel Koppis a senior economist at the International Monetary Fund. His research interests include macroeconomic risk, financial stability and regulation, investment and macroeconomic forecasting. Before joining the IMF, Kopp was a university lecturer in finance and a central banker.

Comments

¹International Telecommunications Union (ITU), "Global Cybersecurity Index (GCI) 2017", 2017,https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf.

²Phil Warren, Kim Kaivanto and Dan Prince, "Can a cyber attack cause systemic impact in the financial sector?", Bank of England, Quarterly Bulletin, 2018,https://www.bankofengland.co.uk/-/media/boe/files/quarely-bulletin/2018/could%20a%20cyber%20attack%20cause%20a%20systemic%20impact%20final%20web.

³Tom Bergin, “SWIFT says bank hacks will continue to rise,” Reuters, September 26, 2016,http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11W1XY.

⁴Calsoft, "Internet of Things (IoT) 2018: Market Insights, Use Cases and Trends", 2018,https://calsoftinc.com/resources/ebooks/internet-of-things-iot-2018-market-statistics-use-cases-and-trends/.

⁵IHS Markit, "IoT Trendwatch 2017", 2017,https://cdn.ihs.com/www/pdf/IoT-trend-watch-2017.pdf; el IHS Markit, "IoT Trend Watch 2018", 2018, https://cdn.ihs.com/www/pdf/IoT-Trend-Watch-eBook.pdf.

⁶While ex ante regulation can help enforce minimum standards, the extent to which software developers should be held ex post facto for damages caused by a defective product has yet to be assessed.

⁷R. Böhme, "Security metrics and Security Investment models", vAdvances in information and computer security, eds I. Echizen, N. Kunihiro, R. Sasaki, IWSEC 2010, Lecture Notes in Computer Science, Vol. 6434 (Berlin and Heidelberg: Springer, 2010).

⁸Emanuel Kopp, Lincoln Kaffenberger και Christopher Wilson, "Cyber​​Risk, Market Failures, and Financial Stability", International Monetary Fund Working Paper WP/17/185, 2017,https://www.imf.org/en/Publications/WP/Issues/2017/08/07/Cyber-Risk-Market-Failures-and-Financial-Stability-45104.

⁹Atlantic Council, "Beyond Data Breaches: Global Interconnections of Cyber ​​Risk", Zurich Insurance Group, Risk Nexus, April 2014. World Economic Forum (WEF), "Understanding Systemic Cyber ​​Risk", Global Agenda Council Risk and Resilience, Witboek, October 2016.

¹⁰Daniel Coats, "US Intelligence Community Global Threat Assessment," 2018,https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Uclassified-SSCI.pdf.

¹¹Lyu Jinghua, "A Chinese Perspective on the Pentagon's Cyber ​​Strategy: From Active Cyber ​​Defense to Forward Defense," Lawfare, 2018,https://www.lawfareblog.com/chinese-perspective-pentagons-cyber-strategy-active-cyber-defense-defending-forward.

¹²Damian Van Puyvelde, "Hybrid Warfare: Does It Exist?" NATO Review Magazine, 2015,https://www.nato.int/DOCU/review/2015/Also-in-2015/hybrid-modern-future-warfare-russia-ukraine/EN/index.htm

¹³David Barno and Nora Bensael, "The New Generation of Unlimited War"War on the Rocks, 2016,https://warontherocks.com/2016/04/a-new-generation-of-unrestricted-warfare/-.

¹⁴See TASS, "General Staff: The use of robots and space devices will be a feature of future conflicts",https://tass.ru/armiya-i-opk/5062463.

¹⁵Atlantic Council, "Beyond Data Breaches: Global Interconnections of Cyber ​​Risk", Zurich Insurance Group, Risk Nexus, April 2014. Atlantic Council, "Hypernics from Cyber ​​Risk? Economic Benefits and Costs of Alternative Cyberfutures”, Zurich Insurance Group, Risk Nexus, 2015.

¹⁶Antoine Bouveret, “Cyber ​​Risk to the Financial Sector: A Framework for Quantitative Assessment,” International Monetary Fund Working Paper WP/18/143, 2018. McAffe, “Net Losses: Estimating the Global Cost of Cybercrime,” 2014; OECD, "Cyber ​​​​Security Policymaking at Turing Point", 2012. See also Atlantic Council, "Overcome by Cyber ​​​​Risks? Economic Benefits and Costs of Alternative Cyberfutures", Zurich Insurance Group, Risk Nexus, 2015.

¹⁷World Economic Forum (WEF), “Understanding Systemic Risk in Cyberspace”, Global Risk and Resilience Agenda Council, Witboek, October 2016.

¹⁸Rada Atlantycka, «Beyond Data Breaches: Global Interconnections of Cyber​​​Risk», Zurich Insurance Group, Risk Nexus, kwiecień 2014 r.

¹⁹Emanuel Kopp, Lincoln Kaffenberger και Christopher Wilson, "Cyber​​Risk, Market Failures, and Financial Stability", International Monetary Fund Working Paper WP/17/185, 2017,https://www.imf.org/en/Publications/WP/Issues/2017/08/07/Cyber-Risk-Market-Failures-and-Financial-Stability-45104.

²⁰Office of Financial Research (OFR), "Cybersecurity and Financial Stability: Risk and Resilience", OFR Viewpoint 17-01, 2017.

²¹Columbia SIPA School of International and Public Affairs, «The Ties That Bind: A Framework to Assess the Link Between Cyber​​Risks and Financial Stability», grudzień 2018 r.

²²For an overview of CCPs, see F. Wendt, "Central Counterparties: Addressing Their Too Valid to Fail Nature", IMF Working Paper WP/15/21, 2015.

²³European and US regulators reached an agreement in 2016 linking CCPs across the Atlantic, increasing redundancies and reducing systemic risk through product standardization.

²⁴Jack Stubbs, Pavel Polityuk και Dustin Volz, "Cyber ​​Attack Sweeps World, Investigators See Link "WannaCry"," Reuters World News, 27 Ιουνίου 2017,https://www.reuters.com/article/uk-cyber-attack/cyber-attack-sweeps-globe-researchers-see-wannacry-link-idUKKBN19I1TF.

²⁵Andy Greenberg, "The Untold Story of NotPetya, the Most Devastating Cyber ​​Attack in History," Wired - Security, 22 Αυγούστου 2018,https://www.wired.com/story/notpetya-cyber-attack-ukraine-russia-code-crashed-the-world/.

²⁶Wavestone, "Cyber ​​​​– Resilience", Risk Insight, 2019, https://www.wavestone.com/app/uploads/2018/01/2019-RiskInsight-VE.pdf.

²⁷Marsh, "NotPetya Was Not a Cyber' War", Marsh and McLennan Companies, sierpień 2018 r.,http://www.mmc.com/content/dam/marsh/Documents/PDF/pl/NotPetya-Was-Not-Cyber-War-08-2018.pdf.

²⁸Jason Healey, Patricia Mosser, Katheryn Rosen i Adriana Tache, "The Future of Financial Stability and Cyber's Risk", Brookings Cybersecurity Project, The Brookings Institution, październik 2018 r.

²⁹Bank voor Internationale Betalingen (BIS), "Central Clearing: Trends and Current Issues", BIS Quarterly Review, grudzień 2015,https://www.bis.org/publ/qtrpdf/r_qt1512g.htmhighlights that the interactions between CCPs and the rest of the financial system are not yet fully understood.

³⁰Jose Pagliery, "The Story of the Greatest Hack Ever", CNN Business News, 5 Αυγούστου 2015.

³¹Zu-rich Insurance Group, "Cyber ​​​​Risk Scenario for Business: Counting the Costs of Amplifying Societal Risks", 18 Δεκεμβρίου 2017,https://www.zurich.com/en/knowledge/articles/2017/12/global-risks-2017-cyber-risks-business-scenariusz.

³²World Economic Forum (WEF), “Understanding Systemic Risk in Cyberspace”, Global Risk and Resilience Agenda Council, Witboek, October 2016.

³³This scenario was proposed in the Atlantic Council, "Beyond Data Baches: Global Interconnections of Cyber​Risk", Zurich Insurance Group, Risk Nexus, April 2014.

³⁴Robert Knake, "A Cyberattack on the U.S. Electricity Grid: Contingency Planning Memorandum No. 31," Council on Foreign Relations, 2017,https://www.cfr.org/report/cyberattack-us-power-grid.

³⁵The World Bank's FINDEX global database (retrieved 2019).

³⁶The GCI is published by the International Telecommunication Union (ITU), the information and communications technology agency of the United Nations. In the study, 134 countries responded to the questionnaire. A panel of experts then reviewed the questions and compiled an index. Countries that did not respond to the survey had the opportunity to check the ITU's own estimates of countries' commitment to strengthening cyber security.

³⁷International Telecommunications Union (ITU), "Global Cybersecurity Index (GCI) 2017", 2017, σσ.9-11,https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf.

³⁸The data in this indicative index showed that 112 countries have data for all four areas. Countries with missing data in one of the four domains were excluded.

³⁹International Telecommunications Union (ITU), "Global Cybersecurity Index (GCI) 2017", 2017,https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf.

⁴⁰International Telecommunication Union (ITU), “Understanding Cybercrime: Phenomena, Challenges and Legal Responses”, September 2012,https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/CybcrimeE.pdf.

⁴¹Group of Seven (G7), "Cybersecurity Essentials for the Financial Sector", 2016,https://www.ecb.europa.eu/paym/pol/shared/pdf/G7_Fundamental_Elements_Oct_2016.pdf; and Emanuel Kopp, Lincoln Kaffenberger, and Christopher Wilson, “Cyber ​​Risk, Market Failures, and Financial Stability,” International Monetary Fund Working Paper WP/17/185, 2017;https://www.imf.org/en/Publications/WP/Issues/2017/08/07/Cyber-Risk-Market-Failures-and-Financial-Stability-45104.

⁴²That's what happened in Chile, when the second-largest bank fell victim to a major cyberattack in which cybercriminals stole $10 million and crashed thousands of computers, disrupting banking operations for several days. The event, while important, did not cause panic in the country, largely thanks to the country's strong institutions that prevented the event from turning into a financial stability event.

⁴³United Nations, “Developments in information and telecommunications in the context of international security”, United Nations General Assembly A/70/174, 2015.

⁴⁴Carnegie Endowment for International Peace, "Cybersecurity and the Financial System", 2019,
https://carnegieendowment.org/fincyber/.

⁴⁵Microsoft, "A Genewa Digital Convention to Protect Cyberspace", 2017,https://www.microsoft.com/en-us/cybersecurity/content-hub/a-digital-geneva-convention-to-protect-cyberspace.