Stronger regulation and preventive measures needed to counter cyber attacks, IMF says

Fighting cyber crime must be a shared undertaking across and inside countries, says new report

Stronger regulation and policy intervention are needed to guard against under-investment in cyber security by financial institutions and prevent online attacks, the International Monetary Fund says.

"An increase in the incidence of attacks, rising losses and the recognition of the potential for serious disruption to the functioning of the financial system has elevated cyber risk from a concern of IT departments to a central risk management issue for all financial institutions and a risk to system-wide stability," the IMF said in a report released today.

With an increasing reliance on online financial services, the number of cyber attacks has tripled over the past decade and financial services continue to be the most targeted, officials said.

A recent Accenture study puts the average yearly cost of cyber crimes against larger organisations at $13 million, a 72 per cent increase over five years.

“The ability of attackers to undermine, disrupt and disable information and communication technology systems used by financial institutions is a threat to financial stability,” the IMF said.

Hacking tools are now cheaper, simpler and more powerful, allowing lower-skilled hackers to do more damage at a fraction of the previous cost.

The low risk of prosecution and expansion of mobile-based services have increased hacking activity globally.

And many national financial systems are not yet ready to manage cyber attacks, while international co-ordination is still weak.

The Washington-based lender said fighting cyber crime must be a shared undertaking across countries.

“The digitalisation of the financial sector has led to an even greater emphasis on cyber risk, which is now a priority for private financial institutions,” IMF staff said in a blog post.

“Chief executives often cite this risk as among their top three concerns.

“Crucially, although financial institutions have clear incentives to invest in protection, [without] regulation and public policy intervention they will tend to underinvest.”

The IMF recommended six strategies to strengthen cyber security and improve financial stability worldwide.

The first is cyber mapping, which highlights key financial and technological connections between financial institutions and third-party technology and service providers.

This will provide a reference for supervisors to identify key vulnerabilities.

The lender also called for more internationally consistent regulations and supervision to reduce compliance costs and build a platform for stronger cross-border co-operation.

Highlighting the need for better response mechanisms to cyber attacks, it said “response and recovery strategies are still incipient, particularly in low-income countries, which need support in developing them”.

Barriers remain to sharing data, stemming from national security concerns and data protection laws, while financial institutions may also fear reputational risk from a cyber attack and be reluctant to share information on such incidents.

The fund called for greater information-sharing on threats, attacks and responses between the private and the public sectors.

“A globally agreed template for information, increased use of common information sharing platforms and expansion of trusted networks could all reduce barriers to sharing,” the IMF said in the blog post.

Calling for stronger deterrence, the fund said international efforts must be stepped up to prevent, disrupt and deter attackers to reduce the threat at its source.

Cyber attacks should become more expensive and riskier through effective measures to confiscate crime proceeds and prosecute criminals, the IMF said.

It said developing and emerging economies should build cybersecurity capacity to strengthen financial stability.

“Capacity development in developing economies must be a priority for international financial institutions and other providers,” it said.

To prepare better, financial institutions should perform stress tests, which can determine cyber risk and produce quantitative estimates of potential losses, the IMF said.

“Addressing all these gaps will require a collaborative effort from standard-setting bodies, national regulators, supervisors, industry associations, private sector, law enforcement, international organisations, and other capacity development providers and donors,” the IMF said.

Long cuts and compromised data integrity could lead to a loss of confidence in financial institutions, it said.

If a widespread attack paralyses critical operations for an extended period, it may eventually lead customers and market participants to lose confidence in the financial system, making them reluctant to extend liquidity or credit, according to the IMF.

The loss of a key service, without easy substitution by other service providers, is another channel through which cyber attacks can affect financial stability.

Interconnectedness, within the financial system and across technology, also increases the financial stability risk arising from cyberattacks, the IMF said.
