By Gyan Pathak
Cyber risk has emerged as a key threat to financial stability around the world. The recent trend of attacks on financial institutions indicates that aggregate losses for the financial sector across a variety of scenarios may be ranging from 10 to 30 per cent of the net income.
It is the gist of the analysis done in an IMF working paper titled “Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment” by Antoine Bouveret. The paper analyzed the different types of cyber incidents like data breaches, fraud, and business disruption etc.
The share of cyber attacks by countries shows that India is the fifth most seriously affected country in the world which shares around 3 per cent of cyber attacks on its financial institutions. The highest number of attacks (around 39 per cent) was reported from the United States. The second most vulnerable country was UK, but much less than the US. Only around 7 per cent of attacks were reported from that country. The share of attacks on the financial institutions of Russia is around 6 per cent.
Among financial institutions, banks account for the bulk of the attacks (91 per cent), followed by insurance companies (7 per cent). Among banks, retail banking activities (39 per cent of the total) and credit cards services (25 per cent) were the main business lines targeted.
The International Telecommunication Unit (ITU)— an agency of the United Nations— provides a global cyber security index for the world. Their index (2017) shows the cross-country heterogeneity regarding cyber security, with most Advanced Economies and Emerging Markets having a high value of the cyber security index (above the median), while middle income and low-income countries tend to have lower values. India figures in the index among the countries with highest level of vulnerabilities.
Since there is no quantitative measure of cyber risk by country for the financial sector, the working paper has built an indirect measure using media coverage. An index is computed using the number of articles published between January 2014 and September 2017 referring to cyber risk by country, divided by the number of articles referring to risk in the financial sector. Almost all countries are covered. The index is highest in countries that recently suffered from cyber-attacks such as Bangladesh and the Baltic states having risk factor of above 5 per cent. The risk calculated for India ranges in between 1 to 2 per cent.
ORX News data on cyber events is the main source used in this paper. The data cover 341 cyber risk events that impacted financial institutions and reported over 2009-2017. Around one-third of the events provide loss data which amounts to USD 6.5 billion. Based on the limited dataset, advanced economies are the main targets of cyber-attacks but emerging and developing economies are also exposed to cyber risk. Five advanced economies account for 80 percent of successful attacks, mainly in the U.S. (39 per cent) and UK (7 per cent). Among emerging economies, the BRICS account for most of the attacks (17 per cent), mainly in Russia (6 per cent), China (4 per cent) and India (3 per cent). India has been classified among most vulnerable countries on the basis of number of attacks. Overall, financial institutions in more than 50 countries have been victims of cyber-attacks over the last few years, according to reports in the public media. The paper also mentions under reporting of cyber attack incidents.
Central banks in advanced and emerging economies have also been the victims of cyber-attacks. In advanced economies, attacks were either data breaches (U.S., Italy) or business disruptions (Norway, Sweden), while in emerging economies, most attacks were related to fraud, resulting in losses of USD 117 million.
Among cyber-attacks, fraud and data breaches are more prevalent, yet business disruption is also significant. In the ORX News dataset, fraud accounts for 43 percent of events, data breaches 34 percent and disruption 23 percent. While business disruptions are known immediately, the other types of cyber-attacks can take place for months or years before being noticed and reported, which could lead to a downward bias in the dataset.
Business disruption is associated with DDoS attacks, which typically impact the website of the target— when a very large number of requests are sent to the targeted servers, overloading the system and making it unable to operate. Data breaches are linked with credit card information, and fraud is associated with money transfers, and a loss amount — since around 80 percent of the events with loss data are cyber-related fraud.
Financial institutions are particularly exposed due to their reliance on critical infrastructures and their dependence on highly interconnected networks. A business disruption of a financial market infrastructure or a set of large financial institutions could have a significant impact due to risk concentration and the lack of substitutes in the case of Financial Market Infrastructures (FMIs). The disruption of material infrastructures such as power grids and IT infrastructures (Cloud providers or operating systems) could also have a large macroeconomic impact. Recent studies estimate that a disruption of part of the U.S power grid could lead to up to USD 1 trillion in losses and a disruption of IT infrastructures up to USD 53 billion. Lloyd’s 2018 report estimates that a disruption of the top cloud provider in the U.S. for 3 to 6 days could lead to losses of around USD 24 billion, with most losses occurring in the manufacturing and trade sectors, while losses for the financial sector would be limited to USD 450 million.
Cyber-attacks can also be used to undermine customers’ confidence in an institution, and can target multiple financial institutions to disrupt the financial sector. Several countries have been exposed to coordinated cyber-attacks on the banking sector using DDoS. Cyber criminals are increasingly indulging in frauds using SWIFT and other methods, such as committed on Union Bank of India in July 2016 with initial loss of USD 171 million, and City Union Bank (India) in January 2018 with initial loss of USD 2 million.
The increased level of sophistication of cyber criminals, along with the decline in the cost of launching cyber-attacks, makes institutions with legacy systems all the more vulnerable.