Making finance cybersecure to ensure an inclusive recovery

When did you last pay for your coffee with cash instead of contactless? Have you stepped into a bank branch in the past six months or, like many, done all your banking while sitting at your laptop? The coronavirus pandemic has changed our habits, perhaps permanently, and accelerated digital transformation across the global financial system.

Payments are going cashless, most of our banking has moved online, a revolution in FinTech has multiplied the number of finance companies we interact with, even cross-border trade finance is increasingly digitized through blockchain platforms like Contour.

This digital dividend of the COVID pandemic is fragile. A cyber incident could easily undermine trust and derail socially valuable innovations, making cybersecurity more essential than ever.

In April 2020, the Financial Stability Board (FSB) cautioned that “cyber incidents pose a threat to the stability of the global financial system.” It said: “In recent years, there have been a number of major cyber incidents that have significantly impacted financial institutions and the ecosystems in which they operate. A major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”

In June 2020, the Forum’s Platform for Cybersecurity and Digital Trust raised the prospect of a cyber pandemic, as an inevitability for which the world should prepare. In scale and the potential to disrupt economies, the coronavirus pandemic has real similarities to mass uncontrolled cyber incidents like the 2017 WannaCry ransomware attack. This spread quickly and uncontrollably to impact banks, telecom providers and healthcare providers, causing medical procedures to be cancelled and reportedly ambulances to be rerouted while trying to deliver patients to hospitals.

The world’s financial system is uniquely vulnerable to cyber attacks. It’s obvious that financial services firms are where the money is kept, but they are also a key part of the critical infrastructure that keeps economies and our lives moving. The financial system is a prime target for cybercriminals motivated by profit. Increasingly, national financial systems are viewed as a legitimate target for attacks between adversarial states.

This is a global problem. Malign actors are targeting not only financial institutions in North America, Europe, and other high-income countries; many are also hitting less protected soft targets in low and lower-middle income countries.

Although fintech is a buzzword worldwide, the trend toward digital financial services has been particularly pronounced in low and lower-middle income countries, where providing access to financial services to the unbanked is a top priority. The past decade’s push toward greater financial inclusion, driven by a massive G20 investment, has led many countries to leapfrog to digital financial services. Although they do advance financial inclusion, digital services also offer a target-rich environment for malicious hackers and present new money laundering risks, providing fertile ground for the full range of transnational criminal activity.

The cost of protecting organisations from cyber attacks is high and responses are fragmented across borders and industry sub-sectors. The threat posed by cyber attackers, whatever their origin, creates shared risks across the financial system and must be managed collaboratively between public bodies and the private sector.

Protecting us from cyber attacks: whose job is it anyway?

"There is a critical need to reduce fragmentation and improve collaboration on cybersecurity across government organizations, including national security, law enforcement and regulatory bodies, as well as with industry, academia and NGOs. As cybersecurity risk continues to intensify, we cannot take our foot off the pedal when it comes to improving and sustaining cyber resiliency. I look forward to continuing this important work to implement the recommendations of the International Strategy to Better Protect the Global Financial System from Cyber Threats."

– Cheri F. McGuire, Non-resident Scholar, Carnegie Endowment for International Peace and Former Group Chief Information Security Officer at Standard Chartered PLC

The ‘International Strategy to Better Protect the Global Financial System from Cyber Threats’ is a first of its kind framework and road map looking holistically at the protection of the global financial system across the following strategic priority areas:

1. Strategic imperative

Clarify roles and responsibilities and create more connective tissue among the various silos and relevant stakeholders.

2. Core recommendations

Cyber resilience: Strengthen operational cyber resilience and collective defence to shield the financial sector against cyber threats.

International norms: Reinforce international norms relevant to the financial sector at the United Nations and through other relevant processes to clarify what is considered inappropriate behaviour – that is, when malicious activity has crossed a line – and hold actors accountable for violations to avoid norms being eroded by impunity.

Collective response: Facilitate collective response to disrupt malicious actors and more effectively deter future attacks against financial institutions.

Enhanced collective intelligence sharing brings particular value in this area. Brett Lancaster, Head of the Customer Security Programme at SWIFT, an organization that forms the backbone infrastucture for global banking payments, says: “Relevant and timely intelligence is crucial for organizations to protect themselves against attacks from cybercriminals. This information helps in the fight against threat actors every day and is a true testament to the strength of community collaboration – identifying new tactics, sharing information, building new defences in real-time to fortify the financial services industry.”

3. Supporting actions

Cybersecurity workforce: Build the cybersecurity workforce required to turn ambitions into actions by assessing and expanding effective models for addressing workforce challenges including limited pipelines and a lack of diversity.

Capacity building: Align and expand capacity-building efforts across all three core pillars for financial institutions seeking assistance.

Digital transformation/financial inclusion: Safeguard financial inclusion and the G20’s achievements of the past decade in this area.

Despite the global financial system’s increasing reliance on digital infrastructure, it is unclear who is responsible for protecting the system against cyber attacks.

Central banks have responded by beefing up cross-industry and cross-border collaboration to identify risks. The Bank of England’s CBEST intelligence-led testing framework and the European Union’s Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework are two examples showing that cyber risk can be identified and mitigated when the public and private sectors work together for mutual protection.

The financial services sector has joined together to ease implementation of effective cybersecurity controls, through the Cyber Risk Institute’s Financial Service Cybersecurity Profile. Industry alliances such as Cyber Defence Alliance, the Cyber Threat Alliance, the World Economic Forum’s Partnership Against Cybercrime and FS-ISAC aim to enhance collaboration to counter cyber threats, as well as to enhance public-private collaboration that raises the costs to cyber criminals.

Existing initiatives are holding the system together but responsibility for national cybersecurity is often spread across a kaleidoscope of public agencies. Industry-led initiatives also remain fragmented. This creates gaps through which cyber attackers can and do squeeze.

A networked response to a network threat

The disconnect between the financial, national security, and diplomatic communities is particularly pronounced. The continued uncertainty about roles and mandates to protect the global financial system creates a responsibility gap that fuels risks and increases the potential real world damage from cyber attacks on the financial system. Part of this uncertainty is due to the current geopolitical climate and high levels of mistrust, which hinder collaboration among the international community.

Better protecting the global financial system requires international collaboration and creative thinking. To achieve more effective protection of the global financial system against cyber threats, this report released on 18 November, “International Strategy to Better Protect the Global Financial System Against Cyber Threats,” makes recommendations with supporting actions to be implemented in the 2021–2024 timeframe.

This report is based on consultations with more than 200 key stakeholders in government, the central bank and financial supervisory community, industry, and other relevant organizations. It also incorporates insights gained through a cyber war game convened by the Carnegie Endowment for International Peace at the 2020 Munich Security Conference simulating a cyber attack against the financial system, and a high-level roundtable co-hosted with the IMF for central bank governors focusing on cybersecurity and the financial system.

Action is needed now and this blueprint provides a route to clarity about roles and responsibilities to protect the financial system; steps to facilitate international collaboration; and recommendations to reduce the fragmentation of initiatives, so that capacity can be freed up to tackle the risk from cyber attacks.

If we are to ensure an equitable and inclusive economic recovery in 2021, then protecting the global financial system against cyber attacks matters. Collaboration here can be a model for other critical sectors such as healthcare and critical national infrastructure.