How can companies manage the increase in cyberthreats?

Mar 8, 2023

This article was originally published by the International Monetary Fund.

Many countries haven’t introduced cybersecurity regulations, the IMF says. Image: Unsplash/Philipp Katzenberger

Tobias Adrian

Senior Vice President, Federal Reserve Bank of New York

Caio Ferreira

Deputy Division Chief, Financial Supervision and Regulation Division of the Monetary and Capital Markets Department, IMF

Our Impact

What's the World Economic Forum doing to accelerate action on Cybersecurity?

The Big Picture

Explore and monitor how Cybersecurity is affecting economies, industries and global issues

A hand holding a looking glass by a lake

Crowdsource Innovation

Get involved with our crowdsourced digital platform to deliver impact at scale

Stay up to date:

Cybersecurity

More than half of central banks or supervisory authorities do not have a national cyber strategy for the financial sector, according to a recent IMF survey.
An escalation of geopolitical tensions has intensified cyberattacks, and greater vulnerabilities are to be expected in an increasingly digitalized world.
The IMF says financial institutions and regulators can prepare for heightened cyber threats by prioritizing 5 things, which are outlined in this article.

Cyber attackers continue to target the financial sector. What will happen when an attack takes down a bank or other critical platform, locking users out of their accounts?

Tight financial and technological interconnections within the financial sector can facilitate the quick spread of attacks through the entire system, potentially causing widespread disruption and loss of confidence. Cybersecurity is a clear a threat to financial stability.

Among emerging market and developing economies, most financial supervisors haven’t introduced cybersecurity regulations or built resources to enforce them, according to a recent IMF survey of 51 countries.

We also found:

56 percent of the central banks or supervisory authorities do not have a national cyber strategy for the financial sector.
42 percent lack a dedicated cybersecurity or technology risk-management regulation, and 68 percent lack a specialized risk unit as part of their supervision department.
64 percent do not mandate testing and exercising cyber security measures or provide further guidance.
54 percent lack a dedicated cyber incident reporting regime.
48 percent do not have cybercrime regulations.

Meanwhile, a Bank for International Settlements assessment of 29 jurisdictions identified shortcomings in the oversight of financial markets infrastructures.

More than half of central banks surveyed do not have a cyber strategy for the financial sector. Image: IMF

There are, however, defenses against these risks, including preparation and concerted regulatory action, as we discussed at our recent global cybersecurity workshop in Washington. It won’t be easy though, and comprehensive and collective responses are urgently needed.

Discover

How is the Forum tackling global cybersecurity challenges?

The World Economic Forum's Centre for Cybersecurity at the forefront of addressing global cybersecurity challenges and making the digital world safer for everyone.

Our goal is to enable secure and resilient digital and technological advancements for both individuals and organizations. As an independent and impartial platform, the Centre brings together a diverse range of experts from public and private sectors. We focus on elevating cybersecurity as a key strategic priority and drive collaborative initiatives worldwide to respond effectively to the most pressing security threats in the digital realm.

Learn more about our impact:

Cybersecurity training: In collaboration with Salesforce, Fortinet and the Global Cyber Alliance, we are providing free training to the next generation of cybersecurity experts. To date, we have trained more than 122,000 people worldwide.
Cyber resilience: Working with more than 170 partners, our centre is playing a pivotal role in enhancing cyber resilience across multiple industries: oil and gas, electricity, manufacturing and aviation.

Want to know more about our centre’s impact or get involved? Contact us.

Proliferating threats

Just as rapid technological advances offer attackers tools that are cheaper and easier to use, so too do the changes give financial institutions greater ability to thwart them.

Even so, greater vulnerabilities are to be expected in an increasingly digitalized world. Targets proliferate as more systems and devices are connected. Fintech firms that rely heavily on new digital technologies can make the financial industry more efficient and inclusive, but also more vulnerable to cyber risks.

The escalation of geopolitical tensions has also intensified cyberattacks. Perpetrators and their motivation are often obscure, and the risks are not limited to regions of conflict. History shows that spill-over of disruptive malware can cause global damage. For instance, the NotPetya malware attack that first swamped the IT systems of Ukrainian organizations in 2017 quickly spread to several other countries and caused damages estimated at more than $10 billion.

Finally, reliance on common service providers means attacks have a higher probability of having systemic implications. The concentration of risks for commonly used services, including cloud computing, managed security services, and network operators, could impact entire sectors. Losses can be high and become macro critical.

While financial firms and regulators are becoming more aware of, and prepared for, attacks, gaps in the prudential framework remain substantial.

Neutralizing the threat

Financial institutions and regulators must prepare for heightened cyber threats and potential successful breaches by prioritizing five things:

Central banks, regulators, and financial firms must develop a cybersecurity strategy. Cyber risk is a multi-dimensional issue that requires sound security within authorities; robust oversight through regulation and supervision; collective action within the market; and efforts to build capacity and expertise.
Financial regulators and firms need to shift their focus from classic business continuity and disaster recovery planning, to delivering critical services even when attacks disrupt normal operations.Resilience requires buy-in from the top leaders of companies and financial regulators and their board members. Firms need to prepare for severe but plausible incidents that can have a systemic impact. Supervisors should require the industry to consider such adverse scenarios and test their contingency plans both individually and collectively.
Financial supervisors need to ensure that cyber regulation and supervision can effectively promote resilience. There is no one-size-fits-all approach, but many elements are common. An effective supervisory approach balances onsite and offsite activities, performed by a mix of security experts and generalist supervisors, who enforce regulation in a proportional manner.
Financial firms must strengthen cyber “hygiene,” secure-by-design systems, and response and recovery strategies. While many of today’s attacks are increasingly sophisticated and rely on social engineering to get a victim to provide sensitive information, most successful attacks are the result of routine lapses—such as failing to deploy patch updates or make the correct security configurations. In this context, habitual practices for ensuring the safe handling of critical data and for securing networks makes all the difference.
The international community must harmonize cyber incident reporting and effective information sharing to ensure authorities around the world can manage incidents effectively. The model for incident reporting and the common lexicon being developed by the Financial Stability Board are important steps forward.

Cross-jurisdictional risk

The strength of cyber defenses depends on the weakest link. With growing interconnections across the world, curbing risk requires an international effort. For its part, the IMF continues to help financial supervisors through capacity development initiatives aimed at designing and implementing international standards and best practices as an urgent priority.

Have you read?

Cybersecurity: Why we need to shift the narrative to build a cyber-ready workforce

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.