Editor’s Note: This article has been edited from its original version. It was originally published in its entirety in the International Monetary Fund’s Spring 2021 issue of Finance & Development magazine. Tim Maurer is the former director of the Cyber Policy Initiative and a senior fellow in the Carnegie Institute of International Peace’s Technology and International Affairs Program. Arthur Nelson is a research analyst for the Carnegie Endowment for International Peace’s Cyber Policy Initiative. The opinions expressed in this commentary are their own.
Today, the assessment that a major cyber attack poses a threat to financial stability is axiomatic— not a question of if, but when. Yet the world’s governments and companies continue to struggle to contain the threat because it remains unclear who is responsible for protecting the system.
Increasingly concerned, key voices are sounding the alarm. In February 2020, Christine Lagarde, president of the European Central Bank and former head of the International Monetary Fund, warned that a cyber attack could trigger a serious financial crisis. In April 2020, the Financial Stability Board (FSB) warned that “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.” The potential economic costs of such events can be immense and the damage to public trust and confidence significant.
Two ongoing trends exacerbate this risk. First, the global financial system is going through an unprecedented digital transformation, which is being accelerated by the Covid-19 pandemic. Banks compete with technology companies; technology companies compete with banks. Meanwhile, the pandemic has heightened demand for online financial services and made work-from-home arrangements the norm. Central banks around the globe are considering throwing their weight behind digital currencies and modernizing payment systems.
Second, malicious actors are taking advantage of this digital transformation and pose a growing threat to the global financial system, financial stability and confidence in the integrity of the system. The pandemic has even supplied fresh targets for hackers. The financial sector is experiencing the second-largest share of Covid-19-related cyber attacks, behind only the health sector, according to the Bank for International Settlements.
Who is behind the threat?
The malicious actors behind these attacks include not only increasingly daring criminals — such as the Carbanak group, which targeted financial institutions to steal more than $1 billion during 2013-2018 — but also states and state-sponsored attackers. North Korea, for example, has stolen some $2 billion from at least 38 countries in the past five years.
This is a global problem. While cyber attacks in high-income countries tend to make headlines, less attention is paid to the growing number of attacks on softer targets in low- and lower-middle-income countries. Yet it is in those countries where the push toward greater financial inclusion has been most pronounced, leading many to leapfrog to digital financial services such as mobile payment systems. Although they do advance financial inclusion, digital financial services also offer a target-rich environment for hackers.
An international strategy
To achieve more effective protection of the global financial system against cyber threats, the Carnegie Endowment for International Peace released a report in November 2020 titled “International Strategy to Better Protect the Global Financial System against Cyber Threats.”
Developed in collaboration with the World Economic Forum, the report recommends specific actions to reduce fragmentation by fostering more collaboration, both internationally and among government agencies, financial firms and tech companies. The strategy is based on four principles:
Greater clarity about roles and responsibilities is required. Only a handful of countries have built effective domestic relationships among their financial authorities, law enforcement, diplomats, other relevant government actors and industry. Existing fragmentation hampers international cooperation and weakens the international system’s collective resilience, recovery and response capabilities.
International collaboration is necessary and urgent. Given the scale of the threat and the system’s globally interdependent nature, individual governments, financial firms and tech companies cannot effectively protect against cyber threats if they work alone.
Reducing fragmentation will free up capacity to tackle the problem. Many initiatives are underway to better protect financial institutions, but they remain siloed. Some of these efforts duplicate each other, increasing transaction costs. Several of these initiatives are mature enough to be shared, better coordinated and further internationalized.
Protecting the international financial system can be a model for other sectors. The financial system is one of the few areas in which countries have a clear shared interest in cooperation, even when geopolitical tensions are high. Focusing on the financial sector provides a starting point and could pave the way to better protection of other sectors in the future.
Among actions for strengthening cyber resilience, the report recommends that the FSB develop a basic framework for supervising cyber risk management at financial institutions. Governments and industry should strengthen security by sharing information on threats and by creating financial computer emergency response teams (CERTs), modeled on Israel’s FinCERT.
Financial authorities should also prioritize increasing the financial sector’s resilience against attacks targeting data and algorithms. This should include secure, encrypted data vaulting that allows members to securely back up customer account data overnight. Regular exercises to simulate cyber attacks should be employed to identify weaknesses and develop action plans.
To reinforce international norms, the report recommends that governments make clear how they will apply international law to cyberspace and strengthen norms to protect the integrity of the financial system. Responses can include sanctions, arrests and asset seizures.
Governments can support these efforts by establishing entities to assist in assessing threats and coordinating responses. Intelligence gathering should include a focus on threats to the financial system, and governments should share such intelligence with allies and like-minded countries.
The comprehensive strategy outlined in the Carnegie report depends in turn on building the cybersecurity workforce, expanding the financial sector’s cybersecurity capacity and safeguarding gains in financial inclusion that have resulted from the digital transformation.
Elevated unemployment due to the pandemic provides an important opportunity for training and hiring talented people to strengthen the cybersecurity workforce. Financial services firms should invest in initiatives to build the talent pipeline, including high school, apprenticeship and university programs.
Building cybersecurity capacity also means focusing on providing assistance where it is needed. The IMF and other international organizations have received many requests for cybersecurity assistance from member states. G20 governments and central banks could create an international mechanism to build cybersecurity capacity for the financial sector, with an international agency such as the IMF designated to coordinate the effort. The Organisation for Economic Co-operation and Development and international financial institutions should make cybersecurity capacity-building an element of development assistance packages and should significantly increase assistance to countries in need.
Finally, maintaining progress in financial inclusion requires strengthening cybersecurity. This is particularly urgent in Africa, with many countries on the continent experiencing a significant transformation of their financial sectors as they extend financial inclusion and move to digital financial services. A network of experts should be created to focus specifically on cybersecurity in Africa.
The time has come for the international community — including governments, central banks, supervisors, industry and other relevant stakeholders — to come together to address this urgent and important challenge. A well-thought-out strategy, such as the one above, provides a blueprint for turning words into action.