Financial stability does not solely depend on the financial soundness of financial institutions. It also rests upon operational risk management and notably on cyber resilience. Indeed, the specific features of the financial sector make it an attractive target for cyber criminals: a heavy dependence on IT, a broad interconnectedness of players, and a wide attack surface with large amounts of money and valuable data or assets at stake. A successful cyber-attack may therefore have large impacts, such as heavy financial losses, negative reputational effects and severe disruptions of markets.
A cyber-attack is no longer a potential risk but an actual threat. This has significantly changed the paradigm for addressing operational risk.
First, what seems invulnerable now might not stay so. The multiplicity of threats dramatically increases the number of potential scenarios to consider. A system is only as secure as its weakest link. Therefore, identifying assets, threats and vulnerabilities requires enlarging the scope of analysis to include aspects that had thus far not been considered critical.
Achieving strong cyber security requires adapting the protection of data and information systems with regard to their integrity, confidentiality and availability, and adapting response measures, including contingency plans. However, the specificity of cyber threats means that back-up sites alone may not be sufficient. Indeed, if contagion affects data, resuming operations without simply spreading the contagion to other market players may raise complex issues.
An adequate response to cyber risk is not only of a technical nature but implies a governance framework able to protect critical information and recover accurate data in the event of an attack.
Aware of the stakes of cyber security, public authorities have engaged in substantive work to promote and improve cyber resilience across the financial sector. At the international level, two major initiatives are the recent publication of the consultative CPMI / IOSCO report "Guidance on cyber resilience for financial market infrastructures" and the setting up by the G7 of an expert group in the financial area.
An adequate response to cyber threats should notably promote the role of governance and cyber risk culture within organizations. A dedicated framework to manage cyber risks should foster the essential situational awareness underlying the implementation of protection mechanisms, speed up the detection of breaches and intrusions and therefore the reaction, including escalation processes to counter the attack, limit its impacts and help recover accurate data under good (manageable and adequate) conditions.
While cyber resilience calls for constant improvement, adopting good practices at the process and software design stage is crucial. Like some climate-related risks, cyber risks are by nature unforeseeable and difficult to identify, quantify and model. Only regular and comprehensive training, penetration testing, so-called "red team" set-ups and exercises, and staff education can bring the necessary agility to early detection and ad hoc crisis management.
Lastly, information sharing among the various stakeholders, including financial institutions and market infrastructures, financial supervisors and national security agencies, is of utmost importance to avoid contagion phenomena and facilitate global resilience.