Information and cyber-security risks have increased during the pandemic, and the financial sector has reportedly been hit “relatively more often” by cyber-attacks than most other sectors. As just one example, data on attacks has highlighted a strong link between the prevalence of working-from-home arrangements and the incidence of cyber-attacks between the end of February and June 2020. Payment firms, insurers and credit unions are seen to have been “especially affected”.
In January 2021, the Bank for International Settlements (BIS) published a bulletin which served as a primer on cyber risk and presented initial findings on how the financial sector was meeting the challenges created by the pandemic. The bulletin also drew on new data to assess changes in the threat landscape for financial institutions brought about by the pandemic. Cyber-attacks during the pandemic have not yet led to significant disruptions or a systemic impact, but they carry substantial risks for financial institutions, their staff and their customers.
New opportunities for cyber-attacks
The financial sector was already a prime target for cyber-attacks before the pandemic. The BIS bulletin reiterated the concerns set out in December 2020 by the International Monetary Fund (IMF) that the number of cyber-attacks has tripled in the last decade, with financial services the most affected industry. Attackers now have access to cheaper, simpler and more powerful hacking tools, and the widespread availability of mobile banking services expands the opportunities for cyber-attacks.
The financial system is also highly interconnected, through shared payment, clearing and settlement infrastructure and common third-party service providers. This interconnectedness could mean that a successful attack on a major financial institution, or on a core system or service used by many, spreads to the entire financial system, with potential consequences in terms of business continuity, reputation and, under extreme scenarios, liquidity and financial stability.
Another factor in play is cyber-enabled financial crime. A December 2020 update from the Financial Action Task Force (FATF) considered changes in behaviour as a result of the pandemic — whether the behaviour of individuals, companies or governments — which have in turn presented criminals with new, mainly cyber, opportunities to commit crimes and launder the proceeds.
As the world begins to emerge from the pandemic, information and cyber security need to remain a regular focus for boards. This need was underlined by the May 2021 ransomware attack on Colonial Pipeline in the United States, which was reported as having started with a single compromised password for a VPN account that was not protected by multi-factor authentication.
All companies are vulnerable to attack online. Operational resilience and good customer outcomes — both of which are board-level concerns for financial services firms — will be under threat in the event of a failure of cyber hygiene.
The challenges posed by cyber-attacks are worldwide. In an April 2021 Reuters Newsmaker, Christine Lagarde, president of the European Central Bank (ECB), said that the greatest economic threat is that of cyber, a point which was echoed by Wayne Byres, chair of the Australian Prudential Regulation Authority (APRA), in a speech to the Committee for the Economic Development of Australia.
“Of the three areas I’ve covered, cyber presents arguably the most difficult prudential threat: unlike GCRA [governance, culture, remuneration and accountability] or climate risk, it’s driven by malicious and adaptive adversaries who are intent on causing damage. Cyclones and bushfires can be devastating, but they’re not doing it on purpose,” Byres said.
As part of the continuing regulatory response, in October 2021, the European Insurance and Occupational Pensions Authority (EIOPA) published an update on cyber risks and their impact on the insurance industry, noting that cyber risks are considered a top risk for the financial sector and for the economy as a whole. Specifically, “the type of ICT risks to which the undertakings are exposed have not changed in the past years; however, the frequency of incidents and the magnitude of their impact on financial entities has increased”, the update said. This issue was also highlighted in the European supervisory authorities’ joint report on risks and vulnerabilities in the EU financial system.
Also in October 2021, the German Federal Financial Supervisory Authority (BaFin) published a new version of the “BAIT”, the supervisory requirements for IT in financial institutions (note that the underlying source document is only available in German), in which BaFin sets out the overall conditions it now expects for secure information processing and information technology. BaFin did not impose any fundamentally new requirements, but rather clarified existing ones.
Even though there were no fundamental changes, some parts of the BAIT were expanded and adapted. In the new “operational information security” chapter, for example, BaFin has set out requirements for testing the effectiveness of the controls that implement information security measures, including gap analysis, vulnerability scans, penetration tests and simulated attacks, all of which are seen as essential elements of any effective, sustainable information security management system. The practical consequence is that a firm needs evidence that its controls work, not only documentation that they exist.
BaFin is also placing responsibility for cyber and information security with boards, by widening the requirements from simply “IT security” to “information security”. IT security is traditionally limited to the field of information technology, whereas information security aims to protect relevant information, regardless of the form it takes. Information security therefore encompasses everything related to information processing.
In the context of information security and information risk management, it is now spelled out more clearly that the business processes concerned must take effect across the entire organisation, and that it is not enough to provide adequate resources to IT operations and application development alone.
Given the complexity of cyber threats, the BAIT now expressly emphasises how important it is for firms to keep themselves informed about external and internal threats and vulnerabilities, and to notify the management board about the risk analysis and changes in the risk situation.
Guidance, toolkits and upskilling
There are numerous resources and sources of information on cyber and information security risk for firms and their boards. One of the most comprehensive is the UK’s National Cyber Security Centre (NCSC), which has developed specific cyber security guidance for boards and a practical toolkit. As part of the toolkit, the NCSC suggests that a board asks itself four questions which could form part of a regular agenda item:
- Do we understand how cyber security impacts upon our individual and collective responsibilities?
- How do we assure ourselves that the organisation’s approach to cyber security is effective?
- Who currently has responsibility for cyber security?
- Do we have a process that ensures cyber risk is integrated with business risk?
Information and cyber security have always been very real regulatory risks, but the pandemic and the associated digital transformation have amplified that risk. Firms and their boards need to identify, manage and, whenever feasible, mitigate cyber and information security risks. Specifically, boards must ensure that information security and cyber risks are expressly included in the range of risks considered, and that they are capable of discussing the actions needed to embed cyber resilience throughout the firm. Firms may need to invest in specific technological skills to ensure they can meet the growing regulatory expectations.