Cyber attack could cost bank half of its profits, warns IMF

Cyber risk has emerged as a significant threat to the financial system, according to a new report from the International Monetary Fund (IMF).

Although hardly a day goes by without another report warning of the dangers of cyber attacks, a new IMF modelling exercise has estimated that financial institutions’ average annual losses from cyber-attacks could reach “a few hundred billion dollars a year”, eroding their profits and threatening financial stability.

In the worst-case scenario modelled by staff at the institution, losses could reach as high as 50 percent of a bank’s net income.

Real-world problems

While no large-scale attacks against a bank’s daily operations have been successful to date – as far as we know – recent cases show that the threat is real, according to the IMF.

Successful hacks of numerous organisations, from LinkedIn and Adobe to Dixons Carphone, have resulted in large-scale breaches of confidential data. Fraud and theft are rife too, including in the supposed alternative financial system – the recent theft of $500 million from the Coincheck cryptocurrency exchange being just one example.

Last week, South Korean crypto exchange Bithumb was also hacked, with attackers reportedly looting about 35 billion won ($32 million).

There is also a risk that a targeted institution could be left unable to operate by a massive or sophisticated attack, added the IMF.

Financial sector vulnerability

The scale of technology challenges facing banks should not be underestimated. A number of financial services companies have recently been impacted by internal technology problems. For example, a fault left many Visa chip-and-PIN card users experiencing difficulties paying for items earlier this month, while in April, an internal IT meltdown at TSB prevented many customers from accessing their accounts for a week, after a failed back-end system migration.

An external attack on financial systems could cause equal or greater problems, which would not only include financial losses, but also damaged trust and reputation.

According to the IMF, the financial sector is particularly vulnerable to cyber attacks, because of its crucial role in intermediating funds. Meanwhile, many banks still use older systems that might not be resilient to cyber attacks, some of which could spread throughout the interconnected financial network.

Despite this, quantitative analysis of cyber risk is still at an early stage in financial services, said the IMF, due to the lack of data on the actual cost of attacks, and the difficulties of modelling cyber risk.

New model banking

The IMF’s new modelling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses. It requires an assessment of the frequency of cyber attacks on financial institutions and an idea of the distribution of losses from these events, said the organisation. Numerical simulations can then be used to estimate the distribution of aggregate cyber attack losses.

“We illustrate our framework using a data set covering recent losses due to cyber attacks in 50 countries,” said the IMF. “This provides an example of how potential losses for financial institutions could be estimated.

“The exercise is difficult, and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has yet been no successful, large-scale cyber attack on the financial system.

“Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to nine percent of banks’ net income globally, or around $100 billion.

“In a severe scenario – in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion – losses could be two-and-a-half to three-and-a-half times as high as this, or $270 billion to $350 billion.”

The framework can also be used to examine extreme risk scenarios involving massive attacks, said the IMF, which warned, “The distribution of the data we have collected suggests that in such scenarios – representing the worst five percent of cases – average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.”
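The frequency-and-severity simulation described above can be sketched in a few lines. This is an added example, not the IMF's model or code: the Poisson event frequency, the lognormal loss severity and every parameter value are assumptions chosen for illustration. It reports the mean annual loss, the average of the worst five percent of simulated years, and a scenario with doubled attack frequency.

```python
import math
import random
import statistics

def poisson(rng, lam):
    """Knuth's method: number of loss events in one year (suitable for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(freq, mu, sigma, years=20000, seed=1):
    """Aggregate loss per simulated year: N lognormal severities, N ~ Poisson(freq)."""
    rng = random.Random(seed)
    return [
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, freq)))
        for _ in range(years)
    ]

def summarize(losses, tail=0.05):
    """Mean annual loss and the average over the worst `tail` share of years."""
    ordered = sorted(losses)
    worst = ordered[int(len(ordered) * (1 - tail)):]
    return {"mean": statistics.fmean(ordered), "tail_mean": statistics.fmean(worst)}

# Constructed parameters for illustration only, not IMF estimates.
BASE_FREQ = 3.0        # assumed expected loss events per year
MU, SIGMA = 0.0, 1.0   # assumed lognormal severity, arbitrary currency units

baseline = summarize(simulate_annual_losses(BASE_FREQ, MU, SIGMA))
# Severe scenario: attack frequency twice as high as the baseline.
severe = summarize(simulate_annual_losses(2 * BASE_FREQ, MU, SIGMA))

if __name__ == "__main__":
    for name, result in (("baseline", baseline), ("severe", severe)):
        print(f"{name}: mean={result['mean']:.2f} "
              f"worst-5%-mean={result['tail_mean']:.2f}")
```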

A knock-on problem is that these estimated losses are several orders of magnitude greater than the current size of the cyber insurance market, explained the IMF, with most financial institutions not having such insurance policies in place.

The way ahead

So what can be done about these problems?

There is considerable scope to improve risk assessments – and GDPR will help, according to the IMF. “Government collection of more granular, consistent, and complete data on the frequency and impact of cyber attacks would help assess risk for the financial sector,” it said.

“Requirements to report breaches – such as those considered under the EU’s General Data Protection Regulation – should improve knowledge of cyber attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber attacks could spread.”

Further work is also needed to understand how to strengthen the resilience of financial institutions and infrastructures, added the IMF, both to reduce the odds of a successful attack, and to facilitate smooth and rapid recovery.

Internet of Business says

A timely and welcome report, which ignores one thing: the low reputation of the financial services sector in general (regardless of its cybersecurity), coupled with low trust in all organisations’ ability to secure citizens’ and customers’ data (according to multiple reports this year – see Internet of Business, passim).

Hopefully, banks will see pursuing better cybersecurity as a means to help restore customers’ trust, as many citizens and businesses continue to live in the shadow of the 2008-09 crash, recession, and resulting austerity policies.

Since then, billions of dollars’ worth of fraud and market rigging have involved many of banking’s biggest names in scandals such as Libor, Euribor, and others.

For example, in 2012, banks including UBS and Barclays were fined a total of $22 billion for rigging the London Interbank Lending Rate (Libor). In 2014, US and UK regulators fined several banks, including HSBC, UBS, JP Morgan, and Citibank, $2.6 billion for conspiring to manipulate foreign exchange rates.

Since 2015, banks in the UK are thought to have paid out £22 billion ($30 billion) in compensation for mis-selling payment protection insurance (PPI) – a scandal that affected over 1.5 million people.

And since 2008, there have also been multimillion-dollar fines for, among other things, banks laundering Iranian money, and running illegal interest-hedging schemes. In the latter case, HSBC, Barclays, Lloyds, and RBS were among the banks involved in a scandal that affected thousands of small businesses.

These are just a handful of the scandals involving banks in recent years, most of which were bailed out by the taxpayer during the recession, to the tune of hundreds of billions of dollars.

Last month, another report said that banks’ experimental use of new technologies, such as blockchain, AI, and cloud computing, could itself pose a systemic threat to the financial sector.

However, many banks and financial services companies have been investing in AI and machine learning to help detect and prevent fraud, as these recent Internet of Business reports revealed: