Cyber risk to stability
Financial regulators need to be vigilant
Financial stability risks can emanate from a variety of sources. The state of macroeconomic policies, the health of the banking and financial system, financial sector regulations, or a shock like a pandemic could disturb financial stability. Sudden policy changes in systemically important countries, such as a significant increase in policy interest rates by the US Federal Reserve, could also pose risks, as was observed during the recent monetary policy tightening. But most of these risks are well understood by policymakers and efforts are made to minimise them. The International Monetary Fund (IMF) this week released an analytical chapter from its forthcoming Global Financial Stability report, highlighting the cyber risk to macrofinancial stability. Since this is a relatively new source of risk and falls outside the traditional framework of managing financial risks, governments and financial market regulators need to understand it better.
As the IMF highlighted, cyber-related risks have increased significantly since 2020. This can perhaps be explained by the increased adoption of digital means by both individuals and businesses. Financial institutions in advanced economies, particularly the US, have been more exposed to cyber incidents. JP Morgan Chase, the largest bank in the US, recently reported “45 billion cyber events per day” and is spending about $15 billion per year on technology. There could be various reasons for cyberattacks on a country's financial institutions, including geopolitical tensions. Although direct financial losses due to cyberattacks have been limited thus far, there are various ways in which they could render the system vulnerable.
Such attacks on banks can disrupt payments and affect economic activity. They could also lead to sudden withdrawals, as depositors may begin to doubt a bank’s ability to meet payment demands, potentially triggering a run on banks. Besides banks, disturbances in financial market infrastructure providers, such as stock exchanges, could have a variety of consequences and lead to loss of investor confidence. The study notes that the use of common software and hardware by financial entities could also be a source of risk. More than 50 per cent of information technology service providers to systemically important banks globally are reported to be servicing two or more systemically important institutions. In addition, the very high level of interconnectedness among financial institutions across the globe also increases risks.
Given that the risk has increased in recent years, it is unlikely to be contained in the near term. While banks and financial institutions are aware of such risks, their perception and estimates may be limited to the potential risk to the institution alone. It is thus important for financial market regulators to push institutions to become cyber-safe. In this context, a survey of central banks and supervisory authorities of 74 emerging market and developing economies by the IMF in 2021 revealed that only 47 per cent had a national and financial sector-focused cybersecurity strategy. The Reserve Bank of India issued comprehensive directions to regulated entities in this context in November 2023. Nonetheless, since the level and nature of cyber risks are likely to continue evolving, both financial entities and regulators need to remain vigilant. International cooperation will also be critical in this regard as it will help regulators and financial authorities better understand the risks and develop safety nets.