Cyberattacks cost financial sector $12B in 20 years: IMF
Cyberattacks have more than doubled since the pandemic, and in the last 20 years, the financial sector has lost $12 billion as a result of more than 20,000 cases of cyberattacks, according to the latest report by the International Monetary Fund (IMF).
This rising trend in cyberattacks is attributed to a surge in digitalisation and geopolitical tensions. “Cyber incidents that disrupt critical services like payment networks could also severely affect economic activity. For example, a December attack at the Central Bank of Lesotho disrupted the national payment system, preventing transactions by domestic banks,” the authors of the report Fabio Natalucci, Mahvash Qureshi, and Felix Suntheim wrote.
Since the Covid-19 pandemic began, the incidences of cyberattacks reported by financial firms have doubled. The direct losses incurred by companies in this sector have reportedly increased. In particular, the losses have more than quadrupled since 2017 to $2.5 billion.
Notably, the IMF said, financial institutions are susceptible to the risk of cyberattacks due to the volume of sensitive data and transactions they handle. Banks alone are prime targets, accounting for a significant portion of cyberattacks. These attacks pose immediate financial threats and have the potential to erode confidence in the financial system, leading to market instability or bank runs. Besides that, the repercussions of cyber security violations could cause economic instability.
“While companies have historically suffered relatively modest direct losses from cyberattacks, some have experienced a much heavier toll. US credit reporting agency Equifax, for example, paid more than $1 billion in penalties after a major data breach in 2017 that affected about 150 million consumers,” said the report.
Increasing risk
The IMF warned that the risk of extreme losses from cyber incidents is increasing, leading to potentially cause funding problems for companies and even jeopardise their solvency. “The financial sector is uniquely exposed to cyber risk. Financial firms—given the large amounts of sensitive data and transactions they handle—are often targeted by criminals seeking to steal money or disrupt economic activity. Attacks on financial firms account for nearly one-fifth of the total, of which banks are the most exposed.”
So-called denial-of-service attacks against banks and other financial firms, typically lowlevel hacks that disrupt websites and online applications, grew by 154 per cent in 2023 compared with the year before, according to a report published last month by the Financial Services Information Sharing and Analysis Centre, a nonprofit that facilitates information sharing about cyber threats between financial firms, and cybersecurity company
IMF researchers want to work more on cyber risks to the financial sector but the lack of data is an impediment, said Mahvash Qureshi, division chief in the fund's monetary and capital markets department. Very few countries have laws requiring companies to disclose details about cyberattacks, and publicly available data about hacks is scarce, she said.
In December, new rules from the US Securities and Exchange Commission took effect, requiring publicly listed companies to disclose cyberattacks that have a material impact on their operations. The U.S. Cybersecurity and Infrastructure Security Agency is seeking public comment on draft rules published last month that will mandate critical-infrastructure companies to report cyberattacks to the government.
Companies with more cyber expertise on their boards tend to be better able to prevent successful cyberattacks, the IMF report said. The IMF researchers found that companies that more easily enabled employees to work remotely before the Covid-19 pandemic were less likely to be hacked after the pandemic compared with companies that weren't as prepared for the shift to remote work.