The International Monetary Fund releases a report each year identifying near-term financial stability risks.
Its latest Global Financial Stability Report, released in April, covers many of the usual topics—including strains in commercial real estate and corporate credit, disinflation surprises, and debt vulnerabilities. However, it also had a surprise entry: the risk of cybersecurity threats.
This was the first time that the IMF formally acknowledged that the use of technology in the financial sector, combined with increasing geopolitical tensions, could destabilize the entire global financial system.
It’s also worth noting that the organization—which aims to achieve sustainable economic growth and prosperity for nearly 200 countries—experienced a cyber attack against its own systems earlier in the year.
While the IMF has long covered cybersecurity in its policy advice and assessments, the new financial stability report was the first time the fund provided a detailed analysis of the potential impact of cyber risks that the global financial system has to face.
The number of cyber threats are growing in volume and intensity. The US financial sector has lost over $12 billion as a result of cyber incidents, mainly against banks, since 2004. Even relatively minor hacks can have serious repercussions.
The entire financial sector is an attractive target for hackers that want to steal data or disrupt services. DDoS (denial-of-service) attacks against financial institutions in order to disrupt online apps and websites grew by 154% in 2023, according to a report by the Financial Services Information Sharing and Analysis Center.
Notable incidents in recent years included:
The IMF has said that they would like to spend more time researching cyber risks, but finds itself impeded by a lack of data as many countries do not require disclosure after a cyber attack.
The IMF report highlighted a number of key issues around cybersecurity, including:
The large amounts of sensitive data and transactions that financial firms handle make them attractive targets. The IMF found that banks are especially vulnerable, accounting for nearly half of all cyberattacks within the financial industry. These attacks can erode trust, disrupt critical services, and even cause financial instability.
According to the report, many of the existing cybersecurity policies and overseers aren’t able to address emerging cyber threats. They also highlighted the need for cybersecurity professionals to have a seat at the boardroom table; companies with board members who have cybersecurity knowledge are better equipped to prevent attacks.
Their researchers have found that businesses that easily enabled their employees to work remotely before the pandemic were better prepared against cyber attacks as they likely had more cyber expertise in place at a board level and more robust cybersecurity policies in place.
Considering that cyberattacks have roughly doubled since the pandemic, businesses must make corporate security governance a priority.
The report paints a dire picture, not only emphasizing the growing financial burden that cyberattacks place on individual financial institutions but also the risk to the industry as a whole.
Cyber incidents could lead to a loss of confidence in the financial system, potentially causing bank runs or market meltdowns. Attacks could disrupt essential services like payment networks, hindering economic activity.
An attack on the Central Bank of Lesotho in 2023, for instance, disrupted the entire national payment system and prevented domestic bank transactions.
Many financial institutions rely on third-party IT providers to improve operations but may expose the entire industry to system-wide disruptions.
A ransomware attack on a cloud IT provider in 2023 saw outages at 60 credit unions within the US.
As firms continue to digitize and globalize, it’s important that cybersecurity frameworks adapt to the changing cybersecurity landscape. Private incentives may not be sufficient to shift their mindset, which is why public intervention and pressure may be required.
The IMF ends the portion of the report with several recommendations, including:
The IMF report once again highlights the fact that cyberattacks cannot be taken lightly by the financial or global business sectors. Ensuring that your business can withstand an attack isn’t just part of your fiduciary duty to the company; it’s a shared global responsibility all of us share.
Avoiding cyberattacks begins with strong prevention, and Coro can help.