Costs associated with cyber attacks against the financial services sector are on the rise, the International Monetary Fund (IMF) has warned, with the number of incidents having more than doubled since the beginning of the pandemic.
In its first financial risks report to assess cyber security, the IMF said attacks on financial firms account for nearly one-fifth of the world's total financial losses, with banks the most exposed.
Financial institutions have lost a total of $12 billion to cyber attacks in the last 20 years, the study found, with $2.5 billion lost between 2020 and 2024 alone.
The report warned that the number of 'extreme losses' has more than quadrupled since 2017, now amounting to $2.5 billion. US credit reporting agency Equifax, for example, paid more than $1 billion in penalties after a major data breach in 2017 that affected about 150 million consumers.
Similar attacks in future could cause major disruption, the IMF warned, prompting calls for financial services firms to bolster security capabilities.
"For example, a severe incident at a financial institution could undermine trust and, in extreme cases, lead to market sell offs or runs on banks," said authors Fabio Natalucci, Mahvash Qureshi, and Felix Suntheim.
"Cyber incidents that disrupt critical services like payment networks could also severely affect economic activity. For example, a December attack at the Central Bank of Lesotho disrupted the national payment system, preventing transactions by domestic banks."
The report also warned about the effects of financial firms' increasing reliance on third-party IT service providers - a trend that's accelerating with the emergence of AI.
"Such external providers can improve operational resilience, but also expose the financial industry to systemwide shocks. For example, a 2023 ransomware attack on a cloud IT service provider caused simultaneous outages at 60 US credit unions," the authors wrote.
With only half of countries having a national, financial sector-focused cyber security strategy or dedicated security regulation, the IMF called for governments to do more.
They should periodically assess the cyber security landscape and identify potential systemic risks, including those from third-party service providers.
Minimize downtime and boost the productivity of IT staff with software-defined infrastructure
They should encourage better cyber-related governance and improve the cyber hygiene of firms through training and awareness programs; and they should prioritize reporting and information-sharing.
"If a bank, or a group of banks, was to suffer a cyber attack where money, data, and systems were impacted, the IMF is right in saying this could erode confidence in the financial system. As a result, financial organizations have a duty to be at the forefront of defenses," said Ian Harragan, director and co-founder of security consultancy i-confidential.
To combat supply-chain attacks, financial organizations must ensure they address the fundamentals of security.
"This includes holding an inventory of all their suppliers, understanding the inherent risk of each supplier, assuring suppliers based on their classification or inherent risk and, where suppliers need to remediate issues, following up to ensure they do."
