Financial institutions could lose $350 billion from cyber attacks in a “severe scenario,” a new report from the International Monetary Fund (IMF) said.
On average, the annual hit could be about $100 billion, or nine percent of banks’ net income worldwide, the 189-nation organization said in its report, Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment. The report was generated from modeling the IMF conducted in 50 countries to build a data set covering cyber attack losses, particularly among financial institutions.
Commercial and investment banks, insurance companies, brokerages and the like are lucrative targets, owing to their role as intermediaries in moving funds, the IMF’s report said.
"A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system," eroding bank profits, threatening financial stability and potentially dealing a crippling blow to an institution, wrote Christine Lagarde, IMF managing director and chair, in a blog post. “Many institutions still use older systems that might not be resilient to cyber attacks,” she said. “And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.”
Banks account for the bulk of the attacks at 91 percent, followed by insurance companies at seven percent. Among banks, retail banking activities (39 percent of the total) and credit card services (25 percent) are the main business lines targeted by attackers, according to the report. In financial institution hacks, the target’s size doesn’t matter -- smaller institutions have so far borne the brunt of the storms, probably due to lower investment in IT security, the report suggested.
The risk could get far worse, the Fund said, warning that “quantitative analysis of cyber risk is still at an early stage.” From its vantage point, there’s not enough data yet on the cost of cyber attacks, making it difficult for the IMF to accurately model the risk. In other words, no one yet knows what to make of it.
That, incidentally, is also the position of Warren Buffett, the billionaire investor and CEO of conglomerate Berkshire Hathaway. While Buffett believes that cybersecurity risk for insurance underwriters can only get worse, the problem is no one knows how much worse. “I think anybody who tells you now that they think they know in some actuarial way what the general experience is likely to be in the future or what the worst case would be, is getting ahead of themselves,” he recently said.
One substantive reason is that data on cyber risk is “notoriously scarce,” with no common standard for recording incidents and no incentives or benefits for firms to report them, the IMF report said. In its research, the IMF pored over some 4,000 annual 10-K reports for U.S. companies in 2017 and found that only seven percent referenced cyber risk, and those were primarily in the finance and services sectors. By contrast, in Europe the General Data Protection Regulation (GDPR) requires firms to report breaches within 72 hours or face a significant fine.
Because most financial institutions don’t carry cyber insurance, potential losses from damage by bad actors are largely unrecoverable. At this point, the estimated hit to the financial sector dwarfs the size of the cyber insurance market, which took in about $3 billion in premiums last year.
Updating the regulatory and supervisory frameworks for cyber risk, including developing the ability to assess key vulnerabilities, is needed, the report suggested. In addition, enlisting the public to help design possible contingency plans, if a major attack were to occur, should be considered.