$12 billion lost to cyberattacks in 20 years

According to a report released by the International Monetary Fund (IMF), financial institutions around the world have reported significant direct losses, totaling almost $12 billion from 2004 and $2.5 billion from 2020 from cyberattacks. The report titled, Global Financial Stability Report, April 2024, Chapter 3: “Cyber Risk: A Growing Concern for Macrofinancial Stability,” April 9, 2024 sumarized findings as:

• The frequency of cyberattacks has nearly doubled since prior to the COVID-19 pandemic.
• Most direct reported losses from cyberattacks are modest, around $0.5 million, but the potential for extreme losses—up to $2.5 billion—has risen.
• The financial sector is particularly vulnerable to cyber risks, with close to one-fifth of all incidents impacting financial institutions.
• While cyber incidents have not yet been widespread, severe events at major financial organizations could present a significant threat to macrofinancial stability due to loss of trust, disruption of essential services, and the interconnectedness of technology and finance.
• Implementing cyber regulations at the national level and enhancing cyber-related governance structures within firms can help decrease the occurrence of cyber incidents.
• A recent IMF survey indicates that cybersecurity policy frameworks have generally progressed in emerging markets and developing economies, but are still lacking in some countries.
  Policy Recommendations
• Strengthening the cyber resilience of the financial sector should involve creating a comprehensive national cybersecurity strategy, appropriate regulatory and supervisory frameworks, a skilled cybersecurity workforce, and both domestic and international information-sharing mechanisms.
• Enhancing the reporting of cyber incidents by financial institutions to supervisory bodies can improve the monitoring of cyber risks.
• Supervisors should hold board members accountable for overseeing the cybersecurity of financial institutions and fostering a risk-aware culture, good cyber practices, and cyber education and awareness.
• Financial institutions should establish and test response and recovery protocols to ensure operational continuity in the event of cyber incidents. National authorities should also establish effective response procedures and crisis management frameworks to address systemic cyber crises.

According to the report, cybersecurity breaches can result in significant financial burdens for companies. Since the year 2020, the total reported direct losses from cyber incidents have reached close to $28 billion (adjusted for inflation), with billions of records being stolen or compromised (as shown in Figure 3.1, panel 2). However, the overall costs, including both direct and indirect, are likely much higher according to Kamiya and others (2021). Estimates suggest that these costs could range from 1 to 10 percent of the global economy.

Nearly 20 percent of these attacks target financial institutions, with banks being the most vulnerable. Incidents within the financial sector have the potential to jeopardize financial and economic stability by undermining trust in the financial system, disrupting essential services, or causing ripple effects across other institutions.

Cyber incidents that disrupt crucial services such as payment networks can have a severe impact on economic activities. For instance, an attack on the Central Bank of Lesotho in December led to the disruption of the national payment system, halting transactions for domestic banks. Financial institutions in advanced economies, particularly in the United States, have faced a higher risk of cyber incidents compared to firms in emerging markets and developing economies.

Cyber incidents at financial institutions or critical infrastructure of a country can pose macro-financial stability risks through three main channels: loss of trust, absence of alternatives for the affected services, and interconnectivity. Although cyber incidents have not yet caused systemic issues, the continuous rapid digital transformation and technological advancements like artificial intelligence, along with heightened global geopolitical tensions, increase the risk.

Recent notable cyber incidents, such as the ransomware attack on the US branch of China’s largest bank, the Industrial and Commercial Bank of China, on November 8, 2023, which briefly disrupted trading in the US Treasury market, highlight the potential threat cyber incidents at major financial institutions pose to financial stability.