The IMF Warns of A Systemic Shock to the Financial Sector

Nearly one-fifth of all cybersecurity incidents in the past two decades have affected the financial sector, according to the International Monetary Fund’s 2024 Global Financial Stability Report, highlighting the growing vulnerability of the global financial system to cybersecurity risks.

In this context, the IMF emphasized that while the nature of cyber-attacks on the financial sector, “have generally been modest in the pasts", its likelihood should not be underestimated. While cyber-attacks have not yet compromised major financial institutions such as national central banks, their potential compromise poses a serious threat to macrofinancial stability. This threat arises from the potential loss of public confidence, disruption of critical services, and technological and financial interconnectedness.

According to recent data provided by the IMF, direct losses from cyber-attacks within the sector are relatively modest, averaging approximately US$500 thousand per incident. However, the risk of extreme losses, upwards of US$2.5 billion, has increased dramatically. 

“The maximum loss expected to occur in most years, has more than doubled since 2017 to US$141 million in 2021, equivalent to about 50[%] of the average firm’s operating income,” according to the report’s generalized extreme value distribution model.

Furthermore, social factors, including the accelerated digital connectivity resulting from the COVID-19 pandemic and the ongoing Russia-Ukraine conflict, have contributed to a doubling of cyber-attack rates in recent years. This escalation in both the scale and frequency of attacks underscores the pressing imperative for proactive measures to mitigate and address cyber threats.

Given their significance, the IMF underscored the absence of effective cybersecurity policies in several countries, highlighting it as an additional concern. While there have been noticeable advancements in cybersecurity policies in emerging and developing nations, the IMF report emphasizes the persistence of significant shortcomings. 

In response, the IMF advocates for a comprehensive approach, particularly within government agencies, urging the implementation of robust national cybersecurity strategies, the establishment of appropriate regulatory and supervisory frameworks, investment in staff training, and the enhancement of national and international information-sharing mechanisms.

Within the private sector, financial companies are strongly encouraged to enhance their reporting of cyber incidents to supervisory agencies. This approach will not only facilitate more accurate monitoring of cyber risks but will also enable a faster and more coordinated response to potential threats.

"The cyber resilience of the financial sector needs to be strengthened through the development of an appropriate national cybersecurity strategy, appropriate regulatory and supervisory frameworks, a skilled workforce, and national and international information-sharing arrangements," reads the IMF report.

In addition, it is critical that supervisors hold board members of financial institutions more accountable for managing cybersecurity. Promoting an appropriate risk culture, encouraging "cyber hygiene", and improving cyber training and awareness are critical steps to mitigate the risks associated with cyberattacks.

Given the presented outlook, the report expects both financial institutions and national authorities to develop and strengthen their response and recovery procedures to ensure the business continuity of national financial systems in the face of potential cyberattacks. The IMF also noted the need for effective response protocols and crisis management frameworks to deal with a major cyber crisis.