Planning for Risks and Repercussions of a Systemic Cyber Issue

  • Mark Caplan, President, Global Risk Institute

Cyber intrusion and cyber resilience are topics currently receiving tremendous attention, discussion and action, and for good reason. Financial firms fend off millions of cyber threats daily. Central Bank of Bangladesh, Equifax and others are recent examples of the vulnerability of large organizations and demonstrate the often severe consequences of falling victim.

Being cyber resilient as a financial institution is of paramount importance. Practiced, considered national arrangements are also critical to ensure that critical financial systems and networks can recover to serve their purpose in facilitating a vibrant economy. Given the global networked nature of wholesale finance, the potential impacts to retail confidence and functionality, and lessons learned in combating spreading systemic risk, there are also important international responses for which consideration and planning are necessary.

This paper frames the learnings from the most recent efforts to combat global, systemic risk – the 2008 Global Financial Crisis. Important responses came at all three levels – institutional, national, and international. While many of these past efforts will prove beneficial when a systemic cyber event occurs, cyber crime and its potential impacts differ in important ways. As the cyber scenario contemplated in this paper shows, an attack can meaningfully impact the availability of financial institutions, networks, infrastructures, and markets. It could also undermine the integrity of data records, which can severely impact the ability to recover and to maintain confidence in the system overall. Given that much of global finance relies on critical third parties both within and external to the financial system, the ability to contain risk to and control the resilience of financial networks could be quite different than in crises past.

There is a clear need for international policy makers to consider these adverse possibilities and take steps to ensure systemic risk is met with a targeted, considered response, including:

  • Communications aimed at promoting and restoring confidence
  • Contingency planning to enable economies to function in the event of an outage
  • Considered responses to denigration of function in secured finance markets
  • Cooperation by entities tasked with ensuring response is executed in a contingency

Introduction

The Global Risk Institute in Financial Services conducted a series of Cyber Security roundtables with leading Canadian financial firms and policy makers in early 2018 with the intent of better understanding the risks and repercussions of a global, systemic cyber outage from the perspective of the Canadian financial services industry.
It is becoming widely accepted that not only must firms plan and prepare their perimeter defenses for a cyber attack, they must also ensure resiliency. Resiliency includes a thought-out and practised response in the increasingly inevitable event that a successful cyber breach occurs. Responsibility for planning and practice rests clearly with senior management, and oversight of preparedness with boards of directors. Major financial firms in Canada are on their way to having robust defences including extensive contingency plans, regularly practiced cyber-threat simulations, frequent penetration testing, and coordinated industry technological response.

At a national level in Canada, policy makers, regulators, and industry associations are coordinating cyber response:
  • In the most recent budget, the federal government announced in excess of $500mm directed toward cyber security including the creation of a Canadian Centre for Cyber Security which will include Public Safety Canada’s Canadian Cyber Incident Response Centre, the formation of a National Crime Coordination Unit, and monies specifically targeted to safeguard the protection of data held by the Canada Revenue Agency.
  • The Bank of Canada is supervising key Financial Market Infrastructures as well as driving forward a Joint Operational Resilience Management (JORM) Program.
  • An industry led not-for-profit – The Canadian Cyber Threat Exchange – has been formed and is aimed at sharing information and analyzing and advising on cyber threats.
This list is only a sample of some of the work that is occurring.[2] All good progress and clearly necessary. But is it sufficient? Given continuing advances in and reliance on technology, the propensity of criminal actors, and the need for coordination to resolve a systemic issue, the answer is likely not.

Footnotes

[1] The author would like to thank participants in the Global Risk Institute Cyber roundtable discussions for their insights

[2] See GRI’s piece “National Approach to Cyber Intrusion” comparing Canada and the UK.