BlackBerry Blog

IMF: Cyber Attacks Could Cost Banks Half of Their Profits

FEATURE / 07.17.18 / Kim Crawley

In our capitalistic society, money rules. The financial services industry deals with our money, so what affects them affects us all, for better or for worse. And this news should get all of the multimillionaires and billionaires on financial corporation boards to stand at attention.

The International Monetary Fund (IMF) believes that cyberattacks could eventually cost banks up to half of their overall profits. Collectively, that could amount to trillions of dollars - I cannot even grasp the magnitude of it.

There has yet to be a cyberattack which cripples a bank’s daily operations at a large scale. But there have been major attacks on cryptocurrency exchanges where funds have been stolen, such as the $32 million attack on Bithumb and the $500 million attack on Coincheck.

Data breaches are increasing in frequency, and banks risk leaking sensitive data, damaging their reputations as safe places to do business, and facing litigation from other parties which may be harmed.

The IMF speculates that there could soon be a massive or sophisticated cyberattack on a conventional financial institution which could cripple its operations. When banks can’t go about their usual business, that definitely results in a loss of revenue.

Because the financial sector plays a key role in intermediating funds, the IMF believes they’re at major risk of cyberattack. Money is one of the top motivations for cyberattacks, and banks are very, very powerful, so they are potentially lucrative targets.

The Financial Costs of a Cyberattack

What’s concerning is that it’s difficult to model the cyber risks that banks face. There isn’t enough clear data on the costs of financial sector cyberattacks. A lot of the costs can be difficult to measure - reputational damage isn’t usually something an accountant can put an exact figure on in a ledger. So, the quantitative analysis of financial services cyber risk is still at an early stage, and the road to improvement in that area could be rather bumpy indeed.

But the IMF is trying a new framework for modelling financial cyber risk. From an IMF statement:

“We illustrate our framework using a data set covering recent losses due to cyber attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated.

The exercise is difficult, and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has yet been no successful, large-scale cyber attack on the financial system.

Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to nine percent of banks’ net income globally, or around $100 billion.

In a severe scenario – in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion – losses could be two-and-a-half to three-and-a-half times as high as this, or $270 billion to $350 billion.”

Techniques from operational risk measurement and actuarial science are used to estimate aggregate losses. With an understanding of the frequency of financial cyberattacks and their distribution of losses, that data can be put into the model. Then the distribution of aggregate cyberattack losses is estimated with numerical simulations. It all sounds very nerdy and complicated to me.
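
The frequency-and-severity approach described above can be sketched as a small Monte Carlo simulation. This is an added example, not the IMF's model or data: the Poisson event rate, the lognormal loss parameters and the function names are constructed assumptions, and losses are in arbitrary units.

```python
import math
import random

def poisson(rng, lam):
    """Draw an event count for one year (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(lam, mu, sigma, years=20000, seed=1):
    """Return sorted simulated aggregate losses, one per simulated year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        events = poisson(rng, lam)  # how many attacks this year
        # Each attack's loss is drawn independently from the severity model.
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(totals)

def summarize(totals):
    """Mean plus tail quantiles of the aggregate loss distribution."""
    def quantile(p):
        return totals[min(len(totals) - 1, int(p * len(totals)))]
    return {"mean": sum(totals) / len(totals),
            "p95": quantile(0.95), "p99": quantile(0.99)}

def expected_loss(lam, mu, sigma):
    """Closed-form mean: E[N] * E[X] for Poisson counts, lognormal losses."""
    return lam * math.exp(mu + sigma ** 2 / 2)

# Constructed parameters (assumptions, not figures from the IMF data set).
BASELINE = dict(lam=3.0, mu=0.0, sigma=1.0)
# Frequency twice as high; contagion between institutions is not modelled,
# so this only doubles the expected loss.
SEVERE = dict(BASELINE, lam=6.0)

if __name__ == "__main__":
    for name, params in (("baseline", BASELINE), ("severe", SEVERE)):
        print(name, summarize(simulate_annual_losses(**params)))
```

The tail quantiles, not the mean, are what an insurer or a bank's capital planning would size against, which is why the simulation keeps the whole distribution rather than a single average.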

According to the IMF, most financial institutions worldwide lack cyber insurance policies. Even for the institutions which do have cyber insurance, their policies won’t cover the losses that the IMF estimates, by several orders of magnitude. If I were to think like a writer for Forbes, I’d say that there’s a gaping void in the cyber insurance market. So major insurance firms could jump right into that and expect a growing market of financial clientele.

What Can Be Done to Protect Banks?

The IMF likes the EU’s new GDPR (whew, that’s a lot of acronyms!):

“Government collection of more granular, consistent, and complete data on the frequency and impact of cyberattacks would help assess risk for the financial sector. Requirements to report breaches – such as those considered under the EU’s General Data Protection Regulation – should improve knowledge of cyber attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber attacks could spread.”

Consumer trust in the financial sector doesn’t seem to be growing. Internet of Business’ Chris Middleton doesn’t think their publicized scandals help with consumer confidence at all:

“Hopefully, banks will see pursuing better cybersecurity as a means to help restore customers’ trust, as many citizens and businesses continue to live in the shadow of the 2008-09 crash, recession, and resulting austerity policies. Since then, billions of dollars’ worth of fraud and market rigging have involved many of banking’s biggest names in scandals such as Libor, Euribor, and others.”

Yeah, I personally don’t like government bailouts of banks either. I’m not looking forward to writing about the first cyberattack on a major bank that cripples their operations for a few days.

But it’s probably going to happen, and I’ll probably have to write about it. 


About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance or BlackBerry Ltd.