Could a cyber attack trigger the next financial crisis?

Published on the 21/09/2018 | Written by Jonathan Cotton



Just how safe is the global financial system from the bad guys?…

Individually, we already spend a lot on cyber – US$1 trillion will be spent by private companies trying to protect their systems by 2022 according to one reckoning – but from a systemic perspective, it may be all for naught. There are some who are growing increasingly concerned that the financial system itself may be vulnerable to attack.

It seems like a rational enough concern. After all, with an economic system increasingly predicated on digital – and the growing hordes of hacktivists, terrorists and hostile state actors – just how safe is the global financial system?

It’s an uncomfortable idea Deloitte has been exploring for some time.


The group’s 2017 Deloitte Cyber Regulation in Asia Pacific report casts doubt on the ability of regulators and institutions to withstand an organised assault on the systems which support the global financial system.

“The financial system relies on confidentiality of data, protection of deposits, and provision of critical services, and all of this has come under threat in recent years as the frequency of cyber attacks has increased,” says Kevin Nixon, Asia-Pacific leader at Deloitte’s Centre for Regulatory Strategy.

“Cyber risks are only set to increase as financial institutions become more data-driven digital businesses, and as more financial services are delivered online.”

“If cyber risks and responses are not well managed, it could even threaten the stability of the financial system. Only those financial institutions who have robust cybersecurity and cyber risk management will be able to retain customers, maintain trust and enhance their competitive edge.”

One of the key issues, according to Deloitte, is the isolated approaches to system security being used by institutions – and governments – both here and further abroad. This lack of harmonisation creates key vulnerabilities, says the group, and Australia leads the list of economies vulnerable to cyber attacks – nine times more vulnerable than other Asian economies, according to the research.

“Although cyber threats cut across borders, regulatory approaches to cyber risk in Asia Pacific are varied and localised, with no significant steps taken yet toward harmonised standards across the region,” says the report.

“Financial institutions struggle to understand the regulatory differences at a country level, to be aware of emerging threats and to design cyber risk programs that are coherent and robust across jurisdictions.”

Untangling regulatory issues across borders and cultures is no mean feat, but where there’s a digital harmonisation issue, there’s usually someone promoting a blockchain solution, right?

That’s one option currently being floated by Microsoft. The company recently released its whitepaper, Advancing Blockchain Cybersecurity: Technical and Policy Considerations for the Financial Services Industry, which examines the pros and cons of financial services organisations using blockchain-based platforms to improve security.

That report says blockchain’s distributed architecture could improve the resiliency of networks from being exposed to compromise, especially from a single access point or point of failure.

“One of blockchain’s benefits is its inherent resiliency in mitigating cyber risks and attacks, particularly those directed at financial institutions,” says Erin English, senior security strategist at Microsoft.

“While not immune to all forms of cyber risk, blockchain’s unique structure provides cybersecurity capabilities not present in other legacy technologies.”

English points to blockchain’s apparent transparency, which makes it more difficult to corrupt blockchains through malware or manipulative actions than traditional architectures.

“Moreover, blockchains may contain multiple layers of security,” says English, “both at the network level and installed at the level of each individual participant.”

But, alas, if there is a magic bullet solution, blockchain is not it, as despite transparency and multiple tiered security benefits, the technology, like any other, remains at the mercy of its all too human operators.

Says English: “Many risks involve a human element, such as maintaining the confidentiality, integrity, and availability of private keys; human coding errors that can introduce cybersecurity risk from off-chain applications; unsecure data that can be ingested from external sources; identity-based attacks intended to corrupt a blockchain’s consensus mechanism; and advanced threats that can corrupt the decision-making processes of the blockchain.”

So if even emerging distributed ledger tech is vulnerable to human interference, just what is the path to securing the seemingly insecurable?

We may simply be asking the wrong questions, says the London School of Economics. The group says that while cyber attacks are indeed a clear and present danger to the integrity of individual financial institutions, the threat of a real McCoy global systemic failure may be less likely than it first appears.

The university says that, all things being equal, a cyber attack triggering a global failure of financial systems is highly unlikely.

“We do not see how cyber risk could be the root cause of a systemic crisis because there is no direct connection between the failure of computer systems, no matter how severe, and the behaviour of those economic agents which ultimately culminates in a systemic crisis.”

Furthermore, the group reckons that the only actors with the ability to launch attacks widespread and coordinated enough to produce systemic failure would be nation states, who would have easier ways and means of achieving complete chaos, if they so desired.

Such actors, says the university, can spend years developing and deploying attacks, keeping them hidden until, in a coordinated fashion, they attack multiple IT systems. However, “even in this case, a cyber attack would not be sufficient unless it was on a colossal scale, involving multiple computer systems and their backup mechanisms.”

“It might be just as easy to manufacture the necessary uncertainty through financial means by, for example, making credible threats to world trade, the sequestration of foreign assets, or by the repudiation of international liabilities.

“If carried out on a sufficiently large scale, in our highly connected world these could easily lead to a repeat of the experiences of 1914. All these attacks require is enough international connectedness to allow trust in domestic institutions to be destroyed by a foreign actor.”

The solution then? While cold comfort for some, it comes back to regulation, say the researchers.

“To us, the overall discussion of cyber and systemic risk seems to be too focused on IT considerations and not enough on economic consequences.”

“From the point of view of policymaking, rather than simply asserting systemic consequences for cyber risks, it would be better if the cyber discussion were better integrated into the existing macroprudential dialogue.”
