Cyber security fears are suddenly being expressed at the highest levels of the financial system, in urgent tones.
Australia’s central bank just released its most recent review of systemic financial risks, and used the document to make prominent warnings about devastating cyberattacks.
Banks, stock markets and other financial sector players could be taken down by cyberattacks, and the effects could spiral into a serious financial crisis with economic consequences, the Reserve Bank warns.
“Cyberattacks have become more frequent and more sophisticated in recent years and it is highly probable that at some point in time the defences of a significant financial institution will be breached,” the RBA said in its most recent Financial Stability Review.
“This would not only create problems for the institution concerned but could also undermine confidence in the broader financial system.”
The risks to financial stability exist because the sector relies profoundly on confidence. But who would want to leave money in a bank where account balance data was unstable?
And who would buy stocks on an exchange with long outages that meant you couldn’t trade when you wanted?
The RBA has become increasingly concerned about cyber security as a major threat to domestic and global financial stability.
References to “cyber” have been on the rise over the last six years (excepting a hiatus in the pandemic), as the chart below shows, primarily in the context of cyber attacks and cyber risks.
In the last three editions of the Financial Stability Review, however, the intensity has changed.
Cyber attacks have been elevated into the section of the review devoted to the most serious risks to systemic financial stability.
Then, in the most recent edition, use of the term “cyber” hit a record level thanks to a multi-page discussion of cyber risks and their destructive power.
In some ways, the RBA is just catching up.
In April 2021, the chairman of the US Federal Reserve – the RBA’s American equivalent – told media, “the risk that we keep our eyes on the most now is cyber risk.”
But the RBA is emphasising cyber risk now because the world has become more dangerous, even in the last year.
Thanks to the current international environment of war and sanctions, the RBA says cyber risks “are currently judged to be elevated.”
State actors (they don’t say it, but principally China) pose the biggest threat.
“Cyberattacks are more likely than other types of incidents to be systemic: a well-resourced and sophisticated adversary seeking to cause widespread distress will actively exploit cyber vulnerabilities to maximise the impact of their attack (including by affecting multiple institutions),” the RBA says.
“Cyberattackers could be motivated by financial gain or a desire to disrupt – the latter is more concerning because it is harder to defend against such attacks.”
We need to fix our defences. But who will do the work? One challenge for Australia’s financial industry will be in finding the skills to protect the financial infrastructure we all rely on.
According to the 2021 (ISC)² Cybersecurity Workforce Study, the world has a cybersecurity workforce gap of 2.7 million people.
And the shallow pool of professionals in Australia is being spread thin not only by huge corporate investments in cyber security, but by government investment too, including the $9.9 billion in the federal budget under the acronym REDSPICE.
The cyber resilience of Australia’s financial system has already been tested and found wanting – not only by data breaches and system outages, but by a recent pilot for a simulated cyberattack arranged by the Council of Financial Regulators.
That pilot simulation recently concluded with the “red team” finding some strengths, but also “weaknesses that could present a risk to the integrity and stability of Australian financial institutions.”
The so-called red team is a group of expert outsiders who work over months to plan and execute an attack that targets actual weaknesses in financial sector systems, including vectors the financial sector had not planned for, and mimics the attack approach of known adversaries.