Throughout history, the job of the nation state has been to protect citizens from a range of threats, be that disease, famine, or foreign invasion. In an analogue world, these threats were physical in nature and, as a result, mostly localised.
The threat landscape is radically different in a connected, digital world. Critical infrastructures, from smart meters to payment systems, are no longer constrained by geography. Personal digital assets, such as identity and online behaviour data, are increasingly globalised. Threats to these aren’t nearly as easy to monitor or defend against – and governments’ ability to deal with them is being eroded.
Industries and businesses are now finding themselves on the front line, safeguarding the digital economy against a series of emerging systemic risks – most notably cyber.
In its 2018 Risk Report, the World Economic Forum cited cyber security as the biggest source of technology risk facing businesses worldwide, while the Centre for Strategic and International Studies put the economic cost of cyber crime worldwide at $600bn – equivalent to a 14 per cent tax on the digital economy.
Financial services are first in the firing line. Professional criminals seek high-value targets, such as banks, while state-sponsored activities are now adding to the growing array of cyber threats.
At the same time, supply chains in financial services are outgrowing firms’ and regulators’ oversight, introducing substantial cyber risks through third and fourth parties.
Adding to the financial sector’s vulnerability, the systemic importance of large financial institutions and critical market infrastructures also amplifies the macro-stability implications of any cyber breach.
Regulatory scrutiny has rightly ramped up in recent years: 41 out of the 56 existing cyber-related supervisory documents have been introduced since 2016. A further 72 per cent of G20 jurisdictions have reported plans to issue new regulations, guidance, or supervisory practices that address cyber security in the financial sector over the coming year.
In October, the Financial Conduct Authority issued its first ever fine for cyber failings – £16.4m on Tesco Bank for its cyber breach in 2016. In its statement, the regulator was clear about its “no tolerance” for firms failing to protect customers from “foreseeable” risks.
This should be a warning to all banks to make cyber security a central priority. The UK regulators have been a leading force in treating this as an integral part of operational resilience – a supervisory priority no less important than financial stability. The introduction of a new, designated Senior Manager Function by the Prudential Regulation Authority last year further reinforced the view of cyber security as a board-level responsibility.
Analysis by Parker Fitzgerald suggests that the world’s largest 30 banks spent $6.3bn on cyber security in 2017. However, some financial institutions still see cyber as a matter for the IT department, rather than business-critical. This is a mistake: as an expanding part of operational risk, cyber will attract greater prudential scrutiny and potential capital charges.
In addition, the effectiveness of any cyber investment depends on cohesion between cyber and business strategies. The introduction of new digital products, systems and platforms, as well as the continued trend towards IT outsourcing, will introduce additional cyber risks that must be contained within firms’ risk appetite.
This calls for the mitigation of cyber risks to be driven by an organisation’s business strategy. Cyber must be incorporated as a key consideration in the enterprise risk management framework, with the potential for benefits such as optimised capital allocation.
To safeguard financial institutions and systems from cyber threats, firms need to change their mindset and view cyber resilience not as a necessary evil, but an enabler for growth in the era of digital finance.