Cyber attacks. Maybe you know someone who's been the victim of one. Maybe you've been the victim of one yourself. Attacks can paralyze an entire company's operations. They can even knock out essential parts of our daily lives, like transport or health services. Cyber attacks are on the rise and they're getting more severe. They're also relevant for companies, for banks and for other financial institutions. And today we'll uncover what cyber risks can mean for financial stability. Relatively new territory for us here at the ECB. How much does the financial sector have to worry about cyber attacks and how do they threaten financial stability?

You're listening to the ECB podcast, bringing you insights into the world of economics and central banking. My name is Katie Ranger and I'm joined by John Fell from our financial stability department here at the ECB. Now John, unfortunately COVID has kept us apart, so you're in the podcast studio. I'm at home, but nevertheless it's really nice to be able to speak to you.

Great to be back again, Katie.

Now John, as you just said, great to be back. You're back with us for our second episode about financial stability, and that's because in our recent Financial Stability Review you co-authored a section looking at cyber attacks and the risks that they hold for our financial system. Of course, listeners, we'll drop a link to that in the show notes. John, let's cut to the chase and talk about what you found. What do cyber attacks mean for the financial sector and are they a threat to financial stability?

As we're speaking mostly about crime here, Katie, maybe it's useful to think about cyber crime in the same way a criminal detective would. Think of your favorite crime show where the crime sleuth usually gathers evidence to prove that a suspect had the means, the motive and the opportunity to commit the crime.
We can think of drivers of cyber attacks in the exact same way, and all of them, the means, the motives and the opportunities, are on the rise. So if I start with the means, and by this I mean the how, so the tools and the know-how that would-be attackers would have at their disposal. Criminal gangs or nation states intent on committing cyber attacks will always find ways, but now literally anyone who wanted to could procure them fairly easily. Just think about the tools, the computers, the software and so on. These have become a lot cheaper over time and nowadays the know-how is actually freely available. So just try a quick Google search of how to become a hacker and it will produce a staggering number of hits. YouTube videos with step-by-step guides are now freely available. To be fair, now many of the courses on offer are aimed at aspiring ethical hackers, so these are the people who seek out vulnerabilities in IT systems with the intention of fixing them, but it's not clear that all of them are. So we can be fairly sure the population of potential hackers is growing.

Okay, so the means are more easily available, it's kind of easier to become a hacker if you want to. What about the motive, the why? And why should the financial sector worry?

Well, the banks are where the money is, so that alone makes them attractive targets. Beyond that, financial institutions offer multiple avenues for ill-gotten gains, be it through extortion, through theft or through fraud. There can be other motives too for cyber attackers who are either nation states intent on causing economic damage or hacktivists, so groups or individuals with motives to promote political agendas or social change. For either of these perpetrator types, targeting the financial sector can offer considerable leverage because a functioning economy relies on the financial system performing a range of key financial intermediation functions. Without them, business and economic activities would soon be paralyzed.

Okay, so I think the key word here is leverage, right? So a hacker targeting the financial system knows that he or she is in the stronger negotiating position.

Exactly, and then last but certainly not least there is the opportunity. In principle, the more digitalized business processes are, the greater is the risk of cyber attacks, and the financial sector is one of the most digitalized sectors in the economy. Think of all the services the financial sector provides, from online banking to payment services to securities trading, settlement services and so on. These processes are largely digitalized and that creates vulnerabilities, and vulnerabilities make enticing targets for cyber attacks. Now we should also be mindful that technological progress has been changing the nature of these vulnerabilities over time. So up until a few years ago, everything I said about means, motives and opportunities would have been cause for concern about attacks on individual financial institutions. But now, with widespread adoption of cloud technologies for instance, the risks are becoming more systemic in nature, and that's because the centralization of information and data storage facilitated by these technologies is also creating interdependence among financial institutions through greater network traffic. And as the number of routes available to launch cyber attacks increases, it becomes easier to envisage scenarios where trust in the financial system is eroded, and that could eventually lead to systemic crisis.

And when something becomes systemic, that's when we think about risks to financial stability, right? So the stability of the whole financial system.

Right, and there is one other very important reason to have concerns. All of what I just said concerned direct attacks on entities within the financial system. But cyber attacks need not necessarily target the financial sector itself to cause a financial crisis.
From the point of view of a cyber attacker, so just think of a nation state intent on causing maximum economic damage, there could be serendipity. Now by this I mean a cyber attack targeted at a critical economic activity, imagine a power grid or a supply chain, that could trigger domino effects, intended or not, whereby swathes of non-financial firms fail. In such a scenario banks would be confronted with waves of loan defaults for which by definition they would be totally unprepared. So there are many ways in which cyber attacks could lead to financial instability.

Now John, it's the first time that we're looking at this topic in detail in our Financial Stability Review. Why are we looking at it now? Is there something that's kind of prompted this analysis?

So that's a great question. We had actually been debating among ourselves for some time whether the Rubicon had been crossed from a point where we saw cyber attacks as being mainly idiosyncratic to one where they are potentially systemic, or from being largely random to having identifiable drivers. I can think of at least three reasons for why we thought the time was right to do some work on this now. So first, we saw a surge of cyber attacks during the pandemic. In our special feature we documented a doubling of the number of cyber attacks reported in 2021 when you compare it with late 2019, just before the pandemic. And we think this can be traced to the greater opportunity social distancing measures opened up for would-be attackers. As we know, many businesses, activities and services went online and so cyber attack vulnerabilities increased. And at the same time, the switch to remote working also meant increased exposure to cyber attacks as people were using more vulnerable forms of IT. So remote connections, VPNs, possibly unsecured Wi-Fi networks, etc. And it can't be ruled out that the means for carrying out cyber attacks also increased, as amateur hackers would have had more privacy operating from home.

Okay, makes sense. Everyone was at home, even the hackers themselves are at home.

Now the second reason is that we convened a roundtable of 10 chief risk officers from some of the largest financial institutions in the euro area earlier this year. And we did this because we wanted to hear about their main concerns, the ones that kept them awake at night. And the group was very diverse: some were risk management leaders in banks, others were representing insurers, and some worked in the investment fund industry. Now what we found striking was that, without exception, all of them highlighted cyber attacks as a key source of concern. And many spoke of vulnerabilities being created by common reliance on the same cloud providers, making cyber risk potentially systemic. And then we had, shortly afterwards, a third factor. Before the Russian invasion of Ukraine, there were reports of cyber attacks on Ukrainian government websites as early as January this year. By February, the scope of attacks had extended to Ukrainian banks. And so the risk of geopolitically motivated attacks had clearly risen too.

Let's talk a bit about the attacks themselves. In your analysis, you looked at a data set of about 9000 events. What kind of attacks are we talking about here? Can you break that down a bit for us?

Sure. Well, so some clear patterns emerged from the data and the special feature provides quite a lot of detail. Let me just focus on three of the findings that we found notable. So the first: the majority of the perpetrators are criminals with financial motives. Now we found this to be true for the whole sample, and also during the pandemic. But criminals are not the only perpetrator types; hacktivists and nation states have also been quite active.

Now a hacktivist is someone that uses hacking for political purposes, right, or social, socially ethical purposes.

Exactly.
And then the second finding, and this was a bit of a surprise for us: the financial sector is actually not the prime target of cyber attacks. It only accounts for about 5 to 10% of all incidents. Public administration, health care and education are more frequently targeted. And then a third finding: the data offers support for the view that crypto assets facilitate criminal activity. Now we found that this is the dominant method of payment in so-called ransomware attacks. So these are the "give me your money or I'm going to lock you out of your IT system" kind of attacks. Much easier to be on the receiving end of a transfer of crypto assets to your laptop than to arrange for the collection of a suitcase filled with cash in some isolated location.

Absolutely. Now, of the cyber attacks that you looked at, of those 9000 cyber attacks, 50% of them were reported to have happened in the US. And almost one in seven was in the euro area. Now, at least to me, those sound like pretty big numbers for like a single region or a single country. What exactly is behind this? Are there certain things that kind of influence where cyber attacks take place?

Yeah. So the database is rich enough that we were able to do some statistical analysis. And we think an important finding of our work is that cyber attacks don't appear to be random. In fact, we find evidence of both structural and cyclical factors. So economic strength is one structural driver. For instance, developed economies have fallen victim to cyber attacks more frequently than developing economies. And we think this is probably due to differences in stages of digitalization. The degree of financial globalization also matters. So the countries that are targeted most are ones that are more integrated into global financial structures. And we also found a time dimension. Cyber attacks increase at times of heightened political and economic policy uncertainty, and in a predictable way.
For instance, the frequency of cyber attacks has tended to rise in the months leading up to US presidential elections. We see the same thing when geopolitical tensions are high, especially when it comes to state-sponsored attacks, which often center around espionage and sabotage on the public sector. And that said, we haven't seen a huge rise in attacks since Russia launched its horrific war against Ukraine.

Okay, so economic strength, degree of integration in the financial system, political uncertainty, all things that can kind of influence where an attack takes place. Now, cyber attacks, they occur in this kind of dark corner of society. So I'm wondering how much information we actually have on them. So how easy is it to keep track of what's going on there?

So we have to be mindful that the data that we have is self-reported. And that means it's very likely to be biased. So for instance, for some businesses, falling victim to a cyber attack could be reputation damaging. So imagine a bank: reports of a cyber attack could even encourage depositors to run, to take their money out. Now, even if the reputation damage of falling victim to an attack is contained, victims could still be faced with high insurance premiums if they haven't been taking sufficient precautions. And we're also seeing rating agencies taking greater account of cyber risk in ESG, so that's environmental, social and governance, scores. Downgrades of these scores resulting from cyber attacks would make it more expensive for firms to raise funds in the market.

You know, I never really thought about it like this, you know, that there are so many deterrents to actually reporting a cyber attack. You kind of think, OK, if I've been victim of a cyber attack, then I want the perpetrator to be found and therefore I report it. But in fact, it's not always the case.

Exactly, yes, deterrents. And that means we have uncertainties, not only about the frequency, but also about the costs of those attacks.
Now, even for reported incidents, measuring the cost of a cyber attack is challenging. The direct costs, now say the paying of a ransom, if it was a ransomware attack, should be straightforward to measure in principle. But then there are the indirect costs. So the revenue losses resulting from reputation damage or the loss of business competitiveness, if, say, intellectual property of a firm was stolen. And those are much harder to gauge.

Right. Well, we've talked, John, about what kind of things influence when and where these attacks take place and the threat that they pose for the financial system. I want to focus on the system itself and, in fact, what we can do to guard the system against these attacks. So what kind of things can be done to make the financial system more resilient against them?

So we were able to confirm a key finding of a BIS study that was recently published on the drivers of cyber risk. And that study showed that the costs of cyber attacks are lower for businesses that have high IT expenditure. So finance and insurance businesses, for instance, spend a lot on IT. But they report much lower costs of cyber attacks than, say, businesses that focus on the arts. Now, that said, we have to be really careful in interpreting this finding. A once-off investment in a cybersecurity system is not going to offer eternal protection against all future cyber attacks. Cyber attackers are becoming more and more sophisticated over time. And as they do, cybersecurity systems would be forced to evolve as well. So last September, I participated in a Nordic cyber and finance conference, which was hosted by the Central Bank of Iceland. One of the speakers there, Husgulder Klinsen, drew parallels between the dynamic we are facing now and the evolution of medieval castle design in the past. So when the only weapons that attackers had were swords, bows and arrows, a very simple castle, what was called a Norman Keep, that was sufficient to protect against the attackers.
A good example of that would be, I think, the well-known square White Tower at the centre of the Tower of London. Then there was technological progress that brought battering rams and catapults and also the means to topple those castles. So then castle security was upgraded with the building of walls around the Keep, possibly with so-called kill zones in between the walls, and then even moats. This was an arms race and it was eventually brought to an end by the invention of gunpowder and cannons, as it proved too expensive to build ever more complex castles. Now in the cyber world, in just a few decades, cyber threats have evolved from the risk of a virus being spread via a floppy disk, so the Norman Keep, to the risk now of paralysis of critical infrastructures. And then if we look ahead, it was reported just this year that scientists at the University of Sussex think that quantum computers are likely to have the capability to decrypt the security, which is supposed to be unbreakable now, that protects Bitcoin sometime in the next decade. Now we document expectations of substantial revenue growth for cyber security firms in the years ahead. But as with the medieval castles, the costs may become too onerous for single firms to shoulder.

Right. I mean, we mustn't forget that we're talking about individual companies here, and many of them are small and they just can't afford the level of security that the big multinationals can.

Yes. So I mean, that can either become a public sector responsibility or, in the meantime, we can do a lot. Macroprudential authorities can invest in monitoring frameworks. So that's like early warning tools. We get an early warning that cyber attacks could be coming. Or system-wide stress testing aimed at gauging resilience of the financial system to cyber attacks. Actually, these are standard tools of financial stability analysis.
And with some investment, they could help in identifying vulnerabilities and issuing warnings when necessary. But to make that happen, collaboration among authorities is going to be needed. As will the closing of data gaps. The more knowledge that we have about the fundamental drivers of cyber attacks, the easier it will be to identify sources of risk. And then we can act accordingly.

Okay, collaboration, closing information and data gaps are very important here. Now, John, thank you for explaining this new and really quite fascinating topic for us. Before we wrap up, as you know very well, I do have one last question that we always ask our guests here on the ECB podcast. Do you have a hot tip for our listeners who want to learn more about the topic we've been discussing? So cyber risk, I can think of many different films that we could put into that category. But what's your hot tip, John?

Well, I mean, in researching this, I found out that the history of cyber attacks is actually longer than many people tend to think. And actually, not all hacking is bad. My tip this time is a movie. It's called The Imitation Game. Very good movie. And it tells the story of how Alan Turing and his colleagues at Bletchley Park developed the Bombe, I think it's pronounced that way. It was an electro-mechanical machine, which helped to break the Enigma codes as early as 1940.

Well, that's a great tip from my perspective, The Imitation Game, the film about Alan Turing and Bletchley Park, because I've been to Bletchley Park and I think it's a really fascinating place. So thank you for that.

Thank you too.

Well, that brings us to the end of this episode. And I just want to say thanks again to John Fell of our Financial Stability Department here at the ECB. Be sure to check out the show notes for further reading on this topic. You've been listening to the ECB podcast with Katie Ranger. If you like what you've heard, please subscribe and leave us a review.
Until next time, thanks for listening.