The impact from a cyberattack on financial institutions (FIs) could reach as high as a few hundred billion dollars annually, chipping away at profits and threatening the stability of financial firms, the International Monetary Fund (IMF) warned in a new report.
According to an IMF staff modeling exercise, FIs could lose that much each year because they are a target of hackers and because of the role they play in managing and handling funds. The IMF report said a successful hack of an FI could spread quickly through the interconnected financial system. What's more, the IMF said that many FIs use older systems that may not be able to fight off a cyberattack. Such an attack could result in financial losses, as well as a hit to the FIs' reputation, which could lead to more losses.
To ascertain the risk, the IMF used techniques from actuarial science and operational risk measurement to come up with total losses from cyberattacks. Taken "at face value," the IMF said the study suggests the average annual potential losses from cyberattacks could be nearly 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario where cyberattacks are frequent, the hit would be two-and-a-half to three-and-a-half times as high, or between $270 billion and $350 billion. In the worst 5 percent of cases, the average potential loss could be as high as half of a bank's net income, which would place the entire financial sector at risk.
In addition, the IMF noted that the estimated losses are much bigger than the cyber insurance market, with premiums remaining small globally at around $3 billion as of last year, and most FIs not carrying cyber insurance. When they do, they get limited coverage, with insurers having a tough time evaluating the risk of cyberattack exposure, noted the IMF. The IMF said there is a way to better gauge the risks, pointing to governments collecting more "granular, consistent and complete data on the frequency and impact of cyberattacks." The IMF said that would help assess risk for the financial sector.
The IMF wrote in the report, "Requirements to report breaches — such as considered under the EU’s General Data Protection Regulation [GDPR] — should improve knowledge of cyberattacks. Scenario analysis could be used to develop a comprehensive assessment of how cyberattacks could spread and design adequate responses by private institutions and governments."