Cyber attacks are becoming ever more frequent and sophisticated, and firms and policymakers list cyber risk as a major concern. Financial institutions and financial market infrastructures are especially at risk, and the financial industry ranks consistently as one of the most-attacked industries. While there have been several studies and surveys on cyber threats for the private sector – and firms in the financial sector in particular – little is known about central banks’ assessment of cyber risk.
The survey reveals four main insights. First, central banks from advanced economies (AEs) and emerging market economies (EMEs) differ in their assessment of the frequency and cost of different cyber attacks. All central banks deem phishing and other forms of social engineering to be the most likely attack vectors. AE central banks are significantly more worried about supply chain attacks (a cyber attack that seeks to damage an organization by targeting less-secure elements in its supply chain) than their EME counterparts. When it comes to the costs resulting from an attack, advanced persistent malware and ransomware attacks rank highest. Turning to the perpetrators of these attacks, AE central banks deem organized crime and state-sponsored entities to be the main actors. Among EME central banks, it is organized crime and individuals or activists.
Second, central banks actively discuss and develop policy responses to cyber attacks and have increased their cyber security-related investments notably since 2020. Technical security controls and resiliency feature high on the priority list of areas for investment in cyber security. Training existing staff on cyber security or hiring new staff with the relevant skills is also considered important, especially among EME central banks. Beyond investments, central banks focus on developing concrete policy responses. All central banks place a high priority on developing an incident response plan in case their own institution is attacked, and several central banks are also developing a formal strategy for responding to an attack on the financial system at large.
All central banks run internal exercises to simulate cyber attacks, and the most frequently modeled scenarios are an attack on the central bank's own systems and an outage of the payments system or other critical FMI. While supervisory authorities in most EMEs provide a framework for the collection of information on cyber attacks on financial institutions, fewer than half of those in AEs do. Similarly, while supervised firms are mandated to report losses related to cyber attacks to the central bank in almost all EMEs, only two-thirds of AE respondents report that such disclosure is required. No jurisdiction requires firms to disclose such losses publicly, however.
Third, central banks deem the potential losses from a systemically relevant cyber attack to be large, and think that losses from cyber attacks in the financial sector have increased over the past year. Only a few central banks fully agree that the financial sector is adequately prepared for cyber attacks, and over half of the respondents think that investment in cyber security has been inadequate over the past year. Beyond traditional financial institutions, respondents reported that they see fintechs as more at risk from a cyber attack than big techs, even though most respondents agree that a successful attack on a big tech would lead to materially higher aggregate costs than an attack on a fintech.
Fourth, central banks in AEs and EMEs already cooperate widely on a range of topics. Bilateral cooperation among central banks, as well as cooperation in bodies at the regional and global levels, is the norm. When it comes to specific topics of cooperation, information sharing, simulations and policy formulation to improve cyber resilience stand out in AEs. Among EMEs, central banks frequently cooperate in the realms of information sharing and policy formulation. In addition, over two-thirds of respondents develop common standards and protocols for the financial sector. The BIS supports central banks’ cyber security work, as well as global cooperation in this domain, in several ways – for example, through its Cyber Resilience Coordination Centre or projects of the BIS Innovation Hub.