The European Systemic Risk Board (ESRB) has published a report on cyber incidents, such as cyberattacks. The report, which also summarizes the latest estimates of the costs of cyber incidents, shows that a cyber incident could indeed evolve into a systemic cyber crisis that threatens financial stability.
The ESRB has therefore identified cyber risk as one of the sources of systemic risk to the financial system which could have serious negative consequences for the real economy. While the total costs of cyber incidents are notoriously hard to establish, recent industry estimates range from $45 billion to $654 billion for the global economy in 2018.
Cyber risk is characterized by three features that, when combined, make it fundamentally different from other sources of operational risk: the speed and the scale of its propagation, and the potential intent of perpetrators. The interconnectedness of various information systems enables cyber incidents to spread quickly and widely. Some recent incidents have demonstrated the perpetrators’ ability to penetrate the networks of large organizations and incapacitate them quickly. Cyber incidents can also spread widely across sectors and beyond geographical borders.
The report also describes when an incident might turn into a “systemic cyber incident” that could threaten financial stability. The key tipping point would occur when confidence in the financial system was so severely weakened that important financial institutions would cease all lending activity because they were no longer willing to lend, as opposed to being (technically) unable to lend.
While standard-setting bodies, national and international authorities, and industry groups are combining their efforts to mitigate cyber risks, the ESRB intends to use its broad institutional composition and network to evaluate the costs and benefits of different policy options aimed at reducing systemic cyber risk.