The Cyber Incident Landscape

Managing cyber is a challenge

The Bank of Canada’s 2019 Financial System Review points to cyber threats and financial interconnections as vulnerabilities for the Canadian financial system.

But for many firms, cyber risk is difficult to quantify. Technology, threat capabilities and complexity in how financial institutions use information are continually advancing. The financial sector is also made up of a wide array of highly connected entities—banks, dealers, asset managers, insurers, payment systems and exchanges. Each of these has its own cybersecurity posture. Complicating matters, experts are not always clear on how to define and classify cyber incidents.

Without discounting the possibility that future risk events could be more severe than past events, we examine public information on past cyber incidents to better understand the current risk landscape.

Cyber incidents include a broad set of malicious and non-malicious events

A cyber incident is any event that jeopardizes the confidentiality, integrity or availability of information systems or that violates policies on the acceptable use of information.1

This includes both malicious and non-malicious events, such as:

  • unintended misuse of information (e.g., accidental public disclosure of customer data)
  • intended misuse of information (e.g., inappropriate sale of customer data)
  • information technology (IT) errors that cause widespread outages or losses2
  • insider threats, where an insider or former insider misappropriates information3

This note highlights data available to help quantify cyber risk. We examine what the data tell us about how firms may view malicious cyber incidents—their perceived impact and frequency—and we draw attention to how this perception compares with the data on non-malicious cyber incidents.

Data can help us understand the risks

We use the Advisen cyber loss dataset, which includes over 90,000 cyber incidents across all industry sectors worldwide.4 We highlight global trends rather than trends in Canada. This allows us to take advantage of more data and incorporate global threats affecting both foreign-domiciled financial institutions operating in Canada and Canadian financial institutions operating abroad.

Most cyber and operational risk incidents go unreported. Typically, only the larger and more egregious incidents become public and are included in the Advisen and similar databases.5 Only a subset of these included incidents will contain information on loss size. Furthermore, only certain losses (e.g., dollars stolen, fines and legal judgments) will be reported. Other loss forms, such as productivity or certain response costs (Jones and Freund 2014), are often not reported publicly.

Finally, other kinds of costs such as spillover effects on other firms and spending on cyber security (either before or in response to the event) are also often unreported.6 As a result, our findings likely represent a lower bound in terms of losses.

These data skew toward the larger types of losses that are more likely to become public. The results speak to how often public cyber incidents occurred and how much public cyber incidents have cost firms.

Malicious and privacy incidents are more frequent, but implementation errors cost more

We divide the Advisen data into three categories:

  • malicious cyber incidents, also known as cyber attacks—where the threat actor is intending to do harm (e.g., ransomware attacks, hacking incidents or data theft by employees)
  • privacy and lost data incidents—where the firm has inadvertently misused or lost information
  • IT implementation and processing errors—where the incident occurs while firms are maintaining, upgrading or replacing IT hardware or software assets

The vast majority of cyber incidents in the financial sector have been either privacy and lost data incidents or malicious incidents (Chart 1). The higher frequency, higher median losses7 and lower loss variation (lower standard deviation) shown for privacy and lost data incidents are likely due to two factors. First, public reporting requirements have been in place for a longer period for privacy incidents than for malicious cyber incidents. Second, it has been relatively easier to assign fault in privacy cases than in malicious cyber cases; therefore, more cases have come forward and outcomes have been more certain. Liability for malicious cyber incidents is still evolving, and indications are that it will increase in the future.8

What the data do show is that because of their frequency and sizeable cost per incident, privacy and lost data incidents are also important for financial institutions. This also highlights the need for jurisdictions to have strong laws to protect data and privacy.

Chart 1: Finance and insurance sector cyber incidents

Chart 1: Finance and insurance sector cyber incidents

Sources: Advisen cyber loss data (all years), July 2019; US Bureau of Labor Statistics Consumer Price Index (accessed through Federal Reserve Economic Data); Bank of Canada calculations

The frequency of IT implementation and processing errors is low, while losses and loss variation far exceed those reported for other cyber incident types (Chart 1). IT change events can be high risk to a financial firm and the system.9 We focus here on median losses because they are closer to a firm’s typical experience. A few high-loss incidents substantially skew average losses, and the highest-loss events have tended to be IT implementation and processing errors.

Median losses for malicious cyber incidents—the category of incident that typically generates the most public concern and media attention—were relatively low. Cyber attacks on the financial system have typically been “low and slow.” Cyber attackers are generally patient and want to quietly steal money from financial institutions. While this may be the typical experience so far, this may not always be the case. Moreover, these data cannot capture all the potential implications for financial stability and national security arising from malicious cyber incidents. The universe of malicious cyber risk scenarios is more likely to include those based on single points of failure or zero-day exploits.10

The data show that cyber incidents are more common in the financial sector

The financial sector experienced the highest number of malicious cyber incidents and privacy and lost data incidents of any sector, and the second-highest number of IT implementation and processing errors (Chart 2).

Chart 2: Share of total incidents by NAICS sector

Chart 2: Share of total incidents by NAICS sector

Sources: Advisen cyber loss data, July 2019 (all years); US Bureau of Labor Statistics Consumer Price Index (accessed through Federal Reserve Economic Data); Bank of Canada calculations; North American Industry Classification System (NAICS)

For losses, the financial sector stands out less. For malicious cyber incidents, the median loss for the finance sector was slightly above the median loss across all sectors (Chart 3).

For privacy and lost data incidents, the median loss for the financial sector was above the median loss across all sectors. The median loss for the financial sector was highest for IT implementation and process errors, and it was well above the median loss across all sectors.

Chart 3: Median losses by cyber incident type

Sources: Advisen cyber loss data, July 2019 (all years); US Bureau of Labor Statistics Consumer Price Index (accessed through Federal Reserve Economic Data); Bank of Canada calculations

External actors are the most common malicious threat

We group malicious cyber incidents across all sectors into:

  • internal sources (current and former employees and consultants)
  • external sources (criminals, terrorists, nation states or hacktivists)

Most of the publicly known malicious cyber incidents have come from external sources (Chart 4).11 Median losses have been higher for external-source incidents as well. This is also the case in the finance sector. Avoidance, resistance and deterrence controls for internal risks (e.g., background checks, access policies and monitoring notifications) likely lower the frequency and potential damage from these sources of malicious cyber incidents.

Chart 4: Malicious cyber incidents by NAICS sector and threat source

Sources: Advisen cyber loss data, July 2019 (all years); US Bureau of Labor Statistics Consumer Price Index (accessed through Federal Reserve Economic Data); Bank of Canada calculations; North American Industry Classification System (NAICS)

The prevalence of malicious internal-source cyber incidents in the financial sector was near the average across all sectors and less than other sectors that also handle large quantities of sensitive data (e.g., health care) (Chart 5).

Chart 5: Share of malicious cyber incidents from internal actors by NAICS sector

Chart 5: Share of malicious cyber incidents from internal actors by NAICS sector

Sources: Advisen cyber loss data, July 2019 (all years); Bank of Canada calculations; North American Industry Classification System (NAICS)

We need to build resilience to all cyber incident types

Cyber incidents are frequent in the financial sector, and financial institutions have faced higher direct costs than firms in other sectors. A substantial number of these cyber incidents are malicious, most originating from external actors.

But cyber events include more than just malicious cyber incidents. A financial institution’s mishandling of information under its control can carry similar liability and may be more frequent than malicious incidents. This reinforces the need for information security policies of financial institutions to extend beyond the IT department and include more than the malicious use of information.

Errors in IT implementation and process change are also cyber incidents. While rare, they have been much costlier for firms. In some cases, they have had profound effects on the delivery of financial services (UK Parliament 2019). Before any major IT change, firms should review their risk-mitigation strategies. Authorities should also do their own risk assessments when significant market players or highly interconnected institutions make large-scale IT changes.

Authorities have an important role in ensuring that cyber threats are adequately addressed, especially those with the potential to threaten financial stability. There is a public good benefit from a resilient financial system. The Bank of Canada has introduced initiatives to improve the financial sector’s cyber resilience, including the establishment of the Canadian Financial Sector Resiliency Group and an initiative to enhance the cyber resilience of the wholesale payments ecosystem.

Our analysis reinforces the view that cyber is and will remain a key vulnerability in the financial system. Moreover, the cyber risk to the financial system is multi-faceted, including more than the malicious attacks that dominate headlines. While such attacks remain a key component and area of concern, financial firms also need to guard against internally generated data leaks and IT operational risks. A holistic view is needed to fully grasp the nature of this risk.

Endnotes

  1. 1. Cyber Lexicon, Financial Stability Board, November 12, 2018.[]
  2. 2. For example, the loss at Knight Capital is described in Mackenzie and Massoudi (2012).[]
  3. 3. See, for example, Arsenault (2019) and Berthelsen, Turton and Surane (2019).[]
  4. 4. The earliest cyber incident captured in the Advisen cyber loss dataset occurred in 1973; however, over 90 percent of the cyber incidents in the dataset occurred after 2008.[]
  5. 5. Public reporting of cyber incidents has increased as public reporting requirements have been established. See CSA (2017) and SEC (2018) for examples of these requirements.[]
  6. 6. International Data Corporation (IDC) estimates that spending on various forms of cybersecurity is expected to reach US$134 billion by 2022 (IDC 2018).[]
  7. 7. Throughout the paper, average- and median-loss information is calculated with reference to the number of incidents where losses have been reported, not the total number of incidents. Losses are provided in less than 10 percent of cyber incidents included in the Advisen dataset.[]
  8. 8. See, for example, Wm Morrison Supermarkets PLC v Various Claimants (2018), which established that employers can be held vicariously liable for data breaches stemming from rogue employees (Field LLP 2019), and McGrath v Marriott International, Inc. et al., which highlights the shareholder class action lawsuits that have become common in response to data breaches.[]
  9. 9. Although we have yet to see a systemic cyber incident in the financial sector, some of the best examples of prolonged outages—those that had the potential to impact confidence in the financial system—have been due to errors in IT implementation and processing. See, for example, the IT implementation errors at TBS bank (Monaghan 2018) and Royal Bank of Scotland (Masters, Moore and Pickard 2012).[]
  10. 10. In risk analysis, two types of risk scenarios are likely to be particularly damaging when they occur. In fragile condition scenarios, the vulnerability to attack is zero until a control fails and then all attacks are successful (e.g., single point of failure). In unstable condition scenarios, all attacks would be successful but have not occurred because threats are not aware of the attack type (e.g., zero-day exploits).[]
  11. 11. Malicious insiders, given their access and knowledge of an institution, can be significant threats. But they are not as prevalent as is typically reported. Industry reports tend to bundle data about malicious and non-malicious insiders together.[]

References

  1. Arsenault, J. 2019. “Desjardins Security Breach Affected 4.2 Million Clients, Many More Than Initially Reported.” Canadian Press, November 1.
  2. Berthelsen, C., W. Turton and J. Surane, 2019. “Tipster’s Email Led to Arrest in Massive Capital One Breach.” Bloomberg, July 30.
  3. Canadian Securities Administrators (CSA). 2017. “Disclosure of Cyber Security Risks and Incidents.” CSA Multilateral Staff Notice 51-347, January 19.
  4. Field LLP. 2019. “Canada: Case Summary: Wm Morrison Supermarkets PLC v Various Claimants.” Mondaq, last updated January 3, 2019.
  5. International Data Corporation (IDC). 2018. Worldwide Semiannual Security Spending Guide, October 4.
  6. Jones, J. and J. Freund. 2014. Measuring and Managing Information Risk. Butterworth-Heinemann.
  7. Mackenzie, M. and A. Massoudi. 2012. “NYSE Cancels Trades After Algo Glitch.” Financial Times, August 1.
  8. Masters, B., E. Moore and J. Pickard. 2012. “The Upgrade That Downed Royal Bank of Scotland.” Financial Times, June 25.
  9. Monaghan, A. 2018. “Timeline of Trouble: How the TSB IT Meltdown Unfolded.” Guardian, June 6.
  10. Security and Exchange Commission (SEC). 2018. “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” SEC Release Nos. 33-10459; 34-82746, February 21.
  11. UK Parliament. 2019. “Regulators Must Act to Reduce Unacceptable Number of IT Failures in Financial Services Sector, Warns Treasury Committee.” UK Parliament website, October 28.

Disclaimer

Bank of Canada staff analytical notes are short articles that focus on topical issues relevant to the current economic and financial context, produced independently from the Bank’s Governing Council. This work may support or challenge prevailing policy orthodoxy. Therefore, the views expressed in this note are solely those of the authors and may differ from official Bank of Canada views. No responsibility for them should be attributed to the Bank.

JEL Code(s): G, G2, G28, M, M1, M15, O, O3, O33, O38