The Cyber Incident Landscape

Managing cyber is a challenge

The Bank of Canada’s 2019 Financial System Review points to cyber threats and financial interconnections as vulnerabilities for the Canadian financial system.

But for many firms, cyber risk is difficult to quantify. Technology, threat capabilities and complexity in how financial institutions use information are continually advancing. The financial sector is also made up of a wide array of highly connected entities—banks, dealers, asset managers, insurers, payment systems and exchanges. Each of these has its own cybersecurity posture. Complicating matters, experts are not always clear on how to define and classify cyber incidents.

Without discounting the possibility that future risk events could be more severe than past events, we examine public information on past cyber incidents to better understand the current risk landscape.

Cyber incidents include a broad set of malicious and non-malicious events

A cyber incident is any event that jeopardizes the confidentiality, integrity or availability of information systems or that violates policies on the acceptable use of information.1

This includes both malicious and non-malicious events, such as:

• unintended misuse of information (e.g., accidental public disclosure of customer data)
• intended misuse of information (e.g., inappropriate sale of customer data)
• information technology (IT) errors that cause widespread outages or losses2
• insider threats, where an insider or former insider misappropriates information3

This note highlights data available to help quantify cyber risk. We examine what the data tell us about how firms may view malicious cyber incidents—their perceived impact and frequency—and we draw attention to how this perception compares with the data on non-malicious cyber incidents.

Data can help us understand the risks

We use the Advisen cyber loss dataset, which includes over 90,000 cyber incidents across all industry sectors worldwide.4 We highlight global trends rather than trends in Canada. This allows us to take advantage of more data and incorporate global threats affecting both foreign-domiciled financial institutions operating in Canada and Canadian financial institutions operating abroad.

Most cyber and operational risk incidents go unreported. Typically, only the larger and more egregious incidents become public and are included in the Advisen and similar databases.5 Only a subset of these included incidents will contain information on loss size. Furthermore, only certain losses (e.g., dollars stolen, fines and legal judgments) will be reported. Other loss forms, such as productivity or certain response costs (Jones and Freund 2014), are often not reported publicly.

Finally, other kinds of costs such as spillover effects on other firms and spending on cyber security (either before or in response to the event) are also often unreported.6 As a result, our findings likely represent a lower bound in terms of losses.

These data skew toward the larger types of losses that are more likely to become public. The results speak to how often public cyber incidents occurred and how much public cyber incidents have cost firms.

Malicious and privacy incidents are more frequent, but implementation errors cost more

We divide the Advisen data into three categories:

• malicious cyber incidents, also known as cyber attacks—where the threat actor is intending to do harm (e.g., ransomware attacks, hacking incidents or data theft by employees)
• privacy and lost data incidents—where the firm has inadvertently misused or lost information
• IT implementation and processing errors—where the incident occurs while firms are maintaining, upgrading or replacing IT hardware or software assets

The vast majority of cyber incidents in the financial sector have been either privacy and lost data incidents or malicious incidents (Chart 1). The higher frequency, higher median losses7 and lower loss variation (lower standard deviation) shown for privacy and lost data incidents are likely due to two factors. First, public reporting requirements have been in place for a longer period for privacy incidents than for malicious cyber incidents. Second, it has been relatively easier to assign fault in privacy cases than in malicious cyber cases; therefore, more cases have come forward and outcomes have been more certain. Liability for malicious cyber incidents is still evolving, and indications are that it will increase in the future.8

What the data do show is that because of their frequency and sizeable cost per incident, privacy and lost data incidents are also important for financial institutions. This also highlights the need for jurisdictions to have strong laws to protect data and privacy.

The frequency of IT implementation and processing errors is low, while losses and loss variation far exceed those reported for other cyber incident types (Chart 1). IT change events can be high risk to a financial firm and the system.9 We focus here on median losses because they are closer to a firm’s typical experience. A few high-loss incidents substantially skew average losses, and the highest-loss events have tended to be IT implementation and processing errors.

Median losses for malicious cyber incidents—the category of incident that typically generates the most public concern and media attention—were relatively low. Cyber attacks on the financial system have typically been “low and slow.” Cyber attackers are generally patient and want to quietly steal money from financial institutions. While this may be the typical experience so far, this may not always be the case. Moreover, these data cannot capture all the potential implications for financial stability and national security arising from malicious cyber incidents. The universe of malicious cyber risk scenarios is more likely to include those based on single points of failure or zero-day exploits.10

The data show that cyber incidents are more common in the financial sector

The financial sector experienced the highest number of malicious cyber incidents and privacy and lost data incidents of any sector, and the second-highest number of IT implementation and processing errors (Chart 2).

For losses, the financial sector stands out less. For malicious cyber incidents, the median loss for the finance sector was slightly above the median loss across all sectors (Chart 3).

For privacy and lost data incidents, the median loss for the financial sector was above the median loss across all sectors. The median loss for the financial sector was highest for IT implementation and process errors, and it was well above the median loss across all sectors.

External actors are the most common malicious threat

We group malicious cyber incidents across all sectors into:

• internal sources (current and former employees and consultants)
• external sources (criminals, terrorists, nation states or hacktivists)

Most of the publicly known malicious cyber incidents have come from external sources (Chart 4).11 Median losses have been higher for external-source incidents as well. This is also the case in the finance sector. Avoidance, resistance and deterrence controls for internal risks (e.g., background checks, access policies and monitoring notifications) likely lower the frequency and potential damage from these sources of malicious cyber incidents.

The prevalence of malicious internal-source cyber incidents in the financial sector was near the average across all sectors and less than other sectors that also handle large quantities of sensitive data (e.g., health care) (Chart 5).

We need to build resilience to all cyber incident types

Cyber incidents are frequent in the financial sector, and financial institutions have faced higher direct costs than firms in other sectors. A substantial number of these cyber incidents are malicious, most originating from external actors.

But cyber events include more than just malicious cyber incidents. A financial institution’s mishandling of information under its control can carry similar liability and may be more frequent than malicious incidents. This reinforces the need for information security policies of financial institutions to extend beyond the IT department and include more than the malicious use of information.

Errors in IT implementation and process change are also cyber incidents. While rare, they have been much costlier for firms. In some cases, they have had profound effects on the delivery of financial services (UK Parliament 2019). Before any major IT change, firms should review their risk-mitigation strategies. Authorities should also do their own risk assessments when significant market players or highly interconnected institutions make large-scale IT changes.

Authorities have an important role in ensuring that cyber threats are adequately addressed, especially those with the potential to threaten financial stability. There is a public good benefit from a resilient financial system. The Bank of Canada has introduced initiatives to improve the financial sector’s cyber resilience, including the establishment of the Canadian Financial Sector Resiliency Group and an initiative to enhance the cyber resilience of the wholesale payments ecosystem.

Our analysis reinforces the view that cyber is and will remain a key vulnerability in the financial system. Moreover, the cyber risk to the financial system is multi-faceted, including more than the malicious attacks that dominate headlines. While such attacks remain a key component and area of concern, financial firms also need to guard against internally generated data leaks and IT operational risks. A holistic view is needed to fully grasp the nature of this risk.

Endnotes

References

1. Arsenault, J. 2019. “Desjardins Security Breach Affected 4.2 Million Clients, Many More Than Initially Reported.” Canadian Press, November 1.
2. Berthelsen, C., W. Turton and J. Surane, 2019. “Tipster’s Email Led to Arrest in Massive Capital One Breach.” Bloomberg, July 30.
3. Canadian Securities Administrators (CSA). 2017. “Disclosure of Cyber Security Risks and Incidents.” CSA Multilateral Staff Notice 51-347, January 19.
4. Field LLP. 2019. “Canada: Case Summary: Wm Morrison Supermarkets PLC v Various Claimants.” Mondaq, last updated January 3, 2019.
5. International Data Corporation (IDC). 2018. Worldwide Semiannual Security Spending Guide, October 4.
6. Jones, J. and J. Freund. 2014. Measuring and Managing Information Risk. Butterworth-Heinemann.
7. Mackenzie, M. and A. Massoudi. 2012. “NYSE Cancels Trades After Algo Glitch.” Financial Times, August 1.
8. Masters, B., E. Moore and J. Pickard. 2012. “The Upgrade That Downed Royal Bank of Scotland.” Financial Times, June 25.
9. Monaghan, A. 2018. “Timeline of Trouble: How the TSB IT Meltdown Unfolded.” Guardian, June 6.
10. Security and Exchange Commission (SEC). 2018. “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” SEC Release Nos. 33-10459; 34-82746, February 21.
11. UK Parliament. 2019. “Regulators Must Act to Reduce Unacceptable Number of IT Failures in Financial Services Sector, Warns Treasury Committee.” UK Parliament website, October 28.