Transmission of Cyber Risk Through the Canadian Wholesale Payment System

In response to growing concerns about cyber and other operational risks—such as those related to climate change—international organizations, central banks and private sector entities have taken collaborative actions to increase the operational and data resilience of financial institutions and financial market infrastructures, including payment systems. In Canada, the Bank of Canada has established and leads the Canadian Financial Sector Resiliency Group and the Resilience of Wholesale Payments Systems (RWPS) initiative, which both offer a forum for coordinating a national sectoral response to systemic operational incidents, such as cyber attacks (see Dinis 2021 for details). 

As part of the RWPS initiative, this paper studies how the impact of a cyber attack that paralyzes one or multiple banks' ability to send payments would transmit to other banks through the Canadian wholesale payment system. Based on historical payment data, we simulate a wide range of scenarios and evaluate the total payment disruption in the system. We find that depending on the type and number of banks under attack, the time of the attack and the design of the payment system, a cyber attack can quickly become systemic and result in a significant loss of liquidity throughout the system. We also demonstrate that the system-wide impact of an attack can be significantly reduced by having contingency plans that enable attacked banks to continue to send high-value payments. Given the interconnectedness of banks, we conclude that the cyber resilience of a wholesale payment system depends strongly on the cyber resilience of its participants, and we underline the importance of strong sectoral collaboration and coordination.