The European Systemic Risk Board (ESRB) has today published a report on cyber incidents, such as cyberattacks. The report, which also summarises the latest estimates of the costs of cyber incidents, shows that a cyber incident could indeed evolve into a systemic cyber crisis that threatens financial stability. The ESRB has therefore identified cyber risk as one of the sources of systemic risk to the financial system which could have serious negative consequences for the real economy.
In 2017 the ESRB established the European Systemic Cyber Group (ESCG) to investigate systemic cyber risk and examine whether and how a cyber incident could cause a systemic crisis. To answer this question in the absence of historical precedents, the ESCG developed a conceptual framework and has applied it to a range of historical and hypothetical scenarios. The analysis conducted shows that a cyber incident could indeed evolve into a systemic cyber crisis that threatens financial stability. The ESRB has therefore identified cyber risk as a source of systemic risk to the financial system, which may have the potential to have serious negative consequences for the real economy.
While the total costs of cyber incidents are notoriously hard to establish, recent industry estimates range from USD 45 billion to USD 654 billion for the global economy in 2018.
Cyber risk is characterised by three features that, when combined, make it fundamentally different from other sources of operational risk: the speed and the scale of its propagation, and the potential intent of perpetrators. The interconnectedness of various information systems enables cyber incidents to spread quickly and widely. Some recent incidents have demonstrated the perpetrators’ ability to penetrate the networks of large organisations and incapacitate them quickly. Cyber incidents can also spread widely across sectors and beyond geographical borders.
The report also describes when an incident might turn into a “systemic cyber incident” that could threaten financial stability. The key tipping point would occur when confidence in the financial system was so severely weakened that important financial institutions would cease all lending activity because they were no longer willing to lend, as opposed to being (technically) unable to lend.
While standard-setting bodies, national and international authorities, and industry groups are combining their efforts to mitigate cyber risks, the ESRB intends to use its broad institutional composition and network to evaluate the costs and benefits of different policy options aimed at reducing systemic cyber risk.