Cyber-attacks on financial institutions and financial market infrastructures are becoming more common and more sophisticated. Risk awareness has been increasing, firms actively manage cyber risk and invest in cybersecurity, and to some extent transfer and pool their risks through cyber liability insurance policies. This paper considers the properties of cyber risk, discusses why the private market can fail to provide the socially optimal level of cybersecurity, and explore how systemic cyber risk interacts with other financial stability risks. Furthermore, this study examines the current regulatory frameworks and supervisory approaches, and identifies information asymmetries and other inefficiencies that hamper the detection and management of systemic cyber risk. The paper concludes discussing policy measures that can increase the resilience of the financial system to systemic cyber risk.

The ability of attackers to undermine, disrupt and disable information and communication technology systems used by financial institutions is a threat to financial stability and one that requires additional attention.

Cyber risk has emerged as a key threat to financial stability, following recent attacks on financial institutions. This paper presents a novel documentation of cyber risk around the world for financial institutions by analyzing the different types of cyber incidents (data breaches, fraud and business disruption) and identifying patterns using a variety of datasets. The other novel contribution that is outlined is a quantitative framework to assess cyber risk for the financial sector. The framework draws on a standard VaR type framework used to assess various types of stability risk and can be easily applied at the individual country level. The framework is applied in this paper to the available cross-country data and yields illustrative aggregated losses for the financial sector in the sample across a variety of scenarios ranging from 10 to 30 percent of net income.

This paper highlights the emerging supervisory practices that contribute to effective cybersecurity risk supervision, with an emphasis on how these practices can be adopted by those agencies that are at an early stage of developing a supervisory approach to strengthen cyber resilience. Financial sector supervisory authorities the world over are working to establish and implement a framework for cyber risk supervision. Cyber risk often stems from malicious intent, and a successful cyber attack—unlike most other sources of risk—can shut down a supervised firm immediately and lead to systemwide disruptions and failures. The probability of attack has increased as financial systems have become more reliant on information and communication technologies and as threats have continued to evolve.

Cyber risk, defined as the risk of loss from dependence on computer systems and digital technologies, has grown in the financial system. Cyber events, especially cyberattacks, are among the top risks cited in financial stability surveys in the United States and globally.

Financial technology (fintech) is emerging as an innovative way to achieve financial inclusion and the broader objective of inclusive growth. Thus far, fintech in the MENAP and CCA remains below potential with limited impact on financial inclusion. This paper reviews the fintech landscape in the MENAP and CCA regions, identifies the constraints to the growth of fintech and its contribution to inclusive growth and considers policy options to unlock the potential.

During recent decades, the global financial system has become more digitalised and interconnected. For its functioning, the real economy requires the financial system to perform a range of key economic functions reliably. These include payment services, securities trading, settlement services and deposit taking, among others. These processes have become increasingly digitalised, creating new and important interdependencies. Hence, the financial system has come to rely critically on robust information and communications technology (ICT) infrastructures and the confidentiality, integrity and availability of data and systems. It follows that key economic functions can be disrupted through cyber incidents that affect the information systems and data of financial institutions and financial market infrastructures. Understanding the impact of such disruptions on financial stability is the focus of this report. Cyber risk is characterised by three key features that, when combined, fundamentally differentiate it from other sources of operational risk: the speed and scale of its propagation as well as the potential intent of threat actors. The interconnectedness of various information systems enables cyber incidents to spread quickly and widely. Some recent incidents have demonstrated actors' ability to penetrate the networks of large organisations and incapacitate them quickly. Cyber incidents can also spread widely across sectors and beyond geographical borders, including to entities which are not the primary target or source of disruption. Malicious cyber incidents are becoming more persistent and prevalent, illustrating the high level of sophistication and coordination that threat actors are able to achieve. The ESRB has developed an analytical framework to assess how cyber risk can become a source of systemic risk to the financial system. The four stages of this conceptual model (context, shock, amplification, systemic event) facilitate a systematic analysis of how a cyber incident can grow from operational disruption into a systemic crisis. In particular, the framework could assist in analysing systemic vulnerabilities that amplify the shock of a cyber incident, and in understanding at which point a cyber incident may become systemic. The ESRB also surveyed its membership to form a view on common individual vulnerabilities across ESRB jurisdictions. Combining these elements, the ESRB has considered a number of historical and hypothetical scenarios. It used these scenarios to try to understand the distinction between severe operational disruption to the financial system, on the one hand, and a systemic crisis, on the other hand.