The European Systemic Risk Board (the “ESRB”) has published a report on cyber risks and incidents, which, owing to the interconnectedness of various information systems, spread quickly and widely.
The ESRB has found that cyber incidents are becoming more persistent and prevalent. It is therefore unsurprising that no organisation is immune from such attacks. In fact, recent incidents involving large high-profile organisations illustrate how sophisticated and coordinated such attacks have become. Cyber incidents can also spread widely across sectors and beyond geographical borders, including to entities which are not the primary target or source of disruption.
The ESRB characterises attacks by three key features that, when combined, fundamentally differentiate them from other sources of operational risk: the speed and scale of their propagation, as well as the potential intent of threat actors.
In a bid to tackle such threats and prevent wider harm to the market, the ESRB has developed an analytical framework to assess how cyber risk can become a source of systemic risk to the financial system. The four stages of this model (context, shock, amplification, systemic event) analyse how a cyber incident can grow from operational disruption into a systemic crisis.
The ESRB also surveyed its membership to form a view on common individual vulnerabilities across ESRB jurisdictions. The information gleaned from this will help it understand the distinction between severe operational disruption to the financial system, on the one hand, and a systemic crisis, on the other hand.
The ESRB also noted that, in order to mitigate further the risk of a systemic cyber incident materialising, more work is required to address system vulnerabilities and reduce the potential for widespread disruption. This will require engagement and coordination between stakeholders, as well as consistent and clear communication from authorities in order to set standards and mitigate potential harm.