The financial system is the linchpin of society and the global economy, yet it remains unclear who is responsible for protecting it against cyber attacks. Those lines of responsibility have been further blurred as digitalization turns financial service firms into tech companies and tech companies into financial service firms—a trend only accelerated by the coronavirus pandemic.

National security agencies prioritize threats that cause loss of life or physical damage to public infrastructure, because no one dies and nothing explodes when a cyber attack hits the financial sector. For their part, most central banks have limited experience dealing with either cyber threats or the national security agencies whose involvement is necessary to defend against and counter them. Rising geopolitical tensions and inaction by states have left industries frustrated and customers at risk.

Geopolitical tensions and inaction by states have left industries frustrated and customers at risk.

Meanwhile, several governments and many more nonstate actors have used digital tools to defraud, disrupt, and otherwise threaten financial institutions. North Korea has stolen some $2 billion over the past decade—more than three times what it generated through counterfeit activity over the four decades prior. Wall Street firms asked the White House for help when Iranian hackers targeted them with massive distributed denial of service (DDoS) attacks in 2012. More dangerous attacks and ensuing shocks should be expected. Most worrisome would be incidents that corrupt the integrity of financial data, algorithms, and transactions.

Individual governments, financial firms, and tech companies cannot adequately redress these challenges alone. The 2016 Bangladesh cyber incident was a wake-up call, highlighting the potential systemic consequences of a cyber attack. It triggered a flurry of efforts to catch up with the new realities, but many lacked a clear long-term vision.

More dangerous attacks and ensuing shocks should be expected.

Thankfully, collaborative work has begun to identify best practices for cybersecurity and lessons for further international cooperation. This includes the G7’s Cyber Experts Group and the capacity-building conference series hosted by the International Monetary Fund (IMF). Carnegie has led one such cybersecurity initiative—with support from the World Economic Forum, the IMF, central banks, finance ministries, the financial messaging platform SWIFT, and other financial firms—and will release in late 2020 a strategy to improve the resilience of the global financial system. A separate campaign focuses on strengthening capacity to implement these recommendations while attending to related policy goals, such as advancing financial inclusion worldwide.

  • Tim Maurer