Welcome everyone to the sixth annual Cybersecurity Workshop and Happy New Year. I am very pleased that we are back in person, hosting this important event at our head office in Washington, D.C. This comes after a gap of two years when the pandemic forced us to meet virtually only. I hope you are as thrilled as I am by the opportunity to be joined by almost 90 in-person participants and a similar number of online ones from over 60 countries to discuss how to enhance cybersecurity in the financial sector.
This year, we explore cyber resilience through disruptions. We ask: What key lessons can be drawn from recent geopolitical conflicts? What cybersecurity challenges could arise as new forms of money and technology alter the financial landscape? And finally, how can we foster effective regulation and supervision of cyber risks, and achieve operational and cyber resilience that will ensure the delivery of critical financial services even when disruptions are likely?
Before exploring these three questions, I would like to extend special thanks to our co-sponsor, the Financial Sector Stability Fund, for making this workshop possible with its generous contributions. I am also deeply grateful to our speakers for joining our workshop and sharing their invaluable knowledge and experience.
Last year, we had the opportunity to engage with some of our member countries that were targeted by cyber-attacks that disrupted the delivery of public services. The severity of these attacks serves as a reminder for us all. If we want to successfully drive change through greater digital connectivity, we must address the underlying vulnerabilities. To expand on my thoughts, let me return to my three questions.
What have we learned from recent geopolitical conflicts?
Disputes can arise for many reasons, and when differences are not settled through diplomacy, they could needlessly deteriorate into wars—including in cyberspace. In the modern age, as warfare goes online, we are more likely to witness cyber-attacks and the use of state-of-the-art technology. Compounding the problem, cyber-attacks often spillover and generate a much broader impact than originally intended.
Cyber incidents could come with great uncertainty and complexity. Perpetrators and their motivations are often obscure. Cyber operations could involve commercial, government, or military targets. Recent incidents demonstrate the ability of computer hackers to cripple a country’s critical infrastructure. Electricity, water, telecommunications, and transportation are among these essential infrastructures—those that help a society and economy function. Third-party service providers that are part of the complex supply chains could also be disrupted.
The financial sector continues to be a target of choice for criminal gangs and other types of attackers. For the financial sector, critical infrastructure includes systems for clearing, settling, or recording payments, securities, derivatives, or other financial transactions. Given their systemic importance in most jurisdictions, their operations and cyber resilience are subject to a high degree of oversight to ensure their safety and efficiency. Preparedness is key across the different types of cyber-attacks—phishing, supply chain attacks, or ransomware, for example—that could unfold because of geopolitical conflicts.
Which takes me to my second question.
What cybersecurity challenges could arise with the transformation of the financial landscape?
Fintech—such as new and emerging forms of digital money and finance—has financial stability benefits and risks that need to be carefully weighed. As I mentioned earlier, greater digitalization brings greater vulnerabilities. As more systems and devices are connected and depend on computer software to function, this widens the attack surface. The interconnectedness poses challenges for financial stability. As the financial sector adopts newer technologies and requires greater involvement of third and fourth parties, emerging concentrations of technology, vendors, and service providers assume systemic proportions.
In addition, there is a window of vulnerability because of the inevitable delay between discovering and patching security bugs. When these bugs are found by bad actors first, they have the potential to create major disruptions.
In recent times, cyber incidents have involved the hacking of cryptocurrency exchanges. The ability of criminals to steal and rapidly move large amounts of crypto assets reminds us of operational and financial risks. They are real, potentially systemic, and need to be addressed. Similarly, cybersecurity considerations are a precondition for the issuance of central bank digital currencies. This is to protect the integrity, privacy, and finality of payments, among others.
At this point, let me pose my third and final question.
How could we ensure effective regulation and supervision of cyber risks, and achieve operational and cyber resilience?
Given its mandate to promote the stability of the international monetary system, the IMF has made efforts on many fronts to address this question. Let me share some key observations and initiatives to date.
In international fora, including the Financial Stability Board, there are notable policy developments for the financial sector that the IMF is proud to be contributing to. Efforts are underway to harmonize the regulatory reporting of cyber incidents to promote fast response and recovery, thus protecting financial stability. International standard-setting bodies prioritize operational and cyber resilience across institutions, markets, and infrastructures, establishing expectations for the continuity of critical business services through disruption. Shortcomings in the cyber resilience of financial market infrastructures, in particular, need to be addressed as there remain gaps in their response and recovery times under extreme cyber-attack scenarios and testing arrangements.
On the surveillance front, formal assessments of cybersecurity risk supervision and oversight have helped monitor developments and strengthen policy frameworks across member countries. In 2020, the IMF began to include the assessment of this frontier topic as part of its Financial Sector Assessment Program (FSAP) for selected jurisdictions. This complements and deepens the assessment of operational risks in the banking sector and the underlying financial market infrastructures, which are broader in scope.
On capacity development, efforts to enhance the regulation and supervision of cyber risks have been very beneficial to member countries. Apart from hosting annual cybersecurity workshops such as the one starting today, the IMF has proactively developed online tools to enhance the knowledge and skills on cybersecurity and trained officials through regional workshops. Bilateral technical assistance has focused on developing and strengthening cybersecurity regulations and supervisory frameworks.
Let me now conclude.
Looking ahead, achieving operational and cyber resilience in the face of disruptions will be a key challenge.
Geopolitical conflicts could, and indeed have spilled over into cyberspace, generating cyber-attacks. The structural transformation of the financial landscape will create new opportunities and risks, including for cybersecurity. And finally, effective regulation and supervision of cyber risks and achievement of cyber resilience will depend on international collaboration, information sharing, cooperation among relevant authorities, and commitment to work together.
In conclusion, a collective effort is needed. I am confident that this workshop will provide yet another contribution toward that direction.