Cybersecurity is an area of increasing priority for decision-makers in all sectors of the economy. This is especially true for sectors whose business models rely on highly networked infrastructures. The financial services sector adopted computer-based tools very early to meet its growing need for complex and agile calculations. Despite this, technical, organisational and conceptual security were never part of these early adopters' considerations. Although the financial sector is in a more mature position than other industries in terms of cybersecurity, its standard of cybersecurity also depends on regulatory requirements and on the perception that the allocation of resources does not follow the logic of return on investment.

This White Paper first outlines how financial services are complementary to digital processes and how this interplay affects cyber-risks. Second, the paper describes the legal and regulatory aspects of cybersecurity and privacy relevant to the financial industry. It then gives a snapshot of the current cyber-threat landscape and presents a brief taxonomy of current and future attack vectors, case studies and defensive measures. The paper goes on to discuss empirical key findings on the impact of cyber-attacks on intangible assets and how the HERMENEUT methodology can be applied in the financial services sector. The study concludes by providing recommendations on risk mitigation, risk transfer and risk avoidance.

Key findings

  • Cyber-attacks that strike the finance sector in the US produce cascading effects first on the administrative and support services sector. In terms of economic losses, the finance sector is the most affected sector, with losses amounting to US$ 28,958 million. The activities auxiliary to financial services and insurance activities sector follows closely, with up to US$ 24,398 million of economic losses.
  • Over the recovery period, which is assumed to be 180 days, the activities auxiliary to financial services and insurance activities sector is the most affected sector in the early days of the attack, but the finance sector itself catches up with it around 50 days after the attack. This shows the high dependence of the activities auxiliary to financial services and insurance activities sector on the finance sector. The evolution of economic losses in the other sectors closely follows this ranking.
  • Developing a comprehensive cyber-defence strategy is essential to address current cyber-risks adequately and to minimise direct and indirect losses. First, organisations need to understand their threat landscape, and locate and identify their most critical digital assets. Then, they have to act on the risks that exceed their risk appetite by applying technical, organisational and conceptual measures to minimise vulnerabilities. The measures envisaged should not be limited to software or hardware systems, but should also cover organisational considerations.