By Phil Warren (Bank of England), Kim Kaivanto (Lancaster University) and Dan Prince (Lancaster University).
- There is not a uniform view of the link between cyber risk and systemic risk: some assume a direct link whereas others query the connection.
- Beyond nation states, the vast majority of independent cyber attackers are currently unlikely to have the capability to systemically impact the financial sector.
- The financial sector has a large number of environmental features which are conducive to a systemic cyber compromise.
- There are no current examples of systemic cyber risk crystallising and impacting the real economy, but this does not prove an absence of risk.
- We conclude there is a credible case to link cyber risk to systemic risk in the financial sector.
- Recommendations for future consideration include:
  - Further development of the intelligence-led approach to cyber security.
  - Policy responses that seek to cut through sectoral, geographical and public/private boundaries.
  - Organisations should accept that compromises are likely to happen and therefore prioritise response and recovery activities.
  - Undertake further studies to better understand the relationship between data integrity and authenticity, trust in financial services and the potential for real-economy impact via a cyber attack.
  - A specific focus on risks associated with third-party dependencies.