Financial institutions lose $12bn to cyber attacks in 20 years — IMF

105

The International Monetary Fund (IMF) has revealed that over the last two decades, financial institutions worldwide have suffered losses totaling $12 billion due to cyber attacks.

This information was unveiled in the ‘Global Financial Stability Report, April 2024’ published by the IMF. The organization highlighted the significant vulnerability of the financial sector to cyber threats, noting that approximately one-fifth of all reported cyber incidents in the past twenty years have impacted the financial industry. Banks emerged as the primary targets, followed by insurers and asset managers.

IMF further stated that financial institutions have incurred losses amounting to $2.5 billion since 2020.

“Financial firms have reported significant direct losses, totaling almost $12 billion since 2004 and $2.5 billion since 2020.

“Financial institutions in advanced economies, particularly in the United States, have been more exposed to cyber incidents than firms in emerging market and developing economies.

“JP Morgan Chase, for example, the largest US bank, recently reported experiencing 45 billion cyber events per day while spending $15 billion every year and employing 62,000 technologists, many focused on cyber-security,” IMF stated.

Cyber incidents, according to IMF, are key operational risks that could threaten  the  operational resilience of financial institutions and hurt  overall  macroeconomic  stability.

“A cyber incident at a financial institution or at a country’s critical infrastructure could generate macro financial stability risks through three key channels: loss of confidence, lack of substitutes for the services rendered, and interconnectedness.

“While cyber incidents thus far have not been systemic, ongoing rapid digital transformation and technological innovation (such as artificial intelligence) and heightened global geopolitical tensions exacerbate the risk,” the report added.

The IMF noted that while direct losses reported by firms due to cyber incidents have been relatively small thus far, there is a potential for them to escalate significantly.

“Based on available data, the median reported direct loss to a firm from all cyber incidents has been about $0.4 million, and three-fourths of the reported losses are below $2.8 million.

“Although losses from malicious incidents have been more than five times as large as those from nonmalicious incidents, at around $0.5 million, the magnitude of losses in absolute terms has been generally modest as well.

“For example, most cyber extortions, such as ransomware attacks, or malicious data breaches have resulted in losses of up to $12 million.”

IMF said the distribution is, however, heavily skewed, with some occurrences imposing losses of hundreds of millions of US dollars,” the Bretton Wood institution said.