The proliferation of outside fintech companies supplying financial institutions with cloud computing and other data services is a potential weak link in the cyberdefences protecting Canada’s financial system, a top Bank of Canada official said.
The problem is that a lot of the work done by these third-party companies is “outside the purview of system regulators,” Bank of Canada chief operating officer Filipe Dinis warned Wednesday at a Payments Canada conference in Toronto.
The interconnections between regulated financial institutions and outside players may pose a risk to the financial system as a result of cyber threats, Mr. Dinis said.
“Individual firms in the financial system know their own business but don’t always understand all their connections with others,” Mr. Dinis pointed out. “This can lead to decision making that ignores threats to the system.”
Canadian financial institutions process $175-billion in cash payments and half-a-billion dollars in stock and bond trades every day. Mr. Dinis said these massive flows have become a favoured target of online criminals.
Individual institutions generally have strong defences to prevent theft and privacy breaches, he said.
“Our concern is not with individual firms but with the interconnections among them,” Mr. Dinis explained.
“It is no longer enough for each institution to maintain its own alarm system. While doing so provides a certain level of protection and comfort, we need to invest in system-wide defences.”
The Bank of Canada, which regulates the payment system, has been working with the country’s Big Six banks in recent months to bolster the system’s ability to recover from a major cyber intrusion. Mr. Dinis said the goal is to have a “rapid, collaborative approach” to getting the system up and running again in the event of a prolonged outage caused by a security breach.
In a speech last December, Bank of Canada Governor Stephen Poloz acknowledged that he’s kept “awake at night” by the thought that a cyber attack could knock out the payments system.
“A problem in one institution may spread to others and be amplified,” Mr. Poloz said. “As such, a successful cyber attack on one institution can become a successful attack on many.”