From Russian hackers to credit card data breeches, cybersecurity risks and digital threats are of increasing concern to the financial services industry, and the Bank of Canada is taking note.
The central bank's twice-annual Financial System Review released on Thursday said that cyberthreats against financial institutions have become more complex and frequent in recent years. Such risks have become a point of "structural vulnerability" that is likely to persist for the long term.
"The increasing incidence and severity of cyberattacks highlight a particular threat to financial institutions," the FSR document states, adding that the "interconnectedness of the financial system could lead to rapid transmission of stress" from such an attack.
The country's largest financial firms including banks and insurers have expressed concerns about the rise of cyberrisks, with leaders such as Bank of Nova Scotia's chief executive officer Brian Porter pledging to make investments in technology to ward off threats.
Other public incidents ranging from the e-mail impersonation that fooled Bank of England Governor Mark Carney to a massive theft at Bangladesh Bank earlier this year have shown that digital criminals cast a wide net for targets. The possibility that hackers meddled in the 2016 U.S. presidential election has also loomed large, with the issue resurfacing as former FBI director James Comey testified at Thursday's U.S. Senate Select Committee on Intelligence.
"Our view is that this problem is serious today, and going to get worse," said Richard Nesbitt, chief executive of the Global Risk Institute for Financial Services (GRI) in Toronto. "Technology is going to continue to advance and it's going to challenge the cybersecurity systems that are used today."
The Canadian financial system is vulnerable to attacks on two fronts, the FSR noted. First, there's the risk that the infrastructure banks, insurers and investment firms use could be compromised directly. Then there's the risk of contagion, where a cyberattack on the financial industry could have an impact on non-financial sectors, such as telecommunications, energy and utilities.
A large attack could shake public confidence in the financial system and cause economic consequences that could ripple across Canada, the FSR report states.
In recent years cyberinsurance has emerged as one way to combat the risk of financial harm to companies stemming from data breeches and other cyberliabilities. But such policies have limitations on what they will cover, and there's relatively limited data for the insurance industry to draw upon to underwrite and price such products. Cybersecurity insurance is still an emerging product, the report said, adding that policies can't "fully insure against an attack with systemic effects."
The FSR said that the public sector should play a part in co-ordinating cyberdefences. The report notes that "a successful cyberattack could have broad spillovers and could damage confidence in the financial system, affecting far more than the original target. Protecting against an attack, therefore, has benefits beyond an individual institution and can be considered a public good."
Mr. Nesbitt said the Bank of Canada's statements will help draw broader attention to the issue of cyberrisk across corporations.
"The march of technology is going to make systems increasingly vulnerable. Let's face it, it's kind of an arms race – the bad guys versus the people trying to protect us from them," Mr. Nesbitt said. "It's way better if we combine resources in a co-ordinated way – industry, government, academia – in order to solve these problems."