Dr. David Mussington worked at the White House on the Obama Administration National Security Council Staff, is a Professor of the Practice at the University of Maryland School of Public Policy, and a CIGI Senior Fellow. In 2014, Dr. Mussington led a cybersecurity gap analysis and strategy study for the Bank of Canada.
In a speech this past December, Stephen Poloz, Governor of the Bank of Canada, said the threat of cyberattacks on the financial system keeps him awake at night. Unfortunately for Mr. Poloz and his sleep habits, this threat will not be diminishing any time soon – and all of us are at risk.
The risks posed to financial systems by cyberattacks are enormous. Canada's major payments systems handle millions of transactions a day, worth billions of dollars. If there is an attack on an institution or one of the applications it uses to operate, the resulting disruption – even a brief one – would strike a massive blow to the economy.
An additional risk for Canada is that its financial institutions are closely interconnected with each other. That makes it more likely that if one institution is compromised or attacked, the damage will spread to others, magnifying the effects.
That said, the financial system is widely regarded as being more prepared than other critical infrastructure sectors to cope with the threats posed by cyberattacks. Concepts of operational risk and risk management are well understood in banking and insurance circles. This background has allowed them to develop more sophisticated risk-management thinking in the cybersecurity arena.
For example, the Bank of Canada is permitted by law to oversee financial payments systems to make sure they follow risk-management practices aimed at safeguarding them from cyberattacks. A recent report from the Financial Stability Board shows that two-thirds of its member jurisdictions had regulations or guidelines in place to address cybersecurity risk in the financial sector.
But the slow, deliberate operational risk orientation of the financial sector is set to collide with several new developments that are disruptive by nature – including cryptocurrencies such as bitcoin. This leads to an important question for the financial sector: Is the progress it has achieved so far a harbinger of future risk-management mastery, or a false dawn?
As cryptocurrencies become more popular and valuable, they become a more attractive target for cybercriminals. Cryptocurrency wallets or exchanges, where a third-party provider stores customers' cryptocurrency holdings, can be particularly vulnerable to hackers. Because cryptocurrency transactions are made without any centralized monitoring systems to track them, consumers who find their holdings stolen by hackers are often left with no recourse to recover them. In the most notorious cryptocurrency hack, against the Mt. Gox exchange in 2014, about 25,000 customers lost hundreds of millions of dollars' worth of bitcoins. Just last month, about US$530-million worth of a cryptocurrency called NEM was lost when the Coincheck exchange was hacked. Coincheck reacted by freezing all transactions, and a lawsuit has been filed to allow traders to withdraw their remaining funds.
In cases such as these, when consumers' cryptocurrency assets vanish irretrievably, financial institutions are among the creditors that get stuck with the loss. Given the extreme volatility of cryptocurrencies and the speculation involved, there is also a risk this could happen even without hacking.
Financial institutions have taken great strides in protecting themselves against cyberattacks using risk-management approaches, but they should not be lulled into a premature sense of complacency.
As more and more customers enter the cryptocurrency market, including many who lack an understanding of the cybersecurity principles they need to keep their holdings safe, financial institutions need to develop new models of risk management and mitigation to protect themselves – and the economy as a whole.
The CyberCanada Senior Leadership Summit will take place on Feb. 28 and March 1 at the Globe and Mail Centre in Toronto, engaging Canadian corporate board members, C-suite executives and government policy makers on cyberresilience. It aims to provide enterprise leaders with tools and approaches to proactively manage risk and protect assets. The Summit is a partnership of the Council of Canadian Innovators, the Centre for International Governance Innovation, Boston Consulting Group's Centre for Canada's Future and The Globe and Mail.