Why a cyber attack could trigger the next financial crisis

The cost of cybercrime is estimated to hit US$575b per year.

In the modern digital economy cyber attacks and data breaches are inevitable, and without proper regulatory and supervisory capabilities, some regulators in Asia-Pacific believe the next financial crisis might be triggered by a cyber attack. According to Deloitte's Cyber regulation in Asia Pacific report, released today, across the globe and within Asia Pacific cyber attacks are increasing in frequency and sophistication. It is estimated that the cost of cybercrime can be up to US$575bn per year, and the financial services sector is a key target.

"The financial system relies on confidentiality of data, protection of deposits, and provision of critical services, and all of this has come under threat in recent years as the frequency of cyber attacks has increased. Cyber risks are only set to increase as financial institutions become more data-driven digital businesses, and as more financial services are delivered online. If cyber risks and responses are not well managed, it could even threaten the stability of the financial system. Only those financial institutions who have robust cyber security and cyber risk management will be able to retain customers, maintain trust and enhance their competitive edge," said Kevin Nixon, Global & Asia-Pacific Leader, Centre for Regulatory Strategy, Deloitte.

In response to these risks, regulators are considering appropriate standards and supervisory tools, and are actively urging firms to enhance capabilities so as to address these emerging threats. However, the Deloitte Cyber regulation in Asia Pacific report outlines a number of existing challenges Asia Pacific faces in relation to cyber security and examines how regulators across the region are seeking to tackle these.

Here's more from Deloitte:

Although cyber threats cut across borders, regulatory approaches to cyber risk in Asia Pacific are varied and localised, with no significant steps taken yet toward harmonised standards across the region. Financial institutions struggle to understand the regulatory differences at a country level, to be aware of emerging threats and to design cyber risk programs that are coherent and robust across jurisdictions.

Despite that, there is a general consistency with regulatory approaches going beyond just security to focus on governance, vigilance and response.

Outsourcing of work
The need to defend against outsourcing risk is an emerging and growing area of concern, in particular for those economies where IT services are widely contracted out to jurisdictions with weaker cyber security regimes.

Lack of human resources capabilities
Another challenge for financial institutions operating in Asia Pacific is that organisations have a shortage of dedicated IT security specialists and cyber professionals, meaning they may have difficulty staying up to date with the pace of change in the cyber landscape. Many financial institutions lack management recognition or understanding of the importance of cyber security and fail to adopt a coordinated approach across functions.

Deloitte's report provides a framework for overcoming these challenges and for strengthening cyber resilience.

"Cyber attacks are inevitable, and once regulators and organisations accept this, they can focus on building holistic, dynamic, enterprise wide cyber risk programs that are continually tested and updated to allow for agility and swift recovery. Strategies that enhance security, stay vigilant for emerging threats, ensure a flow of insights through to the cyber ecosystem and have senior support and oversight will be the ones that best position financial institutions to stay ahead of regulatory expectations," said James Nunn-Price, Asia-Pacific Cyber Risk Leader, Deloitte.

Beyond this, industry and regulators should work together to further the development of cyber skills and expertise, to foster common standards and approaches, to support information sharing and to facilitate coordinated responses to incidents and attacks.

As the home to the world’s fourth largest internet population, Southeast Asia is particularly vulnerable to cyber attacks as it has neither a developed system of data protection laws nor a strong adoption of cyber security best practices. According to Thio Tse Gan, Southeast Asia Cyber Risk Leader, Deloitte, the region is moving in the right direction despite the current environment.

“Leaders from the Association of Southeast Asian Nations (ASEAN) Member States, convened at the ASEAN Ministerial Conference on Cybersecurity in October 2016, and called for closer cybersecurity cooperation, stronger coordination of regional cybersecurity capacity building initiatives, and strengthening ASEAN discussions with a specific focus on cyber security.”

“At the same time, involvement from the private sector is essential as organizations will need to ensure that they keep pace with regulatory changes. Singapore provides a prime example on how close cooperation between the public and private sectors can help create a robust and resilient cyberspace,” added Tse Gan.

The Deloitte Cyber regulation in Asia Pacific report highlights initiatives launched by the Singapore Ministry of Information and Communications as well as the InfoComm Media Development Authority aimed at developing critical infrastructures’ vigilance and resilience. They have conducted attack drills, simulation exercises, and undertaken contingency planning. Further, especially for financial institutions, the Monetary Authority of Singapore has also taken an active interest in enhancing cyber security amongst the regulated population, introducing guidelines on resilience building, and on AML/CTF and outsourcing risk.