20 June 2025
Cyber attacks on the financial sector have been rising for years: annual losses to financial firms from cyber incidents grew from approximately $300 million in 2017 to approximately $2.2 billion in 2021, and the financial sector's share of all attacks more than doubled over the last decade (Box 3.2 and Figure 3.2.1 on page 99 of the IMF's Global Financial Stability Report, October 2024, "Steadying the Course: Uncertainty, Artificial Intelligence, and Financial Stability").
Cyber security has emerged as a critical concern for central banks, supervisory authorities, policymakers and financial institutions and is an important area of focus for the International Monetary Fund (IMF) as well as global and sector standard-setting bodies (SSBs), including the Group of Seven, the Group of Twenty, the Financial Stability Board (FSB), the Basel Committee on Banking Supervision (BCBS), the Committee on Payments and Market Infrastructures (CPMI), the International Organization of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors.
In March 2025, the IMF published a technical note and manual (TNM) titled "Strengthening cyber security: Lessons from the Cybersecurity Survey" by Rangachary Ravikumar, a senior financial sector expert in the Monetary and Capital Markets Department at the IMF. The TNM reviews the findings of two cyber security surveys that the IMF conducted in 2021 and 2023 respectively and makes a number of recommendations. The views expressed in the TNM are those of the author and do not necessarily represent the views of the IMF, its executive board, or IMF management.
The IMF's cyber security surveys aimed to assess the cyber security preparedness of central banks and supervisory authorities, particularly in low and lower-middle-income countries. In so doing, they address information gaps and help adapt the IMF's initiatives to the needs of member countries.
Each survey consisted of 42 questions built around seven themes, each discussed in turn below:

- governance and strategy (six questions);
- cyber regulation and supervision (eight questions);
- threat intelligence and cyber incident response and recovery (five questions);
- information sharing and incident reporting (ten questions);
- cyber deterrence (four questions);
- financial stability analysis (four questions); and
- continuous learning and capacity development (five questions).
These themes were identified on the basis of the work that has been conducted to date on cyber security risk by the IMF and a number of SSBs (figure 1 of the TNM).
The survey was issued to the authorities of the 90 countries invited to the IMF's Annual Cybersecurity Workshop. The 2021 survey elicited 53 responses and the 2023 survey 74, with 32 countries responding to both. A breakdown of responses by region shows that Africa and Asia account for the majority (62.3% of the 2021 responses and 71.6% of the 2023 responses), followed by Latin America and Europe, as detailed in the table below, which replicates the data in Table 1 on page 7 of the TNM.
| Region | 2021 responses | 2023 responses |
|---|---|---|
| Africa | 16 (30.2%) | 27 (36.5%) |
| Asia | 17 (32.1%) | 26 (35.1%) |
| Europe | 8 (15.1%) | 8 (10.8%) |
| Latin America | 12 (22.6%) | 13 (17.6%) |
| Total | 53 (100%) | 74 (100%) |
The surveys contain six questions addressing governance and strategy. The responses revealed that while progress has been made in developing national and financial sector-focused cyber security strategies, significant gaps remain. More than half of the surveyed jurisdictions had neither a national cyber security strategy nor a financial sector cyber security strategy, although there is an increase in the percentage of jurisdictions planning to develop a cyber security strategy within a year from 21% in 2021 to 27% in 2023.
Governance arrangements have improved. The share of jurisdictions with governance arrangements in place rose from 57% (2021) to 65% (2023). According to the 2023 survey, where the central bank and the supervisory authority are separate institutions, 89% of jurisdictions had formalised co-ordination between the two, including information sharing for financial stability purposes.
Eight questions were focused on cyber regulation and supervision. There has been an increase in jurisdictions reporting dedicated technology or cyber security frameworks but more work is required to extend these regulations across the entire financial sector.
The surveys demonstrate that there is a positive correlation between the presence of a national cyber security strategy and cyber risk regulation, which suggests that the existence of a cyber security strategy expedites the establishment of cyber risk regulation.
While dedicated ICT and cyber risk regulations as well as data privacy laws have become more prevalent and supervisory architecture has strengthened, there are still significant gaps. For example, more than a quarter of jurisdictions surveyed do not undertake on-site examinations that cover cyber risk and the share of jurisdictions carrying out the full gamut of supervisory approaches, which include full-scope, limited-scope and thematic reviews along with on-site examinations, has remained at roughly 50%.
The third theme, threat intelligence and cyber incident response and recovery, had five questions. Threat intelligence-gathering remains predominantly informal, and response and recovery capabilities after cyber incidents are weak. While 44% of respondents to the 2023 survey had amended cyber regulations following major cyber incidents, 30% had not yet established protocols for handling such incidents. When dealing with cyber incidents, many rely on off-site monitoring (60.8%) and analysis of reported incidents (52.7%), with on-site interventions the least common approach (33.8%).
Jurisdictions' approaches to cyber security testing also reveal major gaps. While there has been an improvement since the 2021 survey, the 2023 survey responses reveal that only 21.6% of respondents had a mandatory cyber security testing regime actively managed by the authorities.
Ten questions were devoted to information sharing and incident reporting. Although there has been progress with systematic information-sharing arrangements within the financial sector (28% of respondents reported the existence of information-sharing arrangements in 2023 compared to 12% in 2021), many jurisdictions still lack systematic information-sharing arrangements – with approximately 40% of respondents indicating they were not aware of such arrangements.
Similarly, while there have been increases in the share of respondents having an incident reporting regime (43% in 2021 to 49% in 2023) and a cyber incident reporting template (47% in 2021 to 55% in 2023), this remains sub-optimal. The disparity between the cyber incident reporting template and incident reporting regime percentages also suggests that there are jurisdictions with a prescribed cyber incident reporting template that do not have a cyber incident reporting regime.
The surveys clearly indicate that wholesale payment systems and messaging networks have become critical dimensions of cyber security readiness. Approximately 60% of the 2023 respondents reported that wholesale payment systems and messaging networks were part of information-sharing networks and contributed to enhancing cyber awareness, compared to under half in 2021. Furthermore, about 54% of respondents said that wholesale payment systems and messaging networks capitalised on existing cyber security working groups for implementing a strategy to prevent fraud.
The cyber deterrence section of the survey had four questions. Most jurisdictions reported having cybercrime regulations but there is a marked lack of clear guidance and processes between law enforcement authorities, the central bank and financial entities on reporting cybercrime, gathering evidence and transferring this evidence to help to prosecute cybercriminals.
Computer emergency response teams (CERTs) were absent in almost a third of responding jurisdictions. Where a CERT existed, about 18% of respondents to the 2023 survey indicated that there was no co-ordination between the supervisory authorities and the CERT, broadly unchanged from the 2021 result. About 28% of countries reporting good co-ordination did not have a CERT focused on the financial sector (FinCERT). Of the countries confirming in the 2023 survey that they had a FinCERT, the central bank ran it in approximately 59% of jurisdictions.
Financial stability analysis also had four questions. By 2023, only 8% of respondents had a "cyber map". A cyber map supports cyber security by identifying the main technologies, services and connections between financial sector institutions, service providers and in-house or third-party systems. Some 60% of respondents indicated that they lacked the information needed to build such a map. Nonetheless, around 31% of respondents said they were developing a cyber map and expected to complete the work within the next 12 months.
The majority of respondents did not undertake quantitative analysis or incorporate cyber risk in stress tests. However approximately 39% of respondents reported that they collected and analysed data on frequency and loss arising from cyber attacks, up from 23% of respondents in 2021. Key information on cloud migration by financial institutions was often unavailable to supervisory authorities and central banks, although the position reflected in the 2023 survey shows there has been an improvement.
The final theme, continuous learning and capacity development, received five questions. Again the surveys' findings identified a number of areas requiring attention. In the 2023 survey, almost 45% of respondents reported that there was no formalised approach to strengthening cyber risk supervisory capacity and that decisions were made on an ad hoc basis. In terms of cyber security training options available, the 2023 survey showed that more than 97% of respondents placed heavy reliance on free webinars and online courses compared to 60% using certification training along with examinations and 40% using academic programmes. Despite professional qualifications gaining momentum, as shown by a large number of respondents in the 2023 survey (60%) indicating that they require an IT degree for cyber security supervisory staff, about 28% of respondents said that technical qualifications were only present for senior supervisors.
Based on the findings from the surveys, the TNM makes a number of recommendations to strengthen cyber security in the financial sector.
Governance arrangements require improvement in several jurisdictions, with focused work needed to formulate national-level and financial sector-level cyber security strategies. Drawing on the BCBS's "Principles for Operational Resilience" (Principles) and "Revised Principles for the Sound Management of Operational Risk", and the CPMI and IOSCO's "Guidance on Cyber Resilience for Financial Market Infrastructures", the TNM outlines the core ingredients of effective governance: well-formulated structures and institutional mandates, ensuring that institutions have adequate legal powers and accountability frameworks, sufficient human, financial and technical resources, and effective monitoring and follow-up practices. The TNM emphasises the benefits of co-ordination between financial regulators beyond the sharing of information, including harmonised regulations, the development of best supervisory approaches and, where applicable, collective handling of cyber incidents. It recommends the use of memorandums of understanding between financial regulators to formalise institutional arrangements.
The TNM highlights the importance of greater legal and regulatory clarity regarding supervisory powers and the need for more attention from leadership. Cyber risk regulations should be extended across the whole financial sector as a priority. Existing standards and frameworks may help to inform this, such as the work of the International Organization for Standardization, the National Institute of Standards and Technology (NIST), and ISACA. Other useful resources include the Cyber Risk Institute Profile, a cyber security framework for the financial sector developed by the Cyber Risk Institute, and national/supranational regulatory standards such as the Canadian Office of the Superintendent of Financial Institutions' Technology Risk Management Guideline, the Monetary Authority of Singapore's Technology Risk Management Guidelines and the European Banking Authority's Guidelines on ICT. The TNM additionally notes the need to strengthen cyber risk supervision by increasing both on-site examinations and off-site supervision from their current levels. On-site examinations of third-party service providers also require improvement; IOSCO's Principles on Outsourcing and the FSB's toolkit for enhancing third-party risk management and oversight may provide useful insights in this respect.
Central banks and supervisory agencies need to develop processes for ongoing threat intelligence-gathering and establish protocols for handling major cyber incidents. The TNM recommends the FSB's "Effective Practices for Cyber Incident Response and Recovery", the NIST's cyber security framework as well as the CPMI and IOSCO cyber resilience guidance referred to above, which discusses response and recovery in detail.
Significant work is required to put in place effective information-sharing networks within the financial sector and across other sectors. In particular, jurisdictions should prioritise cyber incident reporting frameworks with defined thresholds, appropriate categorisation and criteria for classifying incidents. The TNM notes that lessons can be drawn from a number of initiatives currently in place, including the Euro Cyber Resilience Board's Cyber Information and Intelligence Sharing Initiative, the Financial Services Information Sharing and Analysis Center, and the Connect Inform Share Project of the UK's National Cyber Security Centre. To foster better practices in cyber incident reporting, the TNM encourages authorities to review the FSB's "Final Report on Recommendations to Achieve Greater Convergence in Cyber Incident Reporting", which includes a common format for incident reporting exchange. Finally, the TNM observes that wholesale payment systems and messaging networks can do more to capitalise on existing cyber security working groups and participate in information-sharing networks, and it refers to the CPMI and IOSCO's toolkit, "Reducing the Risk of Wholesale Payments Fraud Related to Endpoint Security: A Toolkit", and the Society for Worldwide Interbank Financial Telecommunication (SWIFT)'s Customer Security Programme.
Legal provisions to criminalise cyber attacks and to establish CERTs/FinCERTs require particular attention, and co-ordination among stakeholders must be developed and maintained. Clear guidance on the processes between law enforcement authorities, central banks and financial sector entities is also needed to remove uncertainty over how to report cybercrime, retain digital evidence and transfer that evidence to support prosecutions. The International Telecommunication Union's "ITU Cybersecurity Program: CIRT Framework" provides valuable guidance on establishing a national CERT and sets out regional and international co-operation mechanisms to identify, manage and respond to cyber threats.
The TNM underscores the need to develop cyber mapping. The BCBS's Principles illustrate how the interconnections and interdependencies of critical functions should be mapped. Data collection should be enhanced to support financial stability analysis and to improve understanding of the digital landscape and of third-party dependencies. In view of the rapid adoption of cloud computing, the TNM refers to the FSB's "Third-Party Dependencies in Cloud Services: Considerations on Financial Stability Implications".
The TNM calls for more work to be done to build cyber security supervisory capacity and highlights the key role that the IMF can play in doing this. In particular, its online course on cyber risk supervision can be used more frequently and its cyber risk supervision toolkit could help to fast-track capacity development.
Cyber security remains a growing risk in the financial sector. Concerted efforts from central banks, supervisory authorities, and policymakers are required to strengthen preparedness. The IMF's surveys highlight progress made and gaps that need to be addressed and its recommendations across the seven themes provide a helpful guide for building robust cyber security strategies, a clear and consistent regulatory framework, along with coordinated industry-wide practices.
This article has been published in www.compliancemonitor.com and www.i-law.com.