During the pandemic, there was a strong link between the prevalence of work-from-home arrangements and the incidence of cyber attacks, particularly at financial institutions.
The BIS (Bank for International Settlements) has published a new paper describing the impact of the Covid-19 pandemic on cyber risk in the financial sector.
Financial institutions have been at the “leading edge” of the response to cyber risk during the pandemic, the paper says. “Their already large exposure to cyber risk has been further accentuated by the move towards more working from home (WFH) and other operational challenges.”
According to the report, there was a strong link between the prevalence of WFH arrangements and the incidence of cyber attacks between the end of February and June 2020, with the financial sector being hit by cyber attacks more often than any other sector except healthcare. Payment firms, insurers and credit unions were especially affected.
A survey of financial institutions by the FS-ISAC (Financial Services Information Sharing and Analysis Center) found a substantial rise in phishing, suspicious scanning and malicious activity against the webpages that WFH staff use to access the network.
Covid-19-related attacks grew with the spread of the pandemic, from fewer than 5,000 per week in February to more than 200,000 per week in late April. The attacks rose further by around one third in May and June compared with March and April.
According to the report, policy to reduce risks to financial stability must take account of two near-term trends. First, remote work is likely to remain higher than in the pre-Covid-19 period, requiring business continuity plans designed for short-term disruptions to be adapted to WFH over longer periods.
Second, financial institutions are likely to continue to move parts of their IT operations to public cloud environments, where a high concentration among a few cloud services providers could lead to single points of failure.
An estimated 82 percent of companies increased cloud usage as a result of the pandemic, while 91 percent are planning a more strategic use of cloud in the near future, the report notes, citing recent survey findings.
“Through shared software, hardware and vendors, incidents could, in principle, spread more quickly, leading to higher losses for financial institutions and stress in the financial system.”
To address cyber risk, many private and public sector organisations are strengthening their operational resilience, as well as engaging in “war games” or simulations of cyber attacks, which can help to identify vulnerabilities and enhance preparedness and lines of communication.
Moreover, financial supervisors are leveraging national or international standards or guidance to promote cyber resilience, including through the use of regional groups and cooperation forums.
“The BIS will continue supporting international cooperation in this area, recognising that cyber resilience is fundamentally a global public good,” the paper says.
The full paper is available here.
The paper was prepared by Iñaki Aldasoro, Jon Frost, Leonardo Gambacorta and David Whyte.
