Coordinated diplomatic pressure, backed up by a credible threat of sanctions or other punishment, will be needed to ensure compliance by rogue states.
68
As detailed above, the distribution between banks and customers of the costs incurred by successful cyber attacks is problematic. Placing the burden on customers when they have little power to affect their banks’ security efforts may be unfair, but making the banks responsible for covering consumer losses raises the problem of moral hazard. Both the banks and their customers would benefit from a more mature cyber security insurance sector as a way to monetize risky behaviour by firms and individuals and incentivize good behaviour. Due to the novelty of cyber risk, cyber security insurance remains a fledgling industry that needs government attention. It will need detailed data on cyber exploits to properly quantify risk. Yet, banks currently have little incentive to share the frequency with which they are attacked, as that may have a negative impact on a firm’s reputation. Since February of this year, Canada’s prudential regulator, the Office of the Superintendent of Financial Institutions, has required federally regulated banks and insurers to report technology and cyber security incidents, although more robust requirements for the disclosure of breaches of the sort found in the European Union’s General Data Protection Regulation would be even more beneficial (Middleton 2018).
Works Cited
These efforts will need to be complemented by coordination at the international level to confront the transnational nature of cyber threats by promoting common standards and information sharing. The Group of Seven (G7) has begun the process of harmonizing cyber security standards for financial institutions, formulating the “G7 Fundamental Elements of Cybersecurity in the Financial Sector” (G7 2016). The Group of Twenty, through the Financial Stability Board (FSB), has likewise started to consider the risk that cyber operations pose to financial stability and has made attempts at developing a common lexicon to ensure consistent classification and reporting of cyber breaches (FSB 2018). Ultimately, the global community has a collective interest in defending the integrity of the international financial system. In an interconnected world, robust common regulatory standards are essential to this effort.
Leuprecht, Christian, David Skillicorn and Arthur Cockfield. 2019. “Cybersecurity in the Financial Sector as an Economic Security Issue: Leuprecht, Skillicorn, and Cockfield at the House of Commons Committee on Public Safety and National Security.” Macdonald-Laurier Institute, January 29. www.macdonaldlaurier.ca/cybersecurity-financial-sectoreconomic-security-issue-leuprecht-skillicorn-cockfield-housecommons-committee-public-safety-national-security/.
Governing Cyberspace during a Crisis in Trust
BBC News. 2013. “South Korea Blames North for Bank and TV Cyber-attacks.” April 10. www.bbc.com/news/technology-22092051. Berr, Jonathan. 2017. “WannaCry ransomware attack losses could reach $4 billion.” CBS News, May 16. www.cbsnews.com/ news/wannacry-ransomware-attacks-wannacry-virus-losses/. Bouveret, Antoine. 2018. “Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment.” IMF Working Paper, June 22. www.imf.org/en/Publications/WP/ Issues/2018/06/22/Cyber-Risk-for-the-Financial-SectorA-Framework-for-Quantitative-Assessment-45924. Corkery, Michael and Matthew Goldstein. 2017. “North Korea Said to Be Target of Inquiry Over $81 Million Cyberheist.” The New York Times, March 22. www.nytimes. com/2017/03/22/business/dealbook/north-korea-said-tobe-target-of-inquiry-over-81-million-cyberheist.html. Eoyang, Mieke, Allison Peters, Ishan Mehta and Brandon Gaskew. 2018. “To Catch a Hacker: Toward a Comprehensive Strategy to Identify, Pursue, and Punish Malicious Actors.” Third Way, October 29. www.thirdway.org/report/ to-catch-a-hacker-toward-a-comprehensive-strategy-toidentify-pursue-and-punish-malicious-cyber-actors. FireEye. 2018. “APT38: Un-usual Suspects.” https://content.fireeye.com/apt/rpt-apt38. Fleishman, Glenn. 2018. “Equifax Data Breach, One Year Later: Obvious Errors and No Real Changes, Report Says.” Fortune, September 8. http://fortune.com/2018/09/07/ equifax-data-breach-one-year-anniversary/. ForexBonuses. 2017. “The World’s Most Cashless Countries.” www.forexbonuses.org/cashless-countries/. FSB. 2018. “Cyber Lexicon: Consultative Document.” July 2. www.fsb.org/2018/07/cyber-lexicon-consultative-document/. G7. 2016. “G7 Fundamental Elements of Cybersecurity for the Financial Sector.” www.treasury.gov/resourcecenter/international/g7-g20/Documents/G7%20 Fundamental%20Elements%20Oct%202016.pdf. Healey, Jason, Patricia Mosser, Katheryn Rosen and Adriana Tache. 2018. “The Future of Financial Stability and Cyber Risk.” Brookings Institution, October 10. www.brookings.edu/ research/the-future-of-financial-stability-and-cyber-risk/. Jones, Sam and Tim Bradshaw. 2017. “Global Alert to Prepare for Fresh Cyberattacks.” Financial Times, May 14. www. ft.com/content/bb4dda38-389f-11e7-821a-6027b8a20f23.
Leuprecht, Christian, Joseph Szeman and David B. Skillicorn. 2019. “The Damoclean sword of offensive cyber: policy uncertainty and collective insecurity.” Contemporary Security Policy 40 (3). https://doi.org/10.1080/13523260.2019.1590960. Matthews, Christopher. 2013. “How Does One Fake Tweet Cause a Stock Market Crash?” Time, April 24. http://business.time.com/2013/04/24/how-doesone-fake-tweet-cause-a-stock-market-crash/. Middleton, Chris. 2018. “Cyber attacks could cost bank half of its profits, Warns IMF.” Internet of Business, June 25. https://internetofbusiness.com/fintech-cyber-attackcould-cost-bank-half-of-its-profits-warns-imf/. Raytheon Company. 2015. 2015 Industry Drill-Down Report: Financial Services. www.websense.com/assets/reports/ report-2015-industry-drill-down-finance-en.pdf. Symantec. 2016. “SWIFT Attacker’s Malware Linked to More Financial Attacks.” May 26. www.symantec.com/connect/ blogs/swift-attackers-malware-linked-more-financial-attacks.