Cyber Resilience Implications for the Financial System

In August of 2008, cyber-attacks began to affect the Georgian public and private sectors. The cyber-attacks coincided with the Russian Invasion of Georgia, which is also known as the “FiveDay War”. While most of the initial cyber-attacks that were directed against Georgia affected the public sector and media, including various government websites and Georgian news portals, a significant portion of the cyber-attacks affected the Georgian financial system.

The cyber-attacks that were directed at the financial system had the effect of bringing down online banking services. In addition, the National Bank of Georgia, which serves as the central bank of Georgia, had its website hacked. As a result of the hack, the official, reference exchange rate of the Georgian Lari to the U.S. Dollar was modified. Luckily, most consumers and other stakeholders were unable to see the unauthorized modification of the exchange rate due to the fact that most of the Georgian internet space was under a distributed denial-of-service attack at the time. If the exchange rate modification on the central bank’s webpage would have been seen by a larger audience, when Internet services are generally readily available to the public, the implications and the impact to the financial system would likely have been much greater.

The events of August, 2008 and several other large-scale cyber risk-related incidents have shown that cyber resilience has become an increasingly vital part of financial stability. In addition, the growing use and adoption of electronic information systems in the face of digital transformation of the financial system has clearly brough cyber risk to the forefront of attention.

According to the U.S. National Institute of Standards and Technology (NIST), cyber resilience is defined as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.

Financial institutions that make up the financial system, especially those institutions that are deemed as being systemically important to the safe and sound functioning of the economy, need to have relevant governance, management and control processes in order to ensure cyber resilience. Furthermore, cyber resilience also needs to include an aspect of stress testing in the wake of adverse or unexpected events. Without a robust stress testing framework, it will be difficult to gain assurance that an organization such as a commercial bank or a credit union will be able to cope with various cyber risk scenarios. It is therefore important to have a holistic approach towards cyber resilience and cyber risk, in general. This is especially true for the financial system, since it forms the backbone of most national economies.

The following paper presents the various aspects of cyber resilience, which need to be considered when analyzing cyber risk within the context of the financial system.