RBA: A cyberattack is inevitable

  • By Zilla Efrat

It's almost inevitable that at some point the defences of a significant financial institution will suffer a cyber security breach which could possibly result in systemic financial instability, the Reserve Bank of Australia (RBA) warns.

In its latest semi-annual Financial Stability Review, the RBA notes that the loss of public confidence after a significant cyber event could lead to wide-spread stress in the financial system.

“Compromised confidential information could lead to severe reputational damage and reluctance from market participants to extend liquidity or credit,” it says.

“The increased level of interconnectedness in the financial system – including through a network of third-party service providers, critical financial market infrastructures, lenders and counterparties – could rapidly transmit the impact of a cyber incident from one institution to another.

“For example, several banks may rely on real-time payments from a major participant in the wholesale settlement system, which if incapacitated for a prolonged period of time could put pressure on intraday liquidity. In addition, an inability to substitute away from a key institution or service provider could cause severe operational disruptions at other institutions along the supply chain.”

But the RBA adds that whether such an attack could result in systemic financial instability will depend not only on the part of the financial institution or system affected and potential network effects, but also the cyber resilience of that institution and financial system.

It says the number of cyber-attacks on financial institutions continues to trend higher. “Over the past 18 months, this may have been accentuated by widespread remote working and use of electronic financial services due to the pandemic,” it says.

“In addition to inherent system vulnerabilities, risks from cyber-attacks are growing, reflecting increased technological capability and sophistication of highly organised cyber criminals and state-sponsored attackers.”