There is an urgent need to reduce systemic cyber risks
Like most investors, Norway’s giant sovereign wealth fund, which owns the equivalent of 1.5% of all listed companies globally, has cause for concern at a time of turning stock market valuations, cost pressures in many sectors and heightened geopolitical uncertainty over Ukraine and Taiwan. But what tops its list of worries? The 100,000 cyberattacks the fund faces each year, Nicolai Tangen, managing director of Norges Bank Investment Management, told the Financial Times.
If, as Willie Sutton would have said, bank robbers rob banks “because that’s where the money is”, it is no surprise that modern criminals resort to cyberattacks against financial institutions, such as NBIM, as well as market infrastructure in general. The number of known malware attacks rose 11% in the first half to 2.8 billion, according to the SonicWall 2022 Cyber Threat Report, with the financial sector being particularly targeted.
Some cyber experts feared an even bigger cyberattack from Russia after its invasion of Ukraine and the imposition of retaliatory sanctions by many Western countries, and it could still materialize. The development of powerful quantum computers, threatening to break traditional encryption methods, could one day add another dimension to the cyber threat.
The scariest aspect of the Norwegian fund’s warning was that cyberattacks could pose systemic financial risk. As more of the financial industry moves online, the surface vulnerable to cyberattacks increases. NATO is strengthening its cyber defense capabilities, but the Western military alliance should do even more to work with private sector partners. Likewise, the Quantum Dawn cyber resilience tests, managed periodically by the US securities industry and involving more than 900 financial industry participants, could also usefully be extended to smaller and more international companies, regulators and central banks.
The lesson learned from these exercises is that effective cyber defense depends on an active partnership between governments, security agencies and private sector companies. They also show that networks are often only as strong as the weakest link in a chain. This places a responsibility on every financial firm, and every individual within those firms, to play their part in bolstering the defenses of the industry. In this regard, too many companies are lagging behind.
Three things can be done to improve collective resilience. First, more investment should be made in developing and deploying more secure encryption technologies. For example, great strides are being made towards the implementation of homomorphic encryption techniques, which can improve both privacy and security by allowing computations to be performed on encrypted data.
Second, specialized auditing firms could be brought in to audit their clients’ data storage and cybersecurity practices. For some companies, such as aircraft manufacturers and nuclear power plant operators, successful cyberattacks could endanger lives and pose an existential risk to their businesses. Regulators should know a lot more about the risks these companies face. Third, investors should question the companies they invest in more rigorously about the steps they take to secure their operations. Shareholders must also insist that corporate boards include directors with real-world cyber expertise.
Unfortunately, given the scale and prevalence of the cyber threat, minimizing risk rather than eliminating it is all that can be achieved. But careful precautions can still help prevent sporadic attacks from turning into systemic danger.