Why banks need to boost their cybersecurity investments

Cyber attacks on the banking sector are prevalent, yet system-wide investment in cybersecurity is suboptimal, opening up the risk of financial instability, privacy issues and bank runs.

In the paper 'Cybersecurity and financial stability', University of Auckland macroeconomics professor Prasanna Gai, economics lecturer Chanelle Duley and Deutsche Bundesbank economist Kartik Anand highlight the need for banks to work together and collectively contribute to improving cyber defences. They also provide new perspectives on the tools regulators and the industry use to tackle cybersecurity.

"Cybersecurity is a growing issue, and New Zealand is not immune," says Professor Gai. "The country has seen several large-scale cyber attacks over the past few years, with both the NZX and the Reserve Bank of New Zealand hit badly."

Many banks and other businesses in the financial sector use the same platforms and digital services for their online banking services and back-end operations, says Gai.

Such services are typically provided by the same handful of companies, with one 2019 survey estimating that Amazon, Microsoft, Alibaba, Google, and IBM account for 77 percent of the market.

While cost-saving, the researchers say shared services can create cybersecurity dependencies – one bank's access can become the 'back door' through which attackers impact others.

This means the cybersecurity of the financial system can end up depending on the bank with the lowest level of protection.

Gai says investing more in cybersecurity contributes to improving the security blanket around the platforms, lowering the probability of a successful attack on all banks.

However, he says that the desire for banks to free-ride on the contributions of others in relation to collective security means that many underinvest in cybersecurity.

As part of their research, Gai, Duley and Kartik designed a formal model, the first of its kind, to outline the impact of cyber-attacks on financial stability and the implications for regulation.

They show how cyber attacks might morph into bank runs, when a large number of customers withdraw their funds over fears their money is at risk.

"In our model, banks are more inclined to put money into their operational resilience to decrease the risk of a bank run rather than investing in cybersecurity measures that will work to protect both themselves and the security of the system as a whole. System-wide investment in cybersecurity is suboptimal as a result," they say.

The researchers also show that while the temptation to free-ride induces underinvestment in cybersecurity, the prospect of a bank run encourages greater investment.

Regulatory and supervisory tools should take these factors into account, says Duley.

"We explore a few tools that can help foster the collaboration needed among banks to allow those who are left behind, those smaller banks, to increase their cybersecurity provision.

"One way is to do a 'cyber stress test'. This is where regulators simulate a cyber-attack on different banks to help identify weak points and then support corrective action for those players."

Another tool, says Duley, is to support banks with subsidies.

"Banks tend to be quite resistant to sharing information around cyber-attacks because of reputational concerns. But sharing information can help to develop stronger defences. Subsidies could provide resources to foster information sharing across banks because information is a key aspect of cybersecurity provision."

The overarching message, say Duley and Gai, is that it's in everyone's collective interest to contribute to cybersecurity.