OFR_2016_Financial-Stability-Report
2.3 Cybersecurity Incidents Affecting Financial Firms
Financial institutions, like other businesses, are under constant threat of malicious cyber activity. They are especially vulnerable because of their reliance on information technology (IT) and their many links to each other, to financial markets, and to other parts of the economy. Malicious cyber activity that targets financial firms has become more common and more sophisticated. Incidents can disrupt services, reduce confidence in firms and markets, and damage the integrity of key data.
The OFR ranked vulnerability to malicious cyber activity as a top threat with substantial potential impact. Quantifying the magnitude of these risks or measuring the resilience of institutions is difficult. Still, cybersecurity incidents clearly have the potential to cause real harm. Some financial institutions play unique roles. If their IT systems were compromised, that could disrupt payment systems or markets and trigger a cascade of operational and financial losses.
Financial firms already fight off malicious cyber activity on many fronts (see White House, 2013). They may spend heavily to defend themselves. Regulators have also taken steps to increase cyber-resilience. They have encouraged information-sharing and collaboration and issued guidance and rules for financial firms. U.S. regulators could also consider developing a shared risk-based approach to guide financial firms in their IT security practices. Although firms are primarily responsible for the security of their systems, regulators should provide guidance and oversight and work to ensure that the financial system can recover quickly.
Cybersecurity Incidents Come in a Variety of Forms
Cyberattacks are deliberate efforts to disrupt, steal, alter, or destroy data on IT systems. Tactics include finding hidden weaknesses in widely used software (called zero-day vulnerabilities) to get into IT systems, targeting e-mail accounts to steal passwords (spear-phishing), targeting websites to infect users with malicious software (malware), and implanting software that locks companies out of their own IT systems (ransomware). The growth in Internet links provides more ways for attackers to enter proprietary IT systems and networks.
Detailed data about frequency, tactics, and results of cybersecurity incidents are scarce. In part, data are lacking because firms and authorities avoid reporting them due to reputation concerns or concerns over giving insights to potential hackers (see OFR, 2015; U.S. Congress, 2016). Cybersecurity
38 2016 | OFR Financial Stability Report