Banks, fintechs, others lose $12bn to cyber attacks in 20 years — IMF
The International Monetary Fund (IMF) has said that financial institutions across the world lost a sum of $12 billion to cyber attacks in the past 20 years.
IMF disclosed this in a report titled, ‘Global Financial Stability Report, April 2024’.
It stated that the financial sector is extremely exposed to cyber risk, adding that about one-fifth of the recorded cyber incidents in the past two decades have affected the financial industry, “with banks being the most frequent targets followed by insurers and asset managers”.
According to IMF, the loss recorded by financial institutions since 2020 stood at $2.5 billion.
“Financial firms have reported significant direct losses, totaling almost $12 billion since 2004 and $2.5 billion since 2020.
“Financial institutions in advanced economies, particularly in the United States, have been more exposed to cyber incidents than firms in emerging market and developing economies.
“JP Morgan Chase, for example, the largest US bank, recently reported experiencing 45 billion cyber events per day while spending $15 billion every year and employing 62,000 technologists, many focused on cyber-security,” IMF stated.
Cyber incidents, according to IMF, are key operational risks that could threaten the operational resilience of financial institutions and hurt overall macroeconomic stability.
“A cyber incident at a financial institution or at a country’s critical infrastructure could generate macro financial stability risks through three key channels: loss of confidence, lack of substitutes for the services rendered, and interconnectedness.
“While cyber incidents thus far have not been systemic, ongoing rapid digital transformation and technological innovation (such as artificial intelligence) and heightened global geopolitical tensions exacerbate the risk,” the report added.
IMF said direct losses from cyber incidents reported by firms have thus far been generally modest but could become very large.
Based on available data, the median reported direct loss to a firm from all cyber incidents has been about $0.4 million, and three-fourths of the reported losses are below $2.8 million.
“Although losses from malicious incidents have been more than five times as large as those from nonmalicious incidents, at around $0.5 million, the magnitude of losses in absolute terms has been generally modest as well.
“For example, most cyber extortions, such as ransomware attacks, or malicious data breaches have resulted in losses of up to $12 million.”
IMF said the distribution is, however, heavily skewed, with some occurrences imposing losses of hundreds of millions of US dollars.”