Regulating Cyber Risk: Revisiting the Current Prudential Approach

Cyber risk has become one of the most complex emerging challenges of the financial system. Financial regulators around the world have repeatedly named cyber risk as one of the greatest threats to the sound functioning of the financial system. It has grown alongside the financial sector’s increased reliance on technology and use of sophisticated digital tools. The modern financial ecosystem has also become increasingly connected in its operations and is dependent on a shared network of information systems and technological interconnections between financial system participants. Cyber incidents no longer merely pose a problem for an individual institution but present a larger risk to the system as a whole.

Although the frequency of cyber incidents and their resulting economic losses have grown steadily over the last decade, the Covid-19 pandemic led to a surge in cyber-attacks. The pandemic boosted the demand for online services and higher connectivity, while also introducing new vulnerabilities resulting from financial institution staff working from home on personal devices and private networks. The frequency of Covid-19 related cyber-incidents on the financial sector was second only to the healthcare sector. This highlights the urgency of adapting to the threat of cyber risk and creates an opportune moment for analysis.

In a recent paper, I examine the Canadian banking system’s cyber risk governance framework. The paper argues that the existing regulatory approach falls short of what is needed to meet the unique challenges of cyber risk in the financial sector. The paper advocates for complementing the current quantitative paradigm that underlies regulation with a resilience-centric approach aimed at better accommodating and learning from unpredictable cyber incidents.

The current regulatory approach to cyber risk treats it as a subset of operational risk. The Basel Committee on Banking Supervision requires banks to use the Standardized Measurement Approach to determine operational risk requirements based on income and historical losses. The Canadian approach is based on a prudential apparatus developed as part of the Basel Accords. The Office of the Superintendent of Financial Institutions (OSFI), Canada’s federal prudential regulator, imposes the Basel operational risk framework on the financial institutions that it regulates. This general framework is supplemented with guidelines that specifically address technology and cyber risks. In providing this framework and guidelines, OSFI takes a principles-based approach that relies on regulated entities to establish the content of cyber security strategies and operational risk management.

A key issue with this operational risk model-based approach is its backward-looking nature. Risk models that use historic data do not adequately capture future low frequency-high risk events such as cyber-attacks. Moreover, treating cyber incidents the same way as traditional operational disruptions such as natural disasters may overlook the unique features of cyber risk. A cyber-attack is not a random, one-time incident but rather an incident that actively adapts to continuing innovations and past success. Although consistency and simplicity can be beneficial for some models of operational risk, they may not be helpful in the context of cyber risk.

Another issue with this approach is its highly centralized nature. By focusing on individual firms and their senior management, OSFI’s approach to cybersecurity strategy creates a central decision-making apparatus. This can result in a lack of resiliency in response to operational disruptions caused by a cyber-attack.

An understanding of these challenges can identify pathways for reform. Firstly, the current prudential system’s narrow focus on technical defence systems and quantitative prediction models should be broadened to take a qualitative approach to cyber resilience that can accommodate and learn from cyber incidents. A shift in focus from cybersecurity to cyber resilience would allow for an adaptive, ongoing strategy that prioritizes continual improvement rather than a prescriptive ‘outcome’ or ‘end state’. This would create more effective systems for dealing with cyber risk. Secondly, there should be a broader recognition of systemic risk implications that goes beyond individual enterprises. More attention should be paid to an integrated analysis of cyber risk. Specifically, mapping a network of financial and technological connections across the financial system at key nodes would allow for better understanding of channels of contagion for cyber risk and points of failure at which systemic risk is concentrated. Third, a common set of standards and an international cooperative approach to joint supervision of cloud service providers should be developed, due to their critical function to the financial system and global nature. Lastly, regulators should foster knowledge mobilization as part of the adaptive governance of cyber risk, so that new information on emerging risks can be incorporated into risk management practices and regulatory instruments.

However, beyond addressing gaps in the current regulatory regime, there are other impediments that hinder effective regulation of cyber risk. These include privacy, reputational, and legal concerns on the part of financial institutions. Existing forums often rely on mandatory incident reporting rather than fostering peer-to-peer participation and collaboration. Importantly, national security interests, which include cyber-attacks and intelligence gathering on vulnerabilities by other nation states, may come into tension with knowledge sharing. As a result, international cooperation on cyber resilience may remain limited.

Maziar Peihani is Assistant Professor, Lawson Lundell UBC Professor in Business Law, at the Peter A. Allard School of Law, The University of British Columbia.