Cyber risk is increasing rapidly with the digitalisation of the economy, and the Covid crisis has accelerated this trend. The financial sector is particularly targeted and cyber risk, while it has not yet led to a major crisis, can become systemic and threaten financial stability. Various public policies can be implemented to mitigate this risk.
Cyber risk – which encompasses all risks that arise from using digital technology – represents a major economic risk in today's world. It can be defined as an operational risk affecting the confidentiality, availability or integrity of information or information systems. It covers both malicious acts and inadvertent incidents caused by human error or accident.
The number of cyber incidents is sharply on the rise, but the costs they represent for the economy as a whole remain difficult to estimate. There are both direct and indirect costs, affecting not only the organisation targeted by an incident but other stakeholders as well (partner firms, customers). They likely amount to several hundred billion euros annually for the global economy.
The financial sector is a particularly attractive target for cyber attacks due to the potential for a large payoff. It is also a highly digitalised sector, which increases its exposure. During the COVID-19 pandemic, the sudden shift to work-from-home arrangements made it one of the most exposed industries.
The financial sector is also highly interconnected, which increases the likelihood of shocks spreading more widely. To function properly, it relies on the confidence of its participants, and this confidence can be eroded by a security incident. Although a systemic event has yet to occur, cyber risk has been identified as one of the main risks for financial stability.
Organisations tend to underestimate cyber risk and underinvest in cybersecurity. To ensure an adequate level of security, various public policy levers can be mobilised: training, regulation, stress testing, industrial policy, cyber insurance. The proposed Digital Operational Resilience Act (DORA), at the European level, and the cyber insurance working group launched by the Directorate General of the Treasury, in France, contribute to that effort.