20-65% of banks' quarterly profit at risk from full-blown direct cyberattacks: MAS study

A FULL-BLOWN direct cyberattack on a bank would cost it 20-35 per cent of quarterly profits, even when contingency measures are in place, the latest stress test by the Monetary Authority of Singapore (MAS) showed.

This cost for this worst-case scenario jumps to as much as 65 per cent, if no contingencies have been made, said the regulator, as it raised scrutiny on the impact of cybersecurity on financial stability in Singapore. Deposits could also decline by 1-5 per cent.

The fresh estimates come as MAS flagged the "nascent understanding" of the relationship between cyber risk and financial stability at this point.

"Many financial institutions have traditionally regarded cyber risk as a microprudential operational risk that can be addressed through entity-specific cybersecurity and contingency measures," said the MAS in its annual Financial Stability Review released on Thursday.

"Given the interconnected and increasingly digitalised nature of the financial sector, it is now necessary to also consider the systemic financial stability implications of cyber risks."

Most of the decline in profits that banks expect as a result of cyberattacks would come from a loss in future revenues due to reputational impact, as well as higher costs from monies stolen, legal charges and marketing expenses.

The stress test showed that banks expect to be most affected by theft and disruption-related cyberattacks on themselves and external parties.

These theft-related attacks cited by banks include automated teller machine (ATM) jackpotting, where malware causes ATMs to dispense cash, or through the hacking of banks' payment systems to effect unauthorised fund transfers.

As for disruption-related attacks, banks identified threats from distributed denial-of-service attacks that prevent customers from accessing Internet and mobile banking applications, as well as a disruption to the banks' internal payment processing systems.

Banks raised damage or corruption of customer data as another example of a damage-related cyberattack.

The MAS study said banks said they have taken various measures to mitigate cyberattacks, deploying "multiple layers" of security controls to protect sensitive data and monies from theft.

Banks have also implemented distributed denial-of-service mitigation measures, which are tested regularly to verify their effectiveness. Critical data is regularly backed up to storage systems which can be used to restore the information at a point in time.

The measures are extended to third-party service providers, banks said, with periodic audits done to verify that the providers' cybersecurity measures are in place.

Banks have also set up business continuity measures so that they can switch to an alternative service provider, or perform critical services in-house when outsourced services are disrupted.

MAS added a call for "concerted collaboration" between regulators and the banking industry to utilise existing analytical tools, while developing new approaches to better assess and boost the financial sector's cyber resilience.