The International Monetary Fund (IMF) says financial institutions lost a sum of $12 billion to cyberattacks in the past 20 years.
IMF disclosed this in a report titled ‘Global Financial Stability Report, April 2024’.
The Bretton Wood institution disclosed this in one of the report’s chapters on April 9 and plans to publish the remaining report on April 16.
According to the IMF, the losses recorded by financial institutions since 2020 stood at $2.5 billion.
IMF said the financial sector is extremely exposed to cyber risk, adding that about one-fifth of the recorded cyber incidents in the past two decades have affected the financial industry, “with banks being the most frequent targets, followed by insurers and asset managers.”
“Financial firms have reported significant direct losses, totaling almost $12 billion since 2004 and $2.5 billion since 2020,” IMF said.
“Financial institutions in advanced economies, particularly in the United States, have been more exposed to cyber incidents than firms in emerging markets and developing economies.
“JP Morgan Chase, for example, the largest US bank, recently reported experiencing 45 billion cyber events per day while spending $15 billion every year and employing 62,000 technologists, many focused on cybersecurity.”
Cyber incidents, IMF said, are key operational risks that could threaten the operational resilience of financial institutions and hurt overall macroeconomic stability.
“A cyber incident at a financial institution or at a country’s critical infrastructure could generate macrofinancial stability risks through three key channels: loss of confidence, lack of substitutes for the services rendered, and interconnectedness (Adelmann and others 2020),” IMF said.
“While cyber incidents thus far have not been systemic, ongoing rapid digital transformation, technological innovation (such as artificial intelligence), and heightened global geopolitical tensions exacerbate the risk.”
IMF said direct losses from cyber incidents reported by firms have thus far been generally modest but could become very large.
“Based on available data, the median reported direct loss to a firm from all cyber incidents has been about $0.4 million, and three-fourths of the reported losses are below $2.8 million,” the Bretton Wood institution said.
“Although losses from malicious incidents have been more than five times as large as those from nonmalicious incidents, at around $0.5 million, the magnitude of losses in absolute terms has been generally modest as well.
“For example, most cyber extortions, such as ransomware attacks, or malicious data breaches, have resulted in losses of up to $12 million.”
IMF said the distribution is, however, heavily skewed, with some occurrences imposing losses of hundreds of millions of US dollars.
