BIS on Impact of Increasing Use of Cloud Technology on Cyber Risk
BIS published a working paper that examines the drivers of cyber risk, especially in context of the cloud services. The paper highlights that the use of cloud services is associated with lower costs, especially when cyber incidents are relatively small. However, as cloud connectivity increases and cloud providers become systemically important, cloud dependence is also likely to increase tail risks. The study finds that developing technological skills helps firms mitigate the costs of cyber incidents, as does more reliance on cloud services.
Cloud technology can reduce IT costs, improve resilience, and enable firms to scale better. However, the technology strengthens interdependence across firms that have shared exposures to similar (or even the same) cloud service providers. This technology enables firms to rent computing power and storage from service providers, which gives them flexibility in their storage costs. However, all of this comes with some risks, as it involves firms inherently placing a lot of trust in vendors of cloud technology. The presence of a market failure through information asymmetry between buyer and vendor is rather well-recognized. Often users of cloud services may not know the exact location of their data or the other sources of the data collectively stored with theirs. The financial sector experiences the highest number of cyber incidents (especially of a malicious type, privacy and lost data incidents). However, banks and insurance companies incur more limited losses relative to other sectors, likely due to the effects of regulation and higher investment in cyber security. Additionally, crypto-related activities, which are largely unregulated, are associated with higher losses.
Nevertheless, cloud computing can be a target for cyber criminals and could pose a concern in terms of systemic risk. Providers of cloud services, undoubtedly have some of the best cyber-security experts and ultimately provide highly secure services, but tail risks could lead to substantial losses and potentially bring the economy to a halt. Moreover, the market for cloud services is highly concentrated and there are warnings about increased homogeneity and the greater risk of single points of failure. Through shared software, hardware, and vendors, incidents could, in principle, spread more quickly, leading to higher overall costs. The impact of the use of cloud services in the case of cyber attacks can thus go both ways and clearly depends on the benefit-risk analysis. Based on this, the authors have made a hypothesis. A higher dependency on cloud technologies can alter losses from cyber events. However, the net benefit depends on the connectivity of the cyber incidents and the size of the shock.
Related Links
Keywords: International, Banking, Insurance, Securities, Cloud Computing, Cyber Risk, Systemic Risk, Operational Risk, BIS
Previous Article
BoE Publishes Version 2.0.1 of Capital+ XBRL UtilityRelated Articles
EBA Issues Erratum for Phase 2 Package of Reporting Framework 3.0
EBA published an erratum for the technical package on phase 2 of the reporting framework 3.0.
EBA Updates Lists of Entities for Use in Capital Calculations under SA
EBA published an erratum for the technical package on phase 2 of the reporting framework 3.0.
MAS Amends Notice on Related Party Transactions of Banks
MAS amended Notice 643A that addresses requirements for banks to prepare statements of exposures and credit facilities to related concerns or parties.
ECB Amends Guideline on Euro Short-Term Rate
ECB has published, in the Official Journal of the European Union, the Guideline 2021/565 on the euro short-term rate (€STR) and this guideline amends the previous ECB Guideline 2019/1265.
EBA Consults on Standards Related to FRTB-SA
EBA launched a consultation on the draft regulatory technical standards on the list of countries with an advanced economy for calculating the equity risk under the alternative standardized approach (FRTB-SA).
PRA Proposes Rules Related to IRB Approach for Credit Risk
PRA is proposing, via CP7/21, the approach to implementing new requirements related to the specification of the nature, severity, and duration of an economic downturn in the internal ratings-based (IRB) approach to credit risk.
BoE Outlines Regulatory Treatment of Recovery Loan Scheme of UK
The UK government launched the Recovery Loan Scheme (RLS) as part of its continued COVID-19 support for UK businesses, as announced by HM Treasury on March 03, 2021.
FSB Addresses G20 on COVID Measures, TBTF Reforms, and Climate Risks
FSB published a letter, from its Chair Randal K. Quarles, to the G20 Finance Ministers and Central Bank Governors, ahead of their virtual meeting on April 07, 2021.
OSFI Unwinds Temporary Increase to Covered Bond Limit for Banks
OSFI issued a letter to the deposit-taking institutions issuing covered bonds and announced the unwinding of the temporary increase to the covered bond limit for deposit-taking institutions, effective immediately.
EU Amends CRR and Securitization Regulation in Response to Pandemic
To support recovery from the COVID-19 crisis, EU has published two regulations to amend the securitization framework, as set out in the Securitization Regulation (2017/2402) and the Capital Requirements Regulation or CRR (575/2013).