BIS on Impact of Increasing Use of Cloud Technology on Cyber Risk
BIS published a working paper that examines the drivers of cyber risk, especially in context of the cloud services. The paper highlights that the use of cloud services is associated with lower costs, especially when cyber incidents are relatively small. However, as cloud connectivity increases and cloud providers become systemically important, cloud dependence is also likely to increase tail risks. The study finds that developing technological skills helps firms mitigate the costs of cyber incidents, as does more reliance on cloud services.
Cloud technology can reduce IT costs, improve resilience, and enable firms to scale better. However, the technology strengthens interdependence across firms that have shared exposures to similar (or even the same) cloud service providers. This technology enables firms to rent computing power and storage from service providers, which gives them flexibility in their storage costs. However, all of this comes with some risks, as it involves firms inherently placing a lot of trust in vendors of cloud technology. The presence of a market failure through information asymmetry between buyer and vendor is rather well-recognized. Often users of cloud services may not know the exact location of their data or the other sources of the data collectively stored with theirs. The financial sector experiences the highest number of cyber incidents (especially of a malicious type, privacy and lost data incidents). However, banks and insurance companies incur more limited losses relative to other sectors, likely due to the effects of regulation and higher investment in cyber security. Additionally, crypto-related activities, which are largely unregulated, are associated with higher losses.
Nevertheless, cloud computing can be a target for cyber criminals and could pose a concern in terms of systemic risk. Providers of cloud services, undoubtedly have some of the best cyber-security experts and ultimately provide highly secure services, but tail risks could lead to substantial losses and potentially bring the economy to a halt. Moreover, the market for cloud services is highly concentrated and there are warnings about increased homogeneity and the greater risk of single points of failure. Through shared software, hardware, and vendors, incidents could, in principle, spread more quickly, leading to higher overall costs. The impact of the use of cloud services in the case of cyber attacks can thus go both ways and clearly depends on the benefit-risk analysis. Based on this, the authors have made a hypothesis. A higher dependency on cloud technologies can alter losses from cyber events. However, the net benefit depends on the connectivity of the cyber incidents and the size of the shock.
Related Links
Keywords: International, Banking, Insurance, Securities, Cloud Computing, Cyber Risk, Systemic Risk, Operational Risk, BIS
Featured Experts
Dr. Samuel W. Malone
Sam leads the quantitative research team within the CreditEdge™ research group. In this role, he develops novel risk and forecasting solutions for financial institutions while providing thought leadership on related trends in global financial markets.
Previous Article
PRA Further Reprioritizes Work to Support Firms Amid COVID CrisisRelated Articles
EBA Updates List of Validation Rules for Reporting by Banks
EBA issued a revised list of validation rules with respect to the implementing technical standards on supervisory reporting.
EBA Responds to EC Call for Advice to Strengthen AML/CFT Framework
EBA published its response to the call for advice of EC on ways to strengthen the EU legal framework on anti-money laundering and countering the financing of terrorism (AML/CFT).
NGFS Advocates Environmental Risk Analysis for Financial Sector
NGFS published a paper on the overview of environmental risk analysis by financial institutions and an occasional paper on the case studies on environmental risk analysis methodologies.
MAS Issues Guidelines to Promote Senior Management Accountability
MAS published the guidelines on individual accountability and conduct at financial institutions.
APRA Formalizes Capital Treatment and Reporting of COVID-19 Loans
APRA published final versions of the prudential standard APS 220 on credit quality and the reporting standard ARS 923.2 on repayment deferrals.
SRB Chair Discusses Path to Harmonized Liquidation Regime for Banks
SRB published two articles, with one article discussing the framework in place to safeguard financial stability amid crisis and the other article outlining the path to a harmonized and predictable liquidation regime.
FSB Workshop Discusses Preliminary Findings of Too-Big-To-Fail Reforms
FSB hosted a virtual workshop as part of the consultation process for its evaluation of the too-big-to-fail reforms.
ECB Updates List of Supervised Entities in EU in September 2020
ECB updated the list of supervised entities in EU, with the number of significant supervised entities being 115.
OSFI Identifies Focus Areas to Strengthen Third-Party Risk Management
OSFI published the key findings of a study on third-party risk management.
FSB Extends Implementation Timeline for Framework on SFTs
FSB is extending the implementation timeline, by one year, for the minimum haircut standards for non-centrally cleared securities financing transactions or SFTs.
