Member of the Board Tuomas Välimäki
Cyber as a Systemic Risk policy panel
4th Annual Nordic Cyber in Finance Conference
Oslo and online, 30 November 2021
introductory statement: Cyber as a systemic risk
Good morning everyone. I am glad to be able to participate this excellent conference on cyber issues and especially this policy panel on the systemic aspects related to cyber risks.
As a central banker, systemic risks and their prevention are close to my heart. Nowadays, one easily forgets that central banks were not invented to steer interest rates, nor to ensure price stability. We were established in most cases to safeguard financial stability. For example, the Fed was created back in 1913 to prevent bank runs, that were common in the first decade of last century.
Loss of confidence is often the key feature behind not only bank panics but all types of systemic events. And if it’s not the origin, loss of confidence will anyway escalate the crises to the next level. Even solvent institutions are fragile, when they run out of liquidity, and your liquidity position is guaranteed only just as long as other market participants have confidence in you. Through contagion, confidence in you and other market participants may deteriorate, even if it’s your peer institution that is facing a crisis.
To address this this type of developments, i.e. to preserve confidence in the financial system, central banks have become the lenders of last resort not only to banks but sometimes also even, more widely to the financial markets.
Our role in systemic crisis prevention is not limited to addressing liquidity crisis, we have also been given an oversight function. We are overseeing payment and settlement systems, whereby the objectives of safety and efficiency are promoted by monitoring existing and planned systems, assessing them against these objectives and, where necessary, inducing changes.
So, addressing financial stability in all formats is our business, and maintaining confidence is a key to addressing all types of systemic crisis.
However, whereas our means to deal with liquidity crisis have unfortunately been tested many times during past decades, our toolkit for addressing payment and settlement system or a banking crisis originating from cyber incidents are not so straight forward – printing more money does not help solving a cyber incident.
That’s why, on this front, we need to be even more concerned on crisis prevention: we need thorough monitoring to identify threats, we need to have comprehensive plans for quick recovery to facilitate business continuity, and we need common platforms to share information on cyber incidents.
Everyone in the business should understand that we are not playing a zero-sum game here. The financial sector is all about trust and if the trust is compromised in one entity, it has negative effects on the whole industry not just the individual entity. Cyber threats are common: I am not better off if my competitor is being hit by a cyber incident. If you were attacked last week, I am likely to be the target this week, and if confidence is lost in one part of the market, everybody is likely to suffer – like in systemic liquidity crises.
Hence, keeping your house in order is not enough, we should all try to enhance resilience of all participants in the business. Sharing information on cyber issues seems to be an excellent way to this aim. The Finance ISAC (the information sharing and analysis center) is an important example in Finland of an entity built for this purpose.
Finance ISAC brings together the national Cyber security center, which is the competent authority, and the industry. I encourage this and other similar forums to develop tools for open information sharing, as knocking on the wall of one bank is likely to happen again in the next bank.
Cyber risks have been increasing with the industry having become as digitalized as it is today. Cyber is one of the operational risks, but due the importance of it, it deserves to be treated separately.
We have become familiar dealing with the many threats to the financial system over the past decades. However, many cyber issues are so new that we cannot really know how well we are able to deal with them.
That’s why, we also need new types of testing procedures. We, the central banks in many Nordic countries, have been promoting the Threat Intelligence Based Ethical Red teaming for financial institutions in our jurisdictions. But if we think this is the right direction for banks and insurance companies in Finland, why not expose the central banks themselves to such tests?
This is what we asked ourself, before we, at the Bank of Finland, decided to expose our operations, systems and processes to a TIBER-test, to find out how well we can identify, recover and respond to a sophisticated attack. The findings were eye-opening. For example, the test revealed how an attacker could make use of the information the employees and the bank has put into social media. Without going into more details, we gained useful information on preparing for cyber threats.
In the Nordics, we have much in common. Several banks operate in many Nordic Countries and there is shared infrastructure as well. This goes also to the supporting supply chain that at least partly is common to us all.
From the TIBER-perspective, there are many aspects supporting this. The central banks are working together, and this cooperation is continuously being developed further. As a starting point for the tests, Danmarks NationalBank, Suomen Pankki (Bank of Finland) and next year also Norges Bank will use the same threat information from Nordic Financial CERT. As I mentioned Norges Bank in this context, I want to mention that we have been following their preparations with interest, and we are happy to hear about the decision to establish TIBER-NO.