There is an urgent need to reduce systemic cyber risks

Like most investors, Norway’s giant sovereign wealth fund, which owns the equivalent of 1.5 per cent of every listed company in the world, has a lot to worry about in an era of gyrating market valuations, surging cost pressures across many industries and heightened geopolitical uncertainty over Ukraine and Taiwan. But what tops its worry list? The 100,000 cyber attacks the fund faces every year, Nicolai Tangen, chief executive of Norges Bank Investment Management, told the Financial Times.

If, as Willie Sutton reputedly said, bank robbers rob banks “because that is where the money is”, then it is little surprise that modern-day criminals are resorting to cyber attacks on financial institutions, such as NBIM, as well as market infrastructure more generally. The number of known malware attacks rose 11 per cent in the first half of the year to 2.8bn, according to the 2022 SonicWall Cyber Threat Report, with the financial sector being particularly actively targeted.

Some cyber experts had feared an even greater cyber onslaught from Russia following its invasion of Ukraine and the imposition of retaliatory sanctions by many western countries — and that may yet materialise. The development of powerful quantum computers, threatening to crack traditional encryption methods, may one day add another dimension to the cyber threat, too.

The most chilling aspect of the Norwegian fund’s warning was that cyber attacks could pose a systemic financial risk. As more of the finance industry moves online, so the surface area that is vulnerable to cyber attacks increases. Nato has been boosting its cyber defence capabilities but the western military alliance should do even more to work with private sector partners. Similarly, the Quantum Dawn cyber resilience tests, periodically run by the US securities industry that involve more than 900 participants across the finance sector, could also be usefully extended to both smaller and more international firms, regulators and central banks.

The lessons from such exercises is that effective cyber defence depends on an active partnership between governments, security agencies and private sector firms. They also highlight that networks are often only as strong as the weakest link in a chain. That puts the responsibility on every financial firm, and every individual within those firms, to play their part in boosting the industry’s defences. In that respect, too many companies are behind the game.

Three things can be done to improve collective resilience. First, more investment should be put into developing, and deploying, more secure encryption technologies. For example, big strides are being made towards implementing homomorphic encryption techniques, which can enhance both privacy and security by enabling computations to be made on encrypted data.

Second, specialist auditing firms could be asked to scrutinise their clients’ data storage and cyber security practices. For some firms, such as aeroplane manufacturers and nuclear power plant operators, successful cyber attacks could endanger lives and pose an existential risk to their businesses. Regulators should know far more about the risks that these companies are running. Third, investors should be quizzing companies in which they invest more rigorously about what actions they are taking to secure their operations. Shareholders should also insist that company boards include directors with real-world cyber expertise.

Sadly, given the cyber threat’s scale and prevalence, risk minimisation rather than elimination is all that can be achieved. But prudent precautions can still help prevent sporadic attacks from turning into a systemic danger.