Cyber Risk
Cyber risk is the threat that computer systems will be breached, corrupted, or taken offline by malicious actors, causing direct financial loss, operational shutdown, or compromise of sensitive data. Unlike traditional operational risk—a system fails because it was poorly designed—cyber risk involves an adversary actively trying to damage you. The pace of attacks, the sophistication of threat actors, and the interconnectedness of financial systems mean cyber risk now sits at the forefront of institutional worry.
The attack surface of modern finance
A financial institution is a network of systems: trading platforms, settlement systems, customer banking portals, back-office infrastructure, and data centers. Each connection is a potential attack vector. An employee’s email account is compromised; the attacker uses it to pivot into the internal network. A software vulnerability is discovered; the attacker exploits it before a patch is deployed. A third-party vendor’s security is weak; the attacker uses that vendor to infiltrate a bank’s systems.
Attacks come in several flavours. Ransomware locks files and systems, demanding payment for a decryption key. Data breaches steal customer information or trade secrets. Business-email compromise tricks employees into transferring money to fraudulent accounts. Distributed denial-of-service attacks overwhelm systems with traffic, knocking services offline. Insider threats—employees acting maliciously—can bypass external defences entirely. None of these are new, but their scale and sophistication have exploded.
Direct and indirect losses
Direct losses are clearest: a bank loses £50 million in a fraud scheme, or a firm pays £100 million in ransomware demands. Stolen credit-card data exposes the bank to liability and reputational damage. A trading system is hacked; erroneous trades are executed, resulting in losses the firm must absorb.
Indirect losses multiply quickly. If a custodian or major financial utility is attacked and goes offline, even uncompromised firms face cascading disruption. Settlement systems fail; trades can’t clear. Payment systems freeze; liquidity evaporates. A systemic attack on critical infrastructure—the power grid, the Internet backbone, or a major exchange—propagates shocks across markets globally. The 2012 attack on Saudi Aramco destroyed tens of thousands of computers; Saudi Arabia’s broader economy felt the ripple.
Beyond direct financial loss sit reputational costs. A firm that loses customer data faces regulatory fines, litigation, and lost trust. Customer accounts migrate to competitors. Stock prices fall. Insurance doesn’t cover reputational harm.
Ransomware and the extortion model
Ransomware attacks have become a cottage industry. A criminal gang penetrates a firm, exfiltrates sensitive data, then encrypts the systems and demands payment for the decryption key. If the firm refuses, the gang sells the data or posts it publicly, creating reputational and regulatory risk.
The business model is brutally effective: firms often pay the ransom because the cost of downtime—halted trading, inaccessible systems, lost transactions—exceeds the ransom demand. Some firms pay even knowing that payment funds further attacks. Regulatory pressure is rising; some jurisdictions now restrict ransom payments. But the supply of cyber criminals far exceeds law enforcement’s capacity to prosecute, so the attacks persist.
Third-party and supply-chain risk
A financial firm’s own systems might be fortress-like, but its vendors often aren’t. A cloud-service provider stores your data; if that provider is hacked, your data is stolen. A software vendor supplies back-office systems; a vulnerability in that software exists for months before discovery, during which every firm using that software is exposed. A payment processor is compromised; transactions are rerouted.
Supply-chain risk is particularly vicious because it’s distributed and hard to see. A bank might audit its top 10 vendors religiously but rely on 500 third-party services through intermediaries, any one of which could be an entry point. The Colonial Pipeline ransomware attack in 2021 didn’t require the hackers to be particularly sophisticated—they exploited a compromised VPN password, a mundane supply-chain failure. The US energy sector ground to a halt.
Systemic and contagion effects
A large institution falling to a major cyber attack creates contagion risk. If a central bank or major clearing house is hit, the entire financial system feels the tremor. During COVID lockdowns, when financial-services workforces shifted to remote work, cyber attacks spiked; attackers exploited hastily secured VPNs and home networks. If a truly systemic event—a coordinated attack on multiple major banks, or a successful attack on the Federal Reserve itself—materialised, the consequences would dwarf any single firm’s losses.
Regulators have begun treating cyber resilience as a prudential requirement on par with capital ratios and liquidity buffers. The Dodd-Frank Act and equivalent global regulations now require banks to maintain cyber-attack response plans, incident reporting, and recovery procedures. But regulation lags the threat.
Insurance and the limits of protection
Cyber insurance is available, but its scope is often narrow. It covers certain direct losses (theft, extortion, business interruption) but not others (reputational harm, systemic contagion). Premiums are rising sharply as insurers learn the true cost of cyber claims. And increasingly, insurers exclude coverage for firms deemed to have poor security hygiene—unpatched systems, weak passwords, no multi-factor authentication. This creates a perverse incentive: only well-resourced firms can afford cyber insurance, while weaker firms go bare.
A firm betting on cyber insurance as its primary risk management is fooling itself. Insurance is a backstop for catastrophic loss, not a substitute for strong defence.
Detection and response
Modern cyber defence is not binary—either breached or not. Instead, it’s assumed that attackers will penetrate; the goal is to detect intrusions quickly, isolate compromised systems, and limit damage. This requires continuous monitoring, threat-intelligence sharing, and incident-response protocols that are tested regularly.
Some firms hire “red teams”—internal security experts who actively try to breach their own systems, finding weaknesses before real attackers do. Others join threat-intelligence consortiums where firms share information on attacks and vulnerabilities, multiplying collective awareness. But good cyber defence requires sustained capital investment and skilled staff. Automation can help, but ultimately, detecting a sophisticated adversary often requires humans.
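The “assume breach, detect quickly” posture described above can be made concrete with a small detection rule. The following is an added example, not code from the original article: it scans a constructed authentication log for the pattern that typically accompanies a compromised employee account (the entry vector mentioned earlier), namely a burst of failed logins followed by a success, or a success from a source address the account has never used. The log format, usernames, IP addresses, thresholds and the per-account “known sources” baseline are all assumptions made for the example.

```python
"""Added example (not from the original article): a minimal detection rule
run over constructed authentication log lines.

It implements the "assume breach, detect quickly" posture the article
describes: rather than trying to block every login attempt, it scans an
authentication log for the pattern that typically accompanies a compromised
employee account -- a burst of failed logins followed by a success from a
source address the account has never used before.

All log lines, usernames and IP addresses below are constructed for the
example; the format is an assumed syslog-like layout, not any vendor's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:04 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:09 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:15 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:21 OK   user=alice src=203.0.113.7
2024-03-01T09:05:00 OK   user=bob   src=198.51.100.20
2024-03-01T09:06:30 FAIL user=bob   src=198.51.100.20
2024-03-01T09:06:45 OK   user=bob   src=198.51.100.20
2024-03-01T10:00:00 OK   user=alice src=192.0.2.44
"""

# Tunable thresholds (assumed values for the example).
FAIL_THRESHOLD = 3             # failures needed before a success is suspicious
WINDOW = timedelta(minutes=5)  # look-back window for counting failures

# Addresses each account has been seen logging in from before this log
# (constructed; in practice this comes from a baseline of historical logins).
KNOWN_SOURCES = {
    "alice": {"192.0.2.44"},
    "bob": {"198.51.100.20"},
}


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect(log_text, known_sources=KNOWN_SOURCES,
           fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, one per suspicious successful login.

    A success is flagged when, within `window` before it, the same account
    accumulated at least `fail_threshold` failures, or when the source
    address is not in that account's known set.  Both conditions together
    are reported with severity 'high', a single one with 'medium'.
    """
    recent_fails = defaultdict(list)  # user -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        # Drop failures that have aged out of the look-back window.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
        if result == "FAIL":
            recent_fails[user].append(ts)
            continue
        reasons = []
        if len(recent_fails[user]) >= fail_threshold:
            reasons.append("success after %d failures" % len(recent_fails[user]))
        if src not in known_sources.get(user, set()):
            reasons.append("new source address")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append({"time": ts.isoformat(), "user": user, "src": src,
                           "severity": severity, "reasons": reasons})
        recent_fails[user].clear()  # a success resets the failure counter
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as-is, the rule raises one high-severity alert for the constructed `alice` login at 09:00:21 (four failures in the preceding window, then a success from an address she has never used) and stays silent for `bob`, whose single typo-style failure from a known address is normal behaviour. The point is the article’s: the value of monitoring lies in how quickly an alert like this reaches a human who can isolate the account, not in the rule itself.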
The investor perspective
For equity and debt investors, cyber risk is now a material factor in valuing firms. A company with poor cyber discipline faces an elevated risk of catastrophic loss. Institutional investors increasingly demand cyber-security audits and insurance disclosures. Firms in sensitive sectors—banking, insurance, energy, healthcare—face the highest scrutiny. A firm that describes itself as “not vulnerable to cyber attack” is probably not thinking hard enough.
At the portfolio level, diversification across industries and geographies reduces exposure to any single catastrophic cyber event. Avoiding firms with known cyber vulnerabilities or poor security track records is prudent. And recognising that cyber risk is systemic—a major attack on financial infrastructure could trigger broad market losses—argues for keeping overall portfolio risk measured even if cyber insurance seems cheap.
See also
Closely related
- Operational Risk — broader category of losses from system failures
- Systemic Risk — contagion effects if major institutions are compromised
- Counterparty Risk — exposure to third parties that may fail from cyber attack
Wider context
- Custodian — third parties holding assets vulnerable to cyber theft
- Federal Reserve — critical infrastructure whose cyber resilience matters globally
- Central Bank — payment and settlement systems exposed to attack
- Dodd-Frank Act — regulatory framework increasingly addressing cyber resilience
- Market Risk — contagion from cyber disruption to trading and settlement
- Business Cycle — cyber attacks may trigger or amplify downturns through supply disruption