Hybrid and Cybersecurity Threats and The European Union's Financial System
5 The reported average loss increased 61 percent from 2018 to 2019, reaching $369,000 (Hiscox, 2019). The report surveyed 5,400 firms in the US, UK, Belgium, France, Germany, Spain and the Netherlands. Approximately three out of four businesses failed a cyber-readiness test. However, Hiscox (2019) notes many cyber incidents involve viruses/worms, which might not constitute an ‘attack’ on a specific company.
6 https://www.bitkom.org/Presse/Presseinformation/Attacken-auf-deutsche-Industrie-verursachten-43-Milliarden-Euro-Schaden.html.
[Figure: chart with a vertical axis from 0 to 80 and a horizontal axis covering 2011 to 2018]
Source: Bruegel. Note: We classify articles in Factiva as cyber-attack news if they contain the words ‘Cyber attack’, while simultaneously
falling into any of the Factiva classifications ‘Malware’, ‘Data breaches’ or ‘Cybercrime/Hacking’ (Factiva articles in 31 languages). Factiva
also identifies by name the company being discussed in these articles. One or more cyber-attack articles written about a listed company
in any given month counts as one ‘cyber-attack event’. A ‘cyber-attack event’ might not necessarily correspond to an actual cyber attack
but, for example, to new measures companies take to fight cyber attacks, among other issues.
Cyber attacks are not restricted to listed companies but are also relevant for public and other institutions. Figure 2 lists the various EU28 institutions reported in the press as having been subject to notable cyber attacks in the past 12 months. Again, while press reports cover only a fraction of actual attacks, it is evident that the issue concerns a broad range of entities across sectors and topics. Given the highly interconnected nature of our economic systems, an attack on a public sector entity might well have repercussions for the financial system. For example, five million Bulgarians had their personal data stolen in an attack on the Bulgarian tax authority in mid-20197. This data could potentially represent risks to financial firms if, for example, stolen identities are used by criminals. The scope and complexity of modern economic systems imply that the downside risks of cyber attacks can be extremely disruptive and costly.
The literature on the impact of terrorism on the financial system can help discern
some of the implications of physical-infrastructure disruptions related to hybrid attacks.
Large-scale terror attacks can disrupt physical infrastructure, as can hybrid attacks in which,
for example, deep-sea cables are targeted. It is therefore useful to look at the empirical
literature assessing the impact of events such as the 11 September 2001 attacks in the United
States on the companies concerned and on the stability of the financial system, in order to
better understand the effects of physical disruptions to infrastructure. Theoretically, three
impacts can be distinguished: the short-term market impact arising from the destruction of
value; the medium-term confidence effects and the longer-term effects on productivity. The
empirical literature typically finds that even a large and successful terror attack such as 9/11
does not fundamentally endanger the stability of the global financial system or the global
Figure 2: Notable cyber attacks in the EU28 in the year to July 2019 as reported in the press

PUBLIC INSTITUTION: 12
> Bank of Spain (2018/11)
> Germany Parliament Members
> Germany Military + embassies (2018/11)
> UK Parliament (2018/12)
> UK Post Office (2018/12)
> Federal Maritime and Hydrographic Agency (2019/02)
> Spain Ministry of Defence (2019/03)
> UK local Gov. networks (2019/04)
> Finnish Ministry of Justice (2019/04)
> Lithuanian Defense Ministry (2019/04)
> Bulgarian Tax agency (2019/07)
> Croatian Gov. Agencies (2019/07)

COMPANY: 8
> Bristol Airport (2018/09)
> Telegram (2018/11)
> UK engineering company
> Ushio Inc. (2018/12)
> Oil & Gas companies in Germany (2019/03)
> Oil & Gas companies in the UK (2019/03)
> Telegram (2019/06)
> ASCO Industries NV (2019/06)

UNIVERSITY: 6
> Universities in Germany (2018/08)
> Universities in Italy (2018/08)
> Universities in the Netherlands (2018/08)
> Universities in the UK (2018/08)
> IESE Business School (2018/09)
> Lancaster University (2019/07)

LISTED COMPANIES: 12
> C&A (2018/09)
> Saipem SpA (2018/12)
> Altran Technologies (2019/01)
> Nyrstar SA/NV (2019/01)
> Airbus SE (2019/02)
> Bayer AG (2019/04)
> Wolters Kluwer NV (2019/05)
> Eurofins Scientific SE (2019/06)
> BASF SE (2019/07)
> Henkel (2019/07)
> Sephora (2019/07)
> Siemens AG (2019/07)

OTHER: 6
> Unidentified targets in France (2018/08)
> Unidentified targets in Greece (2018/08)
> Unidentified targets in Latvia (2018/08)
> Unidentified targets in Poland (2018/08)
> Unidentified targets in the Netherlands (2018/08)
> Unidentified targets in the UK (2018/08)

INTERNATIONAL INSTITUTION: 3
> FIFA (2018/10)
> Organisation for the Prohibition of Chemical Weapons (2018/10)
> European Gov. Agencies (2019/03)

INTERNATIONAL NGO: 1
> German Red Cross (2019/07)
Source: Bruegel based on Factiva and CSIS data. Note: Cyber attacks were identified through a Factiva search for cyber-attack news published between August 2018 and July 2019 (as explained in the note to Figure 1). We identified additional attacks through the ‘Significant Cyber Incidents’ list provided by the Center for Strategic & International Studies (CSIS), which focuses on “cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars”11.
8 See Drakos (2004), Brounen and Derwall (2010) and Apergis and Apergis (2016).
9 See Chen and Siems (2003), Nikkinen and Vahamaa (2010), Maillet and Michel (2005) and Burch and Emery (2003).
10 See Chen and Siems (2003), Johnston and Nedelescu (2006) and Ferguson (2003).
11 Available at https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents.
12 This followed on from various initiatives. The European Banking Authority (EBA) published a set of guidelines on
ICT risk assessment in 2017, supplementing its own general Supervisory Review and Evaluation Process guidelines,
which are used when the supervisor evaluates whether a bank meets capital requirements and manages risks. These
guidelines refer to measures to mitigate ICT risks, information security and recommend that measures be put in
place. The Committee on Payments and Market Infrastructures and the International Organisation of Securities
Commissions published guidance on cyber resilience for all FMIs in 2016, complementing its own Principles for
Financial Market Infrastructures.
13 The ECB also emphasises the need for dynamism in approaching cybersecurity (Kopp et al, 2017). This requires promoting situational awareness and a process of continuous learning as cyber-related threats change and evolve.
14 Surveys from ACCA (2019), Kaspersky (2018) and TD Ameritrade Institutional (2019) show that cybersecurity is increasingly being prioritised by companies. Cybersecurity service providers are also expanding in revenue and achieving record product sales, while large technology companies, including BlackBerry, Symantec, IBM, BAE Systems and CISCO, are redirecting their investments towards cybersecurity.
15 The European Centre of Excellence for countering Hybrid Threats in Helsinki is an intergovernmental think tank, also supported by NATO and the EU. Other institutions with primarily analytical capacities exist, such as the European Union Institute for Security Studies.
16 See https://eeas.europa.eu/sites/eeas/files/joint_communication_increasing_resilience_and_bolstering_capabilities_to_address_hybrid_threats.pdf.
17 There are conflicting messages here. When we spoke to large individual financial firms, they were confident that they take adequate cybersecurity measures. However, a survey run by IMD International (Switzerland, World Competitiveness Center, www.imd.org/wcc) showed that business leaders in many countries increasingly believe that cybersecurity is not adequately addressed. Also there are strong theoretical arguments why individual institutions might underinvest in cybersecurity, as they have an incentive to capitalise on other firms’ actions (Gordon et al, 2015).
Need to review the capital requirements?
Capacity to organise rapid macro-policy response
Source: Authors’ assessment based on interviews and reading of publicly available literature.
18 BIS (2018) surveyed the range of practices in different jurisdictions in terms of managing cyber risks. They found that most
regulators have taken action to promote the creation of frameworks that enhance the cyber resilience of those they regulate.
They did that by either issuing principles-based guidance or prescriptive regulation. The Basel Committee commented
on the lack of homogeneity in approach, style and regulatory requirements across the globe. And while most regulatory
authorities expect entities to have a cybersecurity strategy, they do not actually require it. As the financial sector becomes
increasingly digital, there is a need for greater alignment of national regulators and supervisors.
1. Information sharing can be improved within and between jurisdictions. The Basel Committee (BIS, 2018) reports that most jurisdictions have put in place cyber-security information-sharing mechanisms (either mandatory or voluntary) involving banks, regulators and security agencies. Following an attack, financial institutions are required to report to the authorities. BIS (2018) also found that banks communicate adequately between themselves, with the regulator and with national security agencies in the event of an attack. By contrast, there is typically much less communication going from the regulator back to banks, or between regulators across borders. Some EU banks have indicated to us that they receive very little communication from authorities on cyber risks, in contrast to the detailed information banks are required to provide. Collaboration between the private sector and public authorities is important when it comes to information exchange and responding to ongoing attacks, as also emphasised by the NIS Directive.
2. When it comes to testing, the EU and the euro area in particular should consider holding regular preparedness exercises for the financial system. The G7 under the French presidency undertook in summer 2019 a cyber-attack exercise, but to our knowledge no such exercises for the financial system have been carried out at the EU or euro-area level. Clear assignment of responsibilities and rapid cross-border collaboration between national and European authorities and the private sector are critical to understanding how to reduce the damage and recover quickly. While the European Union Cybersecurity Agency (ENISA) carries out exercises in other sectors19, an EU-wide exercise focusing on the financial system seems warranted.
3. The tension between national sovereignty on security matters and shared responsibility for financial-system stability creates multiple challenges. For example, responses to cyber incidents involve law-enforcement agencies, which do not necessarily follow a sufficiently integrated approach to account for the wider implications to the EU financial system. Even more difficult is the question of political judgement and response to hybrid
As cyber and hybrid risks increase, the EU’s system of fragmentation on issues of security,
but centralisation on financial and other economic issues, will be tested. This asymmetry was
not an obstacle in a world in which security threats were more contained (or of a different
nature) and the EU trusted the United States to be its security guarantor. We believe that
Europe will be increasingly asked to provide for its own security, and as a unit. At the very
least, it will require a greater level of collaboration among national authorities.
References
ACCA (2019) Cyber and the CFO, Association of Chartered Certified Accountants
Apergis, E. and N. Apergis (2016) ‘The 11/13 Paris terrorist attacks and stock prices: the case of the
international defense industry’, Finance Research Letters 17 (C): 186-192
Arcuri, M.C., M. Brogi and G. Gandolfi (2017) ‘How does cybercrime affect firms? The effect of
information security breaches on stock returns’, Proceedings of the First Italian Conference on
Cybersecurity, January
BIS (2018) Cyber-resilience: Range of practices, Basel Committee on Banking Supervision, December
Brounen, D. and J. Derwall (2010) ‘The Impact of Terrorist Attacks on International Stock Markets’,
European Financial Management 16 (4): 585-598
Burch T., D. Emery and M. Fuerst (2010) ‘What can “nine-eleven” tell us about closed-end fund discounts
and investor sentiment?’ The Financial Review 38: 515-529
Chen, A. and T. Siems (2003) ‘The effects of terrorism on global capital markets’, European Journal of
Political Economy 20 (2): 349-366
DCMS (2019) Cyber Security Breaches Survey 2019, UK Department for Digital, Culture, Media & Sport, available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/813599/Cyber_Security_Breaches_Survey_2019_-_Main_Report.pdf
de Boer, N., H. Sütfeld and J. Groshek (2012) ‘Social media and personal attacks: A comparative
perspective on co-creation and political advertising in presidential campaigns on YouTube’, First
Monday 17(12)
Drakos, K. (2004) ‘Terrorism-induced structural shifts in financial risk: airline stocks in the aftermath of
the September 11th terror attacks’, European Journal of Political Economy 20 (2): 435-446
ECB (2018) Cyber resilience oversight expectations for financial market infrastructures, European Central
Bank, December
ESAs (2019) ‘Joint advice on the costs and benefits of developing a coherent cyber resilience testing framework for significant market participants and infrastructures within the whole EU financial sector’, JC 2019 25, European Supervisory Authorities, 10 April, available at https://eba.europa.eu/documents/10180/2551996/JC+2019+25+%28Joint+ESAs+Advice+on+a+coherent+cyber+resilience+testing+framework%29.pdf
EPRS (2019) ‘ENISA and a new cybersecurity act’, Briefing, 26 February, European Parliamentary
Research Service
Fama, E. and K.R. French (1992) ‘The Cross‐Section of Expected Stock Returns’, The Journal of Finance
47(2): 427-465
Ferguson, R.W. (2003) ‘11 September, the federal reserve, and the financial system’, speech on 5 February,
available at: https://www.bis.org/review/r030207d.pdf
Fiott D. and R. Parkes (2019) ‘Protecting Europe: the EU’s response to hybrid threats’, Chaillot Paper 151,
April, European Union Institute for Security Studies
Frey B., S. Luechinger and A. Stutzer (2007) ‘Calculating tragedy: Assessing the costs of terrorism’, Journal
23 See IMF (2001), Johnston and Nedelescu (2006), Maillet and Michel (2005) and Chen and Siems (2003).
Where:
Yit is the market return of company at time , i.e., , with representing the stock price of
company at time ;
RFt is the risk-free rate at time , the monthly-equivalent of the 10-year US Treasury Bond
rate;
MKt is the market return at time , the market return of the S&P500 Index;
SMBt is the Fama-French monthly Small Minus Big Factor, meant to control for the excess
returns of small (low market cap) stock portfolios compared to big stock (large market cap)
portfolios;
HMLt is the Fama-French monthly High Minus Low Factor, meant to control for the excess
returns of large book-to-value stock portfolios compared to low book-to-value portfolios24;
Cit is the variable of interest, representing the severity of a cyber attack event on company i
at time t.
The variable of interest is the number of times a company has been mentioned in the media, in a given month, in cyber-attack news (see note to Figure 1 for definition of cyber-attack news). Our assumption here is that more substantial attacks are more likely to be commented on by more media outlets and more frequently. The number of mentions in the media also directly correlates with dissemination of information to the public and thus brings higher reputation costs. Variable is therefore a proxy for the severity of the cyber attack.
The companies in question are all those which over the 2011-2019 period were mentioned in the media as targets of cyber attacks.
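The classification rule from the note to Figure 1 and the monthly mention count used as the variable of interest can be written out as follows. This is an added example, not the authors' code: the article record layout, the company names and the case-insensitive phrase match are assumptions, and the sample articles are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Factiva classifications named in the note to Figure 1.
CYBER_SUBJECTS = frozenset({"Malware", "Data breaches", "Cybercrime/Hacking"})

@dataclass(frozen=True)
class Article:
    company: str          # company the article is about (hypothetical names below)
    month: str            # publication month, "YYYY-MM"
    text: str
    subjects: frozenset   # classifications attached to the article

def is_cyber_attack_news(article):
    """Both conditions must hold: the words 'Cyber attack' appear in the text
    (matched case-insensitively, an assumption) and the article carries at
    least one of the three classifications."""
    has_phrase = "cyber attack" in article.text.lower()
    return has_phrase and bool(article.subjects & CYBER_SUBJECTS)

def mention_counts(articles):
    """Variable of interest: cyber-attack articles per (company, month)."""
    return Counter((a.company, a.month) for a in articles
                   if is_cyber_attack_news(a))

def monthly_events(counts):
    """Figure 1 series: a company with one or more qualifying articles in a
    month contributes exactly one 'cyber-attack event' to that month."""
    return Counter(month for (_company, month) in counts)

# Constructed sample input.
SAMPLE = [
    Article("ExampleBank", "2019-03", "Cyber attack disrupts payment systems",
            frozenset({"Cybercrime/Hacking"})),
    Article("ExampleBank", "2019-03", "Regulator comments on cyber attack at bank",
            frozenset({"Data breaches"})),
    # Not an attack on the company, yet it still counts under the rule;
    # the note to Figure 1 flags exactly this limitation.
    Article("ExampleCo", "2019-03", "ExampleCo hires staff to defend against any cyber attack",
            frozenset({"Malware"})),
    # Right classification, but the phrase is missing: excluded.
    Article("ExampleCo", "2019-04", "Malware found on a supplier laptop",
            frozenset({"Malware"})),
    # Phrase present, but none of the three classifications: excluded.
    Article("ExampleBank", "2019-04", "Cyber attack aftermath: share price steadies",
            frozenset({"Banking"})),
]

if __name__ == "__main__":
    counts = mention_counts(SAMPLE)
    print(dict(counts))
    print(dict(monthly_events(counts)))
```
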
We got the following key results:
1. A press mention of a company in the context of a cyber attack is not enough for a statistically significant decrease in its returns. Only if a company is mentioned more than 15 times in a month in the context of a cyber attack do we find a negative effect on monthly returns.
2. We estimate that 100 mentions of a cyber attack event on a company in the media in a given month is associated with a decrease of 2.6 to 3.2 percentage points on the company’s monthly returns.
3. We do not find any evidence that financial companies are more affected than non-financial companies, nor banks specifically.
24 For information on the rationale behind the factors, refer to Fama and French (1992). For information on the factors
see Kenneth R. French at https://mba.tuck.dartmouth.edu/pages/faculty/ken.french/Data_Library/f-f_factors.html.