Regulation of Cyber Risk in the Banking System: A Canadian Case Study

Abstract

Abstract Cyber risk is one of the greatest threats facing any modern financial system; a result of increasing dependence on technology and the appeal of troves of personal data to well-equipped hackers. This article examines the governance of cyber risk in the Canadian banking system in the context of the Covid-19 crisis, which has led to a surge in cyber-attacks. It argues that the existing Canadian regime, which draws heavily on the Basel operational risk framework, is unfit to handle the unique challenges posed by cyber risk. Cyber incidents are unlike traditional operational disruptions in both their dynamism and impact, and are not adequately captured by backward-looking proxies, such as historical losses. There is also a mismatch between the traditional risk-based supervision, which relies on annual risk rating of banks, and the quickly changing cyber profile of regulated entities. Furthermore, the bilateral and institution-specific nature of such supervision leaves out the crucial systemic perspective on cyber risk. This article calls for the current quantitative paradigm, which underlies capital adequacy regulation, to be complemented with a resilience-centric approach aimed at better accommodating and learning from unpredictable cyber incidents. This shift requires revisiting traditional supervisory practices, such as extensive reliance on centralized decision-making and planning—which may prove ineffective in the face of a firm-wide cyber incident—and a dynamic approach that keeps regulation in line with emergent knowledge. The article outlines a number of strategies which can help banks and regulators navigate and adapt to the ever-changing cyber landscape.