Speech

Building Cyber Resilience

December 9, 2020

It has been a pleasure to host you virtually at the fourth annual cybersecurity workshop. Normally, we would have invited you to join us in person in Washington DC, allowing us to meet, get to know each other and learn from each other —but this has been an exceptional year, with exceptional circumstances.

The COVID-19 pandemic has demonstrated the human capacity to be able to weather major, unforeseen disruption. Those that have been able to absorb and adapt to the challenges of the COVID-19 pandemic successfully are, by definition, resilient. And this has been the key theme of the last three days of the seminar – how can we build cyber resilience in our respective countries and by so doing help also to support the resilience of the global financial system. And this is particularly salient today, as during the past decade, the global financial system has become more digitalized, dependent on technology and interconnected -the pandemic giving a further spur.

Given the unconventional nature of cyber risk, we need to be agile in our approach. We need to move away from focusing purely on prevention and move to delivering cyber resilience. Traditionally there are three goals to cybersecurity: confidentiality, integrity and availability. Beyond this triangle of security, we believe it is important to add another property: resilience. Recent cyber incidents have demonstrated the perpetrators’ ability to penetrate the networks of large organizations and incapacitate them quickly. Resilience is what allows an organization to endure security threats and cyberattacks instead of critically failing. A key to resilience is accepting the inevitability of threats and even limited failures in your defenses. It is about remaining operational with the understanding that attacks and incidents happen on a continuous basis, and it is not an issue of ‘if’ but ‘when.’ Here there is a parallel to the human body. Your body still figures out a way to continue functioning even if your external layer of defense – your skin – is penetrated by a cut or attacked by disease. Just as in the body, in the event of a cyber incident, the objective should be to find ways to withstand disruption, continue functioning and ultimately restore normal operations.

The discussions in the last three days have allowed us to collectively reflect on the key elements that we must focus on, to allow us to build our resilience against this unconventional threat. Allow me to focus on three key themes. We started with an overview of the threat landscape, recognizing that the threat is borderless and the capabilities of cyber attackers are constantly evolving, readily scalable and increasingly sophisticated. Without understanding the threat and its evolution, we cannot build our capabilities to protect, detect and respond accordingly. Much like COVID-19, without understanding the nature and specifics of the virus and its threat, we cannot build a vaccine that will protect us.

We focused on the essential role of governance and risk management to an organization’s implementation of a systematic and proactive approach to managing the prevailing and emerging cyber threats that it faces. Supervisors must ensure that organizations have strong leadership, the right culture at the top level which permeates throughout the organization, ongoing oversight and adequate resources and expertise to deal with these risks. Just like COVID-19 has shown, managing a crisis requires strong leadership and adequate expertise and resources - cyber is no different.

We discussed how information sharing within a trusted community allows members of that community to leverage their collective knowledge, experience and capabilities to address the threats they may face. It enables them to make informed decisions about their defensive capabilities, threat detection techniques and mitigation strategies. By sharing information, organizations act in the public interest to support the safe and sound operation of the entire financial system. As COVID-19 has shown, we can only overcome adversity by working together, sharing knowledge, and pooling our resources. This information sharing, collaboration and coordination must be cross-border and international, whether as a response to the COVID-19 pandemic or for building cyber resilience.

In closing, let me thank the organizers and panelists, and all of you, for attending from all over the world. I hope that next year the IMF will convene this important annual event in person, and we will look back at this year as the moment when each of us strengthened our individual and collective resilience and were able to withstand all the adversities. Thank you and stay safe.