The Bank of Canada has little regulatory power. It makes up for that by publishing a bi-annual report card on the state of the financial system, the institution’s way of making sure regulators and the general public know where trouble lurks. So even though Governor Stephen Poloz can’t order many changes, he still has a chance to influence behaviour. When the central bank speaks, people tend to at least listen.
For a while now, the main story to come out of the central bank’s Financial System Review (FSR) has been the concern over the combination of record levels of household debt and extreme house prices in Toronto and Vancouver. That remained the case on November 28, when the Bank of Canada released its latest FSR.
“The most important vulnerabilities for the financial system remain the high level of household indebtedness and imbalances in housing markets,” Poloz said in a statement at the start of a press conference this week. “These vulnerabilities continue to be elevated and it will take a long time for them to return to more sustainable levels.”
But there is something else that is starting to worry the central bank. In June’s FSR, and then again in November’s, the Bank of Canada went out of its way to express concern over the financial system’s ability to recover from a significant cyber attack, which the central bank now sees as a bigger vulnerability than issues such as elevated levels of corporate debt and the rise in riskier investing.
“There has been a worldwide increase in the frequency, severity and sophistication of cyber attacks,” Poloz said. “Because our financial system is so interconnected, a successful attack on one institution can potentially lead to widespread disruptions.”
Central banks have first-hand knowledge of the cyber threat. The Financial Post reported earlier this year that the Bank of Canada had been inundated with millions of phishing emails since 2012. Most of the attempted hacks were blocked by the central bank’s firewall, and those that got through were shut down before causing any damage, the Post said, citing incident reports obtained through Canada’s freedom-of-information laws. The Bank of Bangladesh was less lucky, as hackers stole US$81 million from the central bank’s reserves in 2016.
“In many ways it’s more worrisome than all the other stuff,” Poloz said of the threat posed by hackers, in an interview with the Canadian Press in October. “You think, ‘My God, how do I get my arms around that whole risk and what are the consequences?’”
Poloz appears to have conceded the onslaught can’t be stopped, and is therefore focusing the central bank’s efforts on ensuring that recovery from a successful attack would be swift. Ideally, if a bank or some other node is breached, the rest of the system rallies to keep money flowing.
While the Bank of Canada has no authority over individual financial institutions, it is responsible for the entities that facilitate financial transactions, such as Payments Canada’s Large Value Transfer System, the electronic wiring system for large payments. The latest FSR revealed that the Bank of Canada has ordered Payments Canada and others to practise how they would respond to a range of cyber attacks, and how they would recover from them. The FSR also said that the Bank of Canada is leading an effort to ensure the main participants in the wholesale payments system are ready to work together in the event of a breach. Among the scenarios being tested is one in which a large institution loses its connection to the payments system and payments-related data is corrupted.
“A collaborative approach to recovery is being examined for these scenarios, including where the corruption of critical data has resulted in a prolonged operational outage at a significant payments system participant,” the FSR stated. “This could involve major Canadian banks establishing standby relationships with each other for the execution of wholesale payments activity during an operational crisis.”
The response of some to this news will be that it’s about time.
The ransomware used to shut down tens of thousands of computers in dozens of countries in May was stolen from the US National Security Agency, suggesting no one is safe. To its credit, the Bank of Canada has been thinking about this issue for at least a few years. The December 2014 edition of the FSR included a short paper on cyber security. That report said federal government was engaged, and that the financial system had been identified as “critical infrastructure” that must be protected from hackers.
But it is one thing to identify a vulnerability, and another to execute a response. The federal government released Canada’s Cyber Security Strategy in October 2010. Public Safety Canada is the lead agency, and seven others were involved in the strategy, but not the Finance Department, the Bank of Canada or the federal banking regulator. A review of the cyber strategy released in September concluded that most of the goals of the program have been met. Still, there are problems, including coordinating private companies and others outside Ottawa.
“According to the interviewees, progress to secure systems of importance to Canada (i.e., vital infrastructure) has been limited,” the review reported. “The Strategy’s overall investment in securing systems of importance to Canada was described as inadequate, and there has been limited progress made in establishing reciprocal norms for sharing information and forging partnerships with the private sector, as well as with provinces and territories.”
That limited progress may explain some of the Bank of Canada’s concern about cyber attacks — and why it is playing a bigger role in readying the defence. That’s good. Canada’s central bank may have little direct regulatory authority, but it will be where the public turns when something goes wrong in the financial system. That happened repeatedly during the financial crisis. Given that, Poloz and the central bank’s other leaders might as well take matters into their own hands.