Regulation of Cyber Risk in the Banking Sector: A Canadian Case Study

Peihani, Maziar

doi:10.2139/ssrn.3880115

Download This Paper

Open PDF in Browser

Add Paper to My Library

Regulation of Cyber Risk in the Banking Sector: A Canadian Case Study

Maziar Peihani, Regulation of Cyber Risk in the Banking System: A Canadian Case Study, Journal of Financial Regulation, 2022,1–23, https://doi.org/10.1093/jfr/fjac006

23 Pages Posted: 17 Mar 2023 Last revised: 20 Jun 2022

See all articles by Maziar Peihani

Maziar Peihani

University of British Columbia (UBC), Faculty of Law

Date Written: July 4, 2021

Abstract

Cyber risk is one of the greatest threats facing any modern financial system; a result of increasing dependence on technology and the appeal of troves of personal data to well-equipped hackers. This article examines the governance of cyber risk in the Canadian banking system in the context of the Covid- 19 crisis, which has led to a surge in cyber-attacks. It argues that the existing Canadian regime, which draws heavily on the Basel operational risk framework, is unfit to handle the unique challenges posed by cyber risk. Cyber incidents are unlike traditional operational disruptions in both their dynamism and impact and are not adequately captured by backward-looking proxies, such as historical losses. There is also a mismatch between the traditional risk-based supervision, which relies on annual risk rating of banks, and the quickly changing cyber profile of regulated entities. Furthermore, the bilateral and institution-specific nature of such supervision leaves out the crucial systemic perspective on cyber risk. This article calls for the current quantitative paradigm, which underlies capital adequacy regulation, to be complemented with a resilience-centric approach aimed at better accommodating and learning from unpredictable cyber incidents. This shift requires revisiting traditional supervisory practices, such as extensive reliance on centralized decision-making and planning—which may prove ineffective in the face of a firm-wide cyber incident—and a dynamic approach that keeps regulation in line with emergent knowledge. The article outlines a number of strategies which can help banks and regulators navigate and adapt to the ever-changing cyber landscape.

Keywords: cyber attacks, cyber security, COVID-19, financial institutions, operational risk

Suggested Citation: Suggested Citation

Peihani, Maziar, Regulation of Cyber Risk in the Banking Sector: A Canadian Case Study (July 4, 2021). Maziar Peihani, Regulation of Cyber Risk in the Banking System: A Canadian Case Study, Journal of Financial Regulation, 2022,1–23, https://doi.org/10.1093/jfr/fjac006, Available at SSRN: https://ssrn.com/abstract=3880115 or http://dx.doi.org/10.2139/ssrn.3880115