Roux: Cyber attack may only be a matter of time

It may only be a matter of time before a cyber attack creates a systemic problem that cascades across the broader financial industry, the Central Bank’s deputy governor has warned.

Cyril Roux issued the warning in an address to the Society of Actuaries in Ireland where he said a cyber security risk essentially creates a risk across the entire financial system.

Echoing concerns from financial expert Greg Medcraft, Mr Roux said it was positive that such issues were being openly discussed ahead of any such potential attack.

“The complex interconnectedness of financial institutions and markets means that the financial system is only as strong as the weakest link in the chain.

“This is why the risk of cybersecurity risks in one firm could potentially give rise to systemic failure,” he said.

“So far we have not had a cyber event that led to systemic problems but it may only be a matter of time. A seemingly manageable security incident at a single firm could cascade quickly to the broader financial sector.

“Consider, for example, a simultaneous, co-ordinated attack on several Global Systemically Important Banks or critical financial infrastructure providers such as a stock exchange or a central counterparty clearing house.

“This could have a yet unknown domino effect on these firms’ counterparties which could have the potential to lead to a systemic shock in the financial system.”

Mr Roux asked financial firms to prepare for successful attacks through building distributed architecture and multiple lines of defence which could mitigate the impact on customers.

The responsibility for tackling the problem should be company-wide and not just a function of IT, he said.

Mr Roux outlined moves the Central Bank has made to sharpen its focus on cybersecurity, such as establishing a banking IT risk inspection team and carrying out a review of the management of operational risk in investment firms and the fund services industry.

“Some organised cybercrime groups operate with multiple divisions and specialists in key areas such as management, distribution, hacking, coding, server administration, and money laundering,” he said.

“Such cybercrime groups can conduct cyber-attacks of great scale and sophistication, such as advanced persistent threats, which are targeted attacks on specific firms, designed to evade detection and to last for months or even years.

“Typically it is only when significant damage has already been done that the firm will realise anything is wrong.”

Cybercrime includes a range of criminal activities including data theft, hacking, and disruption of IT services as well as bank fraud.
