Safeguarding Finance in the Digital Age: Good Practices for Cyber Risk Oversight
The IMF’s 2026 paper argues that cyber risk has become a major threat to financial stability as digital finance expands, cyberattacks grow more frequent and sophisticated, and failures at key institutions or payment systems can trigger systemic disruptions. It calls for clear, principles-based regulation, strong and proportionate supervision, and regular testing and crisis exercises to build cyber resilience across the financial system.
Prepared by the International Monetary Fund’s Monetary and Capital Markets Department, with analytical inputs aligned with the work of institutions such as the Financial Stability Board, the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures, and the International Organization of Securities Commissions, the 2026 paper “Good Practices in Cyber Risk Regulation and Supervision” explains why cyber risk has become a central concern for financial authorities. The paper draws on the IMF’s Financial Sector Assessment Programs and extensive technical assistance to show that cyber incidents are no longer isolated technical failures but potential triggers of systemic financial stress. As banks, insurers, payment systems, and financial market infrastructures rely more heavily on digital technologies, cyberattacks and technology failures increasingly threaten trust, continuity of services, and overall financial stability.
A Rapidly Worsening Threat Landscape
The paper documents a sharp rise in cyber incidents over the past decade, particularly since 2020. Financial institutions are prime targets because they handle valuable data and operate critical services such as payments and settlements. Attacks have grown more frequent, costly, and sophisticated, driven by rapid digitalisation, shorter software development cycles, and rising geopolitical tensions. Artificial intelligence has made phishing and fraud more convincing, while advances in quantum computing could eventually undermine today’s encryption systems. Importantly, the IMF stresses that reported losses significantly underestimate the real damage, as many incidents go unreported and indirect costs such as reputational harm and service disruptions are often much larger than direct financial losses.
Building Better Rules for Cyber Resilience
Based on global experience, the paper argues that effective cyber regulation should be clear, coherent, and flexible. Regulators are encouraged to move away from fragmented rules that separate information technology risk from cyber risk and instead adopt unified technology-risk frameworks. These frameworks should focus on outcomes rather than prescribing specific technologies, allowing institutions to adapt as threats and tools evolve. The paper favours principles-based regulation, especially in more mature financial systems, while recognising that more detailed rules may be needed where risk-management practices are still developing. Key regulatory expectations include strong board oversight, clear risk ownership, secure system development, effective incident response and recovery planning, regular testing, and careful management of third-party service providers.
Why Supervision Matters as Much as Regulation
The IMF makes clear that regulation alone is not enough. Strong supervision is essential to ensure that rules translate into real improvements in cybersecurity. Supervisors need to maintain an active presence through continuous off-site monitoring, regular onsite examinations, and thematic reviews that focus on common weaknesses across institutions. Proportionality is a central principle: larger and systemically important institutions should face more intensive supervision, while smaller firms may be subject to simpler requirements. At the same time, supervisors must recognise that the financial system is interconnected, meaning weaknesses in smaller institutions or service providers can still pose broader risks. Building supervisory expertise, investing in training, and retaining skilled staff are identified as major challenges, particularly in emerging and developing economies.
Preparing for Crises and System-Wide Shocks
Beyond individual institutions, the paper highlights the importance of system-wide preparedness. Cyber simulation exercises, often called cyber war games, are presented as powerful tools to test decision-making, coordination, and recovery under stress. When repeated over time and followed by clear remediation plans, these exercises help strengthen resilience across the financial sector. Supervisors are also encouraged to map digital interconnections, identify concentration risks in third-party providers, and incorporate severe but plausible cyber scenarios into financial stability analysis. Financial market infrastructures receive special attention because disruptions to payment or settlement systems can have immediate and widespread economic consequences.
In conclusion, the IMF argues that cyber risk will continue to grow as finance becomes more digital and interconnected. Managing this risk requires sustained commitment, adequate resources, and close cooperation between regulators, supervisors, and the industry. Cybersecurity, the paper concludes, should be treated as a shared public good, essential to maintaining trust, stability, and confidence in the modern financial system.
First published in: Devdiscourse

