Cyber threats are growing in scale, sophistication and geopolitical impact, exposing critical weaknesses in the global financial system. Three interlinked risks stand out: supply chain and third‑party vulnerabilities, rising systemic exposure in developing regions experiencing rapid digitalisation, and timing effects that intensify shocks during market stress. Cybersecurity is no longer merely a technical concern. At the same time, many jurisdictions are actively advancing measures to improve cyber resilience and mitigate emerging cyber risks.
Supply chain risk is increasingly the dominant transmission channel, and small and medium-sized enterprises (SMEs) are the weakest link
Attackers are shifting towards indirect access routes by exploiting smaller suppliers, vendors and service providers with lower cyber maturity. In G7 economies, cyber incidents affecting SMEs increased more than fourteenfold between 2021Q1 and 2025Q1, and in recent years SMEs have recorded more incidents than banks. However, even well‑defended financial institutions remain exposed through information and communications technology (ICT) suppliers and other third parties embedded in core business processes.
Emerging markets face elevated systemic risk due to rapid digitalisation combined with uneven cyber maturity
Emerging markets that are digitising quickly can experience a structural rise in exposure when governance, skills and regulatory enforcement do not keep pace with technology adoption. Asian emerging markets stands out because of (i) very high SME prevalence (over 99% of firms), (ii) fast growth in digital finance and cross‑border connectivity, and (iii) an emerging role in certain cyber‑enabled financial crime ecosystems. These conditions increase the likelihood that intrusions propagate across borders, vendors, platforms and value chains, turning localised incidents into regional disruptions that undermine market trust. These vulnerabilities do not arise only from newer digital tools: legacy systems, weak interfaces between older and newer platforms, and outdated governance arrangements can also create material cyber and operational risks.
Cyber shocks could amplify financial stress and reprice credit risk
Market‑based evidence in the paper indicates that credit risk premia could increase more than fivefold during market stress and peak when systemic stress coincides with bank‑focussed cyber activity. This non‑linearity implies that cyber incidents are especially destabilising when they occur in fragile market states, when liquidity is tight, risk aversion is elevated, and confidence is more easily impaired, thereby reinforcing adverse feedback loops between operational disruption and financial conditions. The growing concern of cyber threats arising from advances in AI is also evident.
Taken together, these patterns show that cyber risk can become systemic under certain circumstances: it can spread through common third‑party dependencies, concentrated critical services, and tightly connected financial and operational networks; it can interact with market stress and confidence effects; and, in severe cases, it can spill over between the financial sector and the real economy.
To limit the spread of cyber attacks safeguard confidence and reinforce financial stability, the paper emphasises a set of possible measures for financial firms and financial sector supervisors:
Raise baseline cyber hygiene at scale, prioritising common “security holes” (patching, configuration hardening, access controls, monitoring, and tested backup/recovery), with a strong focus on high‑risk nodes such as SMEs and critical vendors.
Strengthen third‑party and supply‑chain risk management in the financial sector for critical third-party services, including due diligence, contractual security requirements, continuous monitoring, and resilience and exit planning.
Enhance cross‑border co‑ordination and trusted information‑sharing, recognising that cyber incidents propagate across jurisdictions and that effective response depends on timely, actionable and credible information exchange between authorities and market participants.
Enhance SME‑focussed support, with particular attention to developing countries, by lowering compliance costs, addressing skills gaps and scaling practical support mechanisms, while promoting risk‑based approaches, simplified regulatory frameworks and the use of standards and market‑based incentives, underpinned by principles of shared responsibility and mutual trust, to strengthen cybersecurity and resilience.
Invest in ex‑ante assessment tools, while including stress testing, scenario analysis and evaluation mechanisms, and, where appropriate, consider a secure regional data centre to support data collection, oversight and preparedness.
In an era where cyber and geopolitical risks increasingly interact through supply chains and shared digital infrastructure, strengthening baseline security, third‑party oversight, regional co‑operation, and forward‑looking assessment capabilities are essential to reduce systemic fragility, maintain market confidence and protect financial stability.