Cyberattacks: The Burgeoning Threat to Canada’s Economy

It feels like cyberattacks are happening everywhere. Recent incidents in British Columbia External link. have generated media coverage and come on the heels of a high-profile data breach at the Toronto Public Library system External link. last year and an attack on four Quebec educational institutions External link. earlier this month. What’s more, last year’s Financial System Review External link. and this week’s Office of the Superintendent of Financial Institutions (OSFI) 2024–25 Risk Outlook External link. highlighted a growing risk from cybersecurity events. OSFI also recently reported a near-tripling of incidents External link. in 2023 versus the prior year. What could cyberattacks mean for Canada’s economy, and what can governments and businesses do to safeguard against them?

The possible economic impacts of cyberattacks are myriad. At the most basic level, they can cause stoppages in company operations and economic activity for some time depending on the type and duration of the incident. The risks from this are acute for financial institutions given the role they play in supplying credit to the broader economy. Attacks may erode confidence in the financial system and lead to further adverse consequences.

So far, cyber incidents have not had systemic impacts, but that risk is rising alongside the frequency of attacks and the damages they’re causing. The International Monetary Fund (IMF) estimated in April that the number of worldwide cyberattacks has doubled since before the COVID-19 pandemic External link.. About 20% of global damages incurred in the past two decades occurred just in the years since 2020. Going forward, heightened geopolitical tensions, global financial system interconnectedness and deepening links to the real economy make for an increasingly risky outlook. So do expectations for further rapid adoption of new technologies, including artificial intelligence (AI). Moreover, last month the World Economic Forum (WEF) identified a significant global cybersecurity skills shortage External link..

Canada is no stranger to these trends, as emphasized by both the Bank of Canada and OSFI. The Canadian Centre for Cyber Security maintains a page External link. on the growing risks presented by generative AI adoption. The outsized role played by small and medium-sized enterprises (SMEs) in Canada’s economy External link. also raises questions going forward. The recent IMF report found that SMEs tend to incur the most significant losses from cyber incidents, while the WEF highlighted the risk of these firms being left behind as implementation of new technologies accelerates.

So what can be done? No group of private firms, especially those dominated by smaller players, can head off system-wide risks, so robust public sector regulation and supervisory capacity are necessary. This could include strong data collection, incentives for firms to adopt prudent cybersecurity risk management practices and penalties for bad actors. Flexibility is also essential given the speed at which technologies and threats will evolve. And education and skills training could help reduce labour shortages over time. But companies must also take action, from mapping out their cyber security supply chains and potential areas of vulnerability, to creating contingency plans for system-wide disruptions.

Ultimately, investment in deterrence is less expensive than responding to attacks after the fact. The IMF calculates direct global losses from cyber incidents since 2020 at just $28 billion (in real terms). But when accounting for indirect factors like reputational damage and foregone future business, estimates of damages range from 1% to 10% of global GDP!

Cyberattacks represent a real and growing risk for Canada and the wider world. They’re also becoming more serious at a time when our highly indebted economy and housing market are still adjusting to the effects of sharply higher interest rates. To prevent negative outcomes, governments and the private sector must prepare now and work together.