The impact of cybersecurity risks on the efficiency of digital currency: global experience

Over the past decades, a clear trend towards the introduction of digital technologies into the economy has emerged throughout the world. Digitalization is happening in almost all areas: education, healthcare, public administration, finance and banking, business, industry, etc. For Kazakhstan, this is a relatively new trend, since the course towards digitalization and the “Digital Kazakhstan” program began to be implemented only in 2018. However, over 4 years, Kazakhstan has achieved results in the field of digitalization: today the country is among the top 30 most digitized states of the UN. Kazakhstan is one of the few countries that have fully implemented digital documents. Thus, the population has the opportunity to receive more than 90% of all government services in electronic format.

A natural consequence of digital modernization in the field of finance and the banking sector was the process of creation of a central bank digital currency (CBDC) by the National Bank (NB RK), which began in 2021. Digital tenge (DT) is the third type of fiat money, which is an obligation of NB RK. It has all the same properties of a form of payment as cash and non-cash funds. A pilot project for the use of central heating is planned to be launched at the end of 2023, and its functionality will be fully implemented in 2025.

Simultaneously with the increase in the number of successfully implemented projects in the field of digitalization in Kazakhstan, the risks associated with cyber crimes increase. Cyber crimes are criminal acts committed using computer networks, digital technologies or the Internet. They include a wide range of crimes that can target computer systems, data or people using electronic devices.

Considering that the process of digitalization in Kazakhstan itself started only in 2018, statistics on cyber crimes also began to be kept only from this year, and during this period only 517 cases were identified. However, over time, this figure increased more and more, and in 2022, the Committee on Legal Statistics and Special Accounting of the Prosecutor General’s Office of the Republic of Kazakhstan already registered 20.4 thousand cyber crimes. In the first quarter of 2023, more than 4 thousand cyber crimes were recorded , which is 12% higher than the same quarter in 2022. At the moment, according to the International conference Kaspersky Cyber Security Weekend, Kazakhstan ranks 7th in the world in terms of the number of cybercrimes.

In light of these statistics, questions naturally arise: do cyber risks threaten the functioning of DT in the Kazakh economy? What cyber risks may NB RK face after the introduction of DT?

NB RK published a study in which it provided an assessment of the potential cyber risks that may threaten the central heating system. This study notes that the implementation of the project ensures at least a basic level of security. It minimizes the occurrence of information security incidents or damage to confidentiality and any data. It is noted that further research and/or some resources will be required to reduce the likelihood of cyber risks. Thus, a pressing topic for Kazakhstan is the impact of cyber risks on global economies. To what extent have cybersecurity risks been studied in other countries?

Cybersecurity is defined as the set of tools, policies, security concepts and measures, risk management approaches, actions, safeguards and technologies that the central bank uses to protect the cyber environment. This broad concept allows each country to independently determine measures to combat cyber crime and pursue its own policy aimed at ensuring cybersecurity.

Based on data from global cyber attacks that occurred between May 2016 and May 2022, Shu Tian, Bo Zhao , Resi Ong Olivares in their study (2023) tried to assess the cyber risks that central banks face when implementing CBDC.

Cybersecurity risk is an important factor determining the central bank's decision to implement CBDC. Depending on the impact of cyber risks of CBDC on the central bank, the authors identify two types of cyber risks - cyber risks of the private sector and systematic risks of the financial system.

The first type of cyber risk is a set of situations in which, via fraudulent activities, cyber attacks occur on private wallets of crypto assets, as a result of which consumers suffer losses. While such cyber risks pose challenges to consumer protection, private sector cyber risks do not pose a threat to the nation's financial system. Their occurrence has a positive effect on the attitude of the central bank towards CBDC. CBDC is an incentive for the central bank to create a more reliable electronic currency, which will result in a reduction in the number of financial losses of the population, leakage of personal data and the problem of asset security.

The second type of cyber risk is the results of cyber attacks, the infliction of which poses a threat to the entire national financial system as a whole. CBDC is a form of fiat money, which means that any failure in the currency system could affect the financial stability or efficiency of the wholesale and retail payment infrastructure, causing financial shocks, including liquidity shortages or commercial bank defaults. Central banks are committed to create CBDC to increase public protection and reduce cybersecurity risks. However, there is no evidence that CBDC is resilient to cyber attacks, especially those inflicted for reasons other than monetary purposes. Such global cyber attacks are called “cyber wars”. They are created with the aim of causing damage to government and civilian infrastructure and disrupting the country’s critical systems.

Thus, in order to maintain the stability of the country’s national financial system, NB RK must stay ahead of events and prevent potential risks by addressing cybersecurity issues and strengthening international cooperation in the field of regulation. An effective solution is the exchange of knowledge and experience between NB RK and the central banks of other countries to strengthen protection and establish international standards for preventing cybersecurity risks.

Mahardika, Permana, Maulisaa in an article (2023) studied the prospects for cybersecurity after the introduction of the digital rupiah in the Indonesian economy. According to the authors, the ultimate goal of the central bank of implementing CBDC is to ensure the stability of the financial market by identifying and reducing (since they cannot be completely eliminated) any risks. With the close relationship between finance and technology in a digital society, a cyber attack on any financial institution can quickly spread throughout the entire financial system and cause widespread disruption and loss of trust. The implementation of a digital financial system creates potential cybersecurity issues that are different from those in the current digital financial system. The authors identify the following risks associated with cybersecurity:

1) The likelihood of a large centralization of financial data: the implementation of CBDC may lead to the creation of a centralized registry that collects and stores information on financial transactions, under the control of the central bank;

2) Reduced availability of data for regulators: when implementing a digital banking system, blockchain technology is implemented, which may make it more difficult for regulators to access data on financial transactions than in the case of traditional financial systems;

3) Dependence of security on the integrity of third-party validators, which check and confirm the correctness of transactions and the state of the network;

4) Complications in storing client keys;

5) Dependence of security on the reliability of manufacturers of digital digital banking equipment (servers, blockchain nodes, cryptographic modules, hardware wallets and other components);

6) Complicated transaction revocation;

7) Possibility of increasing the volume and scale of errors due to programmable transactions.

The authors of the work developed two models that are recommended to use by central banks to reduce cybersecurity risk. Under the first model, the central bank can delegate its powers to protect the cyber environment to a third-party organization that will manage the system on behalf of the central bank. The second model is hybrid access through third parties using a licensing mechanism. When implementing this model, the central bank will provide licenses to CBDC operators with the provisions applied in technical regulations, such as ensuring the security of electronic systems, ensuring the reliability of the payment system used, including points for legal entities for CBDC operators. Hybrid distribution models allow third parties or intermediaries (such as banks or a payment system operator) to offer products and perform operational functions, while the central bank retains the issuance and distribution functions. Considering the status and legal basis of activity, according to our assumptions, NB RK is more inclined to use a hybrid model.

One of the first countries which implemented CBDC was the Bahamas. A February 2023 working paper from the International Monetary Fund (IMF) provides an analysis of Latin America and the Caribbean's implementation experience with CBDC. The digital currency of the Bahamas, called the sand dollar, was officially released in October 2020 and became the world's first government-backed digital currency. The main prerequisites for the creation of CBDC in this country were the desire to expand access to financial services for the population of remote islands, increasing the stability of the payment system to external influences and the high cost of cash payments for government institutions by citizens who do not have bank accounts. However, as of the end of January 2022, the sand dollar represented less than 0.1% of the currency in circulation and the broad money supply. However, the experience of implementing CBDC to the economy of the Bahamas is very useful for Kazakhstan, since the Bahamas is one of the few countries where CBDC is already fully operational.

The Bahamas Central Bank conducted a separate assessment of the sand dollar's cyber risks, noting that the Bahamas Central Bank is exposed to operational and reputational risks that arise from cyber attacks and various failures. To ensure the cybersecurity of the sand dollar, the central bank established a separate division tasked with monitoring cyber risks. The central bank is modernizing its information and monitoring systems. It is the responsibility of all authorized financial institutions to undergo a thorough cybersecurity assessment by an independent global firm before being approved to integrate the sand dollar platform with their user applications.

The authors also presented an assessment of the cyber risks of the Central Bank of the Organization of Eastern Caribbean States, which was the first to introduce a digital currency for the monetary union called DCash (DXCD). At the moment, DXCD is at the pilot project stage, but the Organization has already assessed some of the cyber risks of its implementation and taken appropriate measures to mitigate them. To minimize cybersecurity risks, the pilot project is limited to the scope of system integration. The DXCD system is not planned to be linked to the central bank's core payment systems, such as the real-time gross settlement (RTGS), bank operating systems, or automated clearing house (ACH) systems, where money moves between banks without the use of paper checks, money orders, or credit card networks. or cash. This approach, based on the high degree of uncertainty of cyber risks, is endorsed by the IMF. However, it is emphasized that after the pilot version, it will be necessary to conduct additional tests to assess risks and vulnerabilities after connecting the CBDC system to other payment and operational systems of the central bank and financial institutions.

Thus, we can conclude that the implementation of the centralized digital banking system is a completely new project for economies around the world. Only coordinated work of all divisions of the central bank will be able to introduce this system with maximum efficiency. Nowadays, when assessing cyber risks, NB RK should adhere to general rules. These include the exchange of experience between the central banks, the development of an additional organization for assessing, analyzing and preventing cybersecurity risks, and thorough testing of CBDC at the pilot project stage.