Cyber Risk and the U.S. Financial System: A Pre-Moterm Analysis

After completing this reading, you should be able to:

• Explain the direct costs of and the spillovers caused by a cyber-attack.
• Explain how cyber shocks can get amplified through financial networks.
• Discuss the policy responses that can be implemented against cyber events.

Cyber-attacks are increasingly becoming a matter of concern. Recent reports show that the financial sector is the most vulnerable compared to other sectors and may experience about 300 times more cyber-attacks annually compared to other sectors. In this chapter, we explore the risks posed by cyber-attacks to the US financial system and the world in general.

The Direct Costs Of and the Spillovers Caused By a Cyber-Attack

The occurrence of a cyber event can have both direct and indirect costs on an institution.

Direct costs

Confidentiality of data may be compromised: Client account numbers or investment banking information, for example, could be stolen and publicized. Such events could cause significant losses to the bank involved. For instance, the bank could face a flood of suits from customers whose data has been exposed, and it may be forced to pay millions of dollars in damages. Loss of confidential trading data to competitors could trigger a loss that may not even be measurable in the long-term. On top of this, loss of data could ruin the bank’s reputation and result in declining customer numbers.

Availability may be compromised: A cyber event could compromise a bank’s system and lead to outages that may extend for hours or days. In these circumstances, clients and customers would be unable to access their money and other services. The bank’s day-to-day operations and liquidity could also suffer if channels used to access emergency cash are compromised.

Integrity may be compromised: Systems that have been taken over by attackers could be rendered completely useless, particularly if the attackers manage to unravel and get through proprietary firewalls and defense mechanisms. Data that has been compromised may lose its relevance and lead to legal costs.

Indirect (Spillover) Costs

Cyber-attacks may specifically impair the bank’s ability in servicing its current creditors. A good example of this is when payments or accounts are missing.

In general terms, cyber-attacks may cause immobilization of capital and liquidity for business partners: Parties engaged in business with a bank that has been hit with a cyber-attack could be unable to access payments for services rendered or even lack a channel to send resources to the bank if systems have been compromised. 

In addition, any business that has deposited its funds at a bank that has been attacked may not be able to access their cash. This could affect normal operations at such firms. For instance, a firm that pays its employees through the bank may not be able to do so.

Important Characteristics of Cyber Events

Intent: Every cyber attacker has a goal. They could be attempting to gain financially by breaching systems and diverting money to other channels. In other cases, the attacker may only be after reputational damage.

Technology: Cyber events are technological in nature, and as such, are spread through technological linkages, such as through communication networks. It is worth noting that due to the interconnected nature of systems in the digital space, a cyber event can have more widespread costs than other traditional shocks, and impact many banks simultaneously.

Uncertainty: In some cases, a cyber event may go unnoticed for a long time, especially if the attackers intend to gain financially because they will have an incentive to prolong the attack and cart away more. In some cases, it could be hard to tell whether a bank has been attacked even after it’s proven that another bank – which happens to be a close business partner – has been attacked. In some cases, some departments within a bank may be slower than others in detecting an attack.

How Cyber Shocks can get Amplified Through Financial Networks

The modern world is heavily interconnected thanks to the internet. A bank in Chicago can share information and funds with a bank in Punjab, India in just a few clicks.

Over time, bank-to-bank networks have been created connecting multiple banks across boundaries. Unfortunately, these networks can amplify and propagate shocks. For instance, an attack could compromise the distribution of liquidity and lead to a contagion. An attack originally launched from within a communication network may quickly spread to other inter-bank networks such as lending channels. The spread may be even quicker if all the victims share the same system, such as a network management system.

If there’s uncertainty about the location of a cyber shock, its disruptive effects could be amplified significantly. For instance, if a rumor goes around that some (possibly unknown) banks or financial institutions have been compromised, customers at other banks that may not have been affected at all may rush to make preemptive withdrawals.

The presence of a core periphery structure can result in a rapid spread of an attack if the core is compromised.

Policy Responses that can be Implemented Against Cyber Events

Ex post liquidity injections

Arrangements can be made to boost the liquidity of a bank following a cyber event. This can be done via open market operations or via market-wide liquidity facilities.

Strong emphasis on ex ante resilience and contingency planning

Individual institutions should be encouraged to develop systems that are resilient with respect to cyber risk. A minimum threshold can even be set with respect to the quality of systems.

Additionally, policies could be introduced requiring banks to have adequate planning for contingencies. Every institution should set in motion plans to ensure that operations are not interrupted for too long following an attack. To achieve this, there may be a need for backup systems and backup tools.

Ex ante capital requirements

A policy could be introduced requiring institutions to set aside funds that can be used to restore operations in the event of an attack. However, such a policy may not be effective in some scenarios. If an attack renders a bank’s system unavailable, for example, it may be difficult to access capital already set aside until the system is restored.

Creating additional roles of the Federal Reserve or other agencies

Introducing additional roles of the Federal Reserve can help to mitigate the effects of an attack. For example, the Fed could introduce dedicated back-up facilities in core markets that can be used in case an event occurs and renders the usual facilities unavailable.

Ex ante disclosure requirements

Ex ante requirements where institutions are obliged to disclose to regulators even minor cyber events and share information with other institutions could increase resilience by reducing uncertainty and improving collective learning.