Cybersecurity and Deterrence

Cyber Risks to Financial Stability

By Jason Healey, Patricia Mosser, Katheryn Rosen, Alexander Wortman
Friday, December 28, 2018, 10:00 AM

The financial sector has long been at the forefront of cybersecurity protection, information sharing, and collaboration. Even so, cyberattacks on banks and other institutions of the global financial system have become more frequent and more sophisticated, sharpening the industry's focus on managing cyber risk.

Parallel to these efforts, the financial sector, regulators, and national governments have been working to improve the overall resilience and stability of the financial system in hope of preventing a repeat of panics such as the financial crisis a decade ago.

Only recently have these two tracks started to converge and to explore at a deeper level how cyber risks might induce a financial shock. As we summarize in a recent Brookings report, a Lawfare Podcast episode and an Atlantic Council webcast, momentum is growing around the world to bring the cybersecurity and financial stability communities closer together.

Financial Stability 101

The financial system performs an array of functions such as facilitating payment and settlement, allocating credit, transferring risk, and providing liquidity. Significant impairment of any of these core functions can cause financial instability. While there is no single comprehensive definition of “financial stability,” in general, it refers to the ability of the financial system “to facilitate and enhance economic processes, manage risks, and absorb shocks,” even in the face of significant losses, high volatility, and failures of financial institutions.

For financial stability experts in the world's central banks, governments, and universities, it is well understood that if the system is in a fragile state, then small behavioral or policy changes can have disproportionately large impacts on stability. In particular, these authorities focus on three categories of vulnerability: leverage, maturity transformation and procyclicality.

Leverage. Market participants, financial instruments and financial institutions with the highest leverage, that is, the highest levels of indebtedness, tend to generate the most contagion regardless of the nature of the shock. They are sensitive to even moderate declines in asset values, which impair their ability to absorb losses.

Maturity transformation. Market participants fund longer-term, risky, illiquid assets (such as the now-infamous subprime mortgages) with shorter-term, safer and more liquid funding (such as deposits or other cash-like claims) that can be withdrawn on short notice. The greater the amount of maturity transformation, the greater the risk that a shock to the price of the risky, illiquid assets leads to a withdrawal of funding and causes contagion.

Procyclicality. Asset price changes can be amplified into a self-reinforcing cycle. In the simplest example, a large decline in the price of long-term assets reduces the value of the collateral pledged by leveraged investors, magnifying their losses and prompting lenders to withdraw liquid funding. The withdrawal forces asset sales, which push prices down further, generate additional losses and constrain available funding still more.

These vulnerabilities leave financial systems fragile and subject to periodic crises and runs. The timing and specific triggers of crises are hard to predict. As a result, analysis of systemic stability typically focuses less on the sources of the possible shock than on the vulnerabilities and propagation mechanisms that make the system unstable in the first place.

Traditional financial and macro-policy shocks, though capable of causing widespread harm, tend to arise out of self-preservation rather than malice. A trader trying to corner the market is not seeking to destroy or disrupt the entire system. Likewise, policymakers can misjudge the impact of their policies, but none act with the purpose of creating financial turmoil. Cyber shocks are different: they may be targeted and timed to disable, destroy, corrupt, or compromise market functioning, deliberately initiating financial instability.

How Might Cyber Risks Become Financial Stability Events?

A crucial difference between cyber and financial risk is that experts in financial stability are largely unconcerned about the source of a shock. The financial system is hit by many types of shock on a regular basis, for example unexpected changes in economic policy or regulation, or even the failure of a financial company. The impact of a shock depends critically on how fragile the financial system is when it occurs: if leverage and maturity transformation are high, a particular shock could have very large financial and economic impacts, while the same shock would have small impacts if it arrived when leverage and maturity transformation were low. In cyber, the source is crucial, because attacks are planned and conducted by sentient adversaries. Though sophisticated attacks require long-term preparation, they can be executed against targets (such as single points of failure) and at times (such as "quadruple witching days") chosen for maximum disruption. In addition, cyberspace, like finance, is complex and highly interconnected, so disruptions in one area can cascade easily and in unexpected ways. But compared to finance, the complexity of cyberspace has not been well modeled or studied.

We believe adversaries might cause three different types of financial disruption: slow-burn, exacerbated, or initiated. Slow-burn crises, perhaps like Iran's denial-of-service attacks on banks or North Korea's ongoing heists and disruptions, would be death by a thousand cuts: no single incident would trigger a financial crisis, but together they might have a long-term impact. Exacerbated crises could happen when the financial system is teetering on the edge of a crisis, or is in the midst of one, and an adversary intentionally gives the system a push with a cyber attack. Initiated crises arise if an adversary uses cyber capabilities to create a financial crisis that would not otherwise have occurred.

The Office of Financial Research (OFR) of the U.S. Department of the Treasury identifies three “channels” by which these risks could be transmitted, potentially leading to systemic crises:

Lack of substitutability. The financial system depends on a few key hubs, typically certain firms or utilities (e.g., clearing houses), to perform critical functions; if a hub is disabled there is no ready replacement for it.

Loss of confidence. A wide range of attacks, such as ATM hacks, takedowns of one or more particularly trusted institutions, hacker-induced flash crashes, or releases of compromising emails from bankers or regulators, could instigate a broader loss of confidence and create a "run on the banks."

Loss of data integrity. Cyber intrusions that directly modify, or cast doubt on the quality of, say, market prices or the amount of money in consumer accounts could cause systemic disruption until uncorrupted backups can be found and restored.

We add a fourth channel to the OFR list: lack of IT substitutability, that is, single points of failure in the technological systems supporting the financial system. For example, a large (and growing) share of the world's computing and storage is concentrated in just a few cloud service providers, and every firm depends on the same basic Internet protocols, such as DNS. A disruption to any of these would be likely to cascade quickly.
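The data-integrity channel above leaves a practical question open: once balances or prices have been silently altered, how does an operator decide which backup is the uncorrupted one to restore from? One standard control is to seal every ledger snapshot at backup time with a keyed hash that is chained to the previous snapshot's seal, with the key and the seals kept outside the systems that write the ledger. The following is an added illustration, not code from the report or from the OFR; the account identifiers, balances, the key and the tampering scenarios are all constructed for the example.

```python
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Dict, List

Snapshot = Dict[str, int]  # account id -> balance in cents

GENESIS = b"\x00" * 32  # fixed "previous tag" for the first snapshot in a chain


def canonical(snapshot: Snapshot) -> bytes:
    """Deterministic encoding: key order and whitespace are fixed so equal states hash equal."""
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, snapshot: Snapshot, prev_tag: bytes) -> bytes:
    """Keyed tag over (previous tag || snapshot). Chaining makes dropping, reordering or
    rewriting any earlier snapshot detectable, not just the one currently being checked."""
    return hmac.new(key, prev_tag + canonical(snapshot), hashlib.sha256).digest()


def seal_all(key: bytes, snapshots: List[Snapshot]) -> List[bytes]:
    """Tags produced at backup time; in practice stored on a separate, append-only system."""
    tags, prev = [], GENESIS
    for snap in snapshots:
        prev = seal(key, snap, prev)
        tags.append(prev)
    return tags


def last_intact_index(key: bytes, snapshots: List[Snapshot], tags: List[bytes]) -> int:
    """Walk the chain from genesis and return the index of the newest snapshot that still
    verifies; -1 if even the first is bad. Everything after the first break is suspect."""
    prev, last = GENESIS, -1
    for i, (snap, tag) in enumerate(zip(snapshots, tags)):
        if not hmac.compare_digest(seal(key, snap, prev), tag):
            break
        last, prev = i, tag
    return last


# Constructed sample: five end-of-day ledger snapshots for three accounts (balances in cents).
KEY = b"example-key-held-in-a-separate-hsm"  # constructed; a real key never lives on the ledger host
SNAPSHOTS: List[Snapshot] = [
    {"ACC-001": 100_00, "ACC-002": 250_00, "ACC-003": 75_00},
    {"ACC-001": 120_00, "ACC-002": 230_00, "ACC-003": 75_00},
    {"ACC-001": 90_00, "ACC-002": 260_00, "ACC-003": 80_00},
    {"ACC-001": 95_00, "ACC-002": 255_00, "ACC-003": 80_00},
    {"ACC-001": 110_00, "ACC-002": 240_00, "ACC-003": 80_00},
]
TAGS = seal_all(KEY, SNAPSHOTS)


def tampered(day: int, account: str, delta: int) -> List[Snapshot]:
    """Simulate an intrusion that edits one stored backup without being able to re-seal it."""
    copy = deepcopy(SNAPSHOTS)
    copy[day][account] += delta
    return copy


def reordered(i: int, j: int) -> List[Snapshot]:
    """Simulate an intruder swapping two backup files in place."""
    copy = deepcopy(SNAPSHOTS)
    copy[i], copy[j] = copy[j], copy[i]
    return copy


if __name__ == "__main__":
    print("clean chain, last intact day:", last_intact_index(KEY, SNAPSHOTS, TAGS))
    print("balance edited on day 3, restore from day:",
          last_intact_index(KEY, tampered(3, "ACC-002", 1_000_000_00), TAGS))
    print("days 1 and 2 swapped, restore from day:",
          last_intact_index(KEY, reordered(1, 2), TAGS))
```

The index returned is the restore point; the transactions logged after that point then have to be replayed and reconciled rather than trusted. Two caveats matter in practice. First, the check only detects edits to stored snapshots: a corrupt entry pushed through the legitimate application path before the backup ran is sealed faithfully, so it has to be caught by reconciliation against counterparties, not by this control. Second, an adversary who obtains the key can re-seal whatever they have altered, which is why key custody (an HSM or a separate administrative domain) and an out-of-band copy of the seals are the real control, and the chain verification is only the detector that depends on them.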

Concerns and Recommendations

Although there has been great progress made over the years developing cyber defense, both domestically and across borders, we still have several major concerns.

Cyber conflict seems to only be getting worse, and increasingly sophisticated adversaries might deliberately aim for (or unintentionally cause) financial instability or actively work to undermine the financial sector’s response efforts. With more finance-sector dependence on an untrustworthy cyberspace, even unsophisticated actors might soon be able to trigger systemic effects.

There is also a divergence between industry and official sector work on cyber and financial stability risks and a lack of globally coordinated policies and regulations. The range of standards and preparedness across different types of firms and markets makes common efforts difficult and saps resources better spent on actual defense.

In addition, there is a dearth of information and analysis on how cyber risk intersects with business flows and decisions, both in stable times and when markets and institutions are under stress, and on how that intersection changes as new technologies continue to transform the industry.

We accordingly believe it is essential to foster greater shared understanding of the two disciplines—financial stability and cyber risk—and their intersections and harmonize approaches to resilience across the financial sector.

There should be a common model for quantifying cyber risk, together with a shared lexicon for discussing cyber risk as a factor in financial stability. To assist in this effort, the public and private sectors should continue to develop and share maps of critical market structures and market processes and continue exercises that prepare for cyber risks to financial stability. Finally, international regulations must be harmonized to foster resilience and mitigate risk, and they must be flexible enough to evolve with technological change and adversary sophistication.

Every year, cyber attacks become more severe and adversaries more daring. The global financial sector has been the target not of mere bank jobs or credit card theft, but of far larger and more sophisticated attacks. Those attacks might have had a systemic impact but for the heroic efforts of technologists and decision makers. Someday adversaries, by design or by accident, will conduct an attack that is beyond the ability of these defenders to contain. It has never been more important to continue the work of reconciling and mitigating cyber risks to financial stability.