from Liberty Street Economics
— this post authored by Jennifer Gennaro, Jason Healey, Anna Kovner, Michael Lee, and Patricia Mosser
The Federal Reserve Bank of New York partnered with Columbia University’s School of International and Public Affairs (SIPA) for the second annual State-of-the-Field Conference on Cyber Risk to Financial Stability on December 14-15, 2020. Hosted virtually due to the COVID-19 pandemic, the conference took place amidst the unfolding news of a cyberattack against a major cybersecurity vendor and software vendor, underscoring vulnerabilities from cyber risk.
Cyber Risks Can Be Systemic
SIPA Dean Merit E. Janow opened the conference with a fireside discussion with Arthur Lindo, Deputy Director, Regulation and Supervision, Federal Reserve Board, and Jason Witty, Head of Cybersecurity & Technology Controls, CISO, JPMorgan Chase, delivered opening remarks on the second day of the conference.
Over both days, panelists discussed the current research on cyber systemic risk; ongoing public- and private-sector efforts to address cyber risk; and the possible next steps that the cybersecurity and financial sectors can take to strengthen financial stability frameworks in light of evolving cyber threats. This blog post reviews some of these conversations – see the full conference agenda for select recordings and research publications.
What Are We Learning?
In a panel entitled “What Are We Learning?,” moderator Anna Kovner, New York Fed, invited participants to discuss their ongoing research on cyber systemic risk, demonstrating diverse analytical approaches to assessing the impact of cyber threats on the financial system and the broader economy.
Leonardo Gambacorta, Bank for International Settlements, shared insights on the drivers and costs of cyber risk. A cross-sector study showed that a higher frequency of cyber incidents in the financial sector did not correspond to higher gross loss compared to other sectors. Connectivity across institutions tended to increase the costs associated with cyber attacks, and cloud technology was highlighted as a rising driver of cyber risk. Looking across countries, while cyber represents a small fraction of the operational losses experienced by corporations, the range of cyber value-at-risk (the worst expected loss over a given time horizon at a given confidence level) can be large. Gambacorta noted a large uptick in cyberattacks following the increase in remote work during the COVID-19 pandemic, with workers in the financial sector being especially targeted.
Michael Lee, New York Fed, discussed the systemic features of cyber risk, based on work involving cyberattack scenarios in the wholesale payment system. The study found that the concentration of financial activity and the velocity of payment activity are factors that contribute to a system-wide impact of a cyber attack. A disruption to payment activity at a top-five bank could materially impact the liquidity conditions of other institutions and have additional spillovers to the broader economy. Lee cautioned that the intent and the information an attacker possesses could increase the impact of a cyberattack, as could technological vulnerabilities and service providers shared between financial institutions.
Jonathan Welburn, RAND Corporation, discussed his work on firm-level networks across sectors. He summarized an approach to modeling aggregate losses resulting from a company outage that extends downstream. Systemically relevant firms were found in many sectors, indicating that systemic risk is fairly widespread throughout the broader economy. Driving home the significance of increasing digital dependence, he observed that digital service providers were highly represented among the systemically relevant firms.
Cyber risk analysis is increasingly incorporated into analysis of sovereign and credit ratings at Moody’s, noted Leroy Terrelonge III, since cyber touches on multiple methodologies and factor scores, such as economic strength. A primary challenge to understanding risks that stem from different types of cyber incidents is the lack of information about preparedness. Moody’s created its own measures of cybersecurity preparedness by using anonymized and aggregated issuer responses from global surveys.
To balance information sharing with confidentiality, Terrelonge emphasized the important roles of intentional questions and flexible, voluntary information disclosures. Lee saw the understanding of shared vulnerabilities as an important component of addressing cyber systemic risk. Gambacorta emphasized that the public and private sectors need to continue collaboration and strengthen operational resilience through simulation exercises – a topic that was further explored during the second day of the conference.
What Are We Doing?
Moderating a panel entitled “What Are We Doing?,” Patricia Mosser, SIPA, asked a diverse group of experts to discuss concrete efforts to address cyber risks to financial stability today.
COVID-19 has rapidly accelerated digital transformation and increased usage of digital financial services. Yeow Seng Tan, Monetary Authority of Singapore, highlighted that Singapore had six times more e-payment transactions in mid-2020 than in the similar period of the prior year. To meet the rapid adoption of digital technology and increased cyber risks, Tan emphasized that regulators must adapt. He also provided an overview of several cybersecurity transformation plans, including projects to map cyber interconnections of Singapore’s financial institutions to address third-party risk, build frameworks to understand cyber challenges to operational and financial risk, and develop an analytical framework focused on the financial sector.
Addressing the importance of scenario exercises, Greg Rattray, SIPA, highlighted his recent experience leading SIPA’s New York Cyber Task Force and his work with experts from many industrial sectors to identify improvements to U.S. government and private sector operational collaboration. He observed that it is challenging for institutions and experts to consider the plausible scenarios where cyber risks lead to widespread losses. Attacks on major global banks and service providers can significantly impact business operations and even undermine national security. Rattray emphasized that thinking through these scenarios is important, but also very difficult since it requires quantifying the impacts of potentially catastrophic events.
Despite the global nature of the financial system and the potential for shocks to spread across borders, there are limited global efforts to address systemic cyber risk and resilience. Arthur Nelson summarized a recent assessment by the Carnegie Endowment’s Cyber Policy Initiative of existing global cooperation initiatives, which found that these initiatives are reactive and function independently. Nelson outlined the report’s recommendations on potential areas for improving connectivity, highlighting that the financial sector, through shared global incentives, is an avenue for confidence building and facilitating cyber cooperation with other nations.
Both Nelson and Tan highlighted current activities to enhance global communication and cooperation, while all panelists stressed the importance of improved collaboration for financial sector resilience. Addressing potential mechanisms for deterrence, Rattray cautioned that cyberattacks, like the recent SolarWinds hacks, point to the need for defensive measures to disrupt attackers.
What’s Next?
In the final discussion, moderated by Jason Healey, panelists considered how cyber risks, and their proposed policies and solutions, could change given the outlook for the next few years.
Rising geopolitical tensions and great power competition will impact the future of cyber risk. Barry Pavel, Director of the Scowcroft Center for Strategy and Security at the Atlantic Council, emphasized that cyber attacks will feature prominently in the United States’ ongoing conflicts with Russia and China. Attacks, such as the SolarWinds hack, highlight the importance of third-party and supply-chain risk, and Pavel stressed that the increasing potential for cyber risks across sectors must become part of the risk calculus for financial instability.
Echoing concerns from earlier panels, Jeremy Brotherton, Federal Reserve National Incident Response Team, emphasized that the multi-sector adoption of third-party services, including cloud computing, introduces single points of failure throughout the system. A successful attack against a digital service provider could have far-reaching effects.
Strong public and private partnerships and like-minded international coalitions are necessary activities to counter future threats, such as ransomware and supply-chain risks. Alexandra Friedman, U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection, saw that the collective activities during the pandemic between U.S. government agencies, regulators, and private partners helped create and strengthen mechanisms for collaboration that could be leveraged in the future. Furthermore, there are efforts underway to understand cross-sector connectivity, such as in the financial and information-communications technology sectors.
Considering the future challenges and risks, such as the inclusion of Fintech in financial systems, Friedman observed that potential impact and risks depend on financial network connectivity and the measures firms put in place to manage their risks. Brotherton stressed that firms must have cybersecurity fundamentals in place, such as backup systems, continuity and recovery plans, and business and technical exercises. Scenario planning and cross-sector and interagency resources and exercises are other key areas for building resilience.
About the Authors
Jennifer Gennaro is the cyber fellow at Columbia University’s School of International and Public Affairs.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs.
Anna Kovner is a vice president in the Federal Reserve Bank of New York’s Research and Statistics Group.
Michael Lee is an economist in the Bank’s Research and Statistics Group.
Patricia Mosser is director of the MPA Program in Economic Policy Management at Columbia University’s School of International and Public Affairs.
Related Reading
Understanding Cyber Risk: Lessons from a Recent Fed Workshop
Have the Risk Profiles of Large U.S. Bank Holding Companies Changed?
Source
State‑of‑the‑Field Conference on Cyber Risk to Financial Stability
Disclaimer
The views expressed in this post are those of the author and do not necessarily reflect the position of the Federal Reserve Bank of New York or the Federal Reserve System. Any errors or omissions are the responsibility of the author.
