As the digital transformation in banking has gathered pace, so have cyber risks to financial stability. The prevalence of cyber attacks is particularly pronounced in the financial system: data from the Carnegie Endowment for International Peace indicate that the number of cyber attacks on financial institutions is increasing four-fold, year-on-year (Maurer and Nelson, 2020). Together, these trends pose a new challenge for financial sector participants. Despite the growing interest in cyber risk, there is currently no model that links cyber attacks to bank and investor behaviour. This policy brief summarises recent analysis (Anand et al., 2022) clarifying how cyber attacks can engender financial instability.
"Cyber security is a public good… the social benefit conveyed by a well functioning and resilient financial system… requires a higher level of investment in cyber security than what individual firms would like to do on their own. In addition, many individual firms rely on shared services… an individual firm may rely on others in the shared network to make investments to increase the security of the network, but if every firm thinks this way, there will be underinvestment in security." − Loretta J. Mester, Federal Reserve Bank of Cleveland, 21 November 2019.
Cybersecurity as a public good
Our analytical framework builds on the premise that banks use shared digital services provided by third-party vendors who offer scale efficiencies. Examples include data warehousing, runtime services, and operating systems that support both customer-facing online banking and the bank’s back-end operations. Adoption of these services by financial institutions has been accelerating over the past few years (Harmon, 2020), and the services are provided by just a handful of companies: a Gartner (2019) survey estimates that Amazon, Microsoft, Alibaba, Google, and IBM account for 77% of the market.
While they save costs, shared services, which we refer to as “platforms”, also create cybersecurity dependencies: one bank’s access can become the ‘back door’ through which attackers impact others. Having gained access to a bank’s systems, attackers can deploy malicious code that exploits vulnerabilities in the platform, which are often unknown even to the vendor (Perlroth, 2021), and cause outages. Stuxnet, which spread via Microsoft Windows and targeted industrial control systems, is an example of malicious code that exploited several zero-day vulnerabilities (McDonald et al., 2013).
Because remedial actions against vulnerabilities are not always available, banks must invest in cybersecurity to monitor and repel unauthorised intrusions into their systems. Investing in cybersecurity allows a bank to protect both itself and others on the platform. Cybersecurity thus has the hallmarks of a weakest-link public good (Hirshleifer, 1983; Cornes, 1993). Just as, in times of flood, the sea penetrates the sector where citizens have built the lowest dike, the cybersecurity of the financial system depends on the bank with the lowest level of protection. We can therefore picture the “security blanket” over the platform as a circular region with banks situated along the perimeter. Each bank is responsible for maintaining security along its portion of the perimeter, but an attacker who breaches the section guarded by one bank can disrupt the platform and adversely impact all banks. The weakest-link formulation implies that investment in cybersecurity generates positive externalities for all banks.
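To make the weakest-link logic concrete, here is a small game-theoretic illustration in Python. It is an added example, not the model of Anand et al. (2022) or material from the brief; the payoff structure (a linear investment cost c per unit of protection, a platform breach probability equal to one minus the lowest protection level on the platform, and a loss L for every bank when the platform is breached), the protection grid and all parameter values are assumptions chosen to expose the externality.

```python
"""Weakest-link security game (added illustration; assumed payoffs, not the
brief's model). N banks share a platform; bank i picks a protection level
s_i on a small grid at cost c * s_i. Platform security is min_i s_i, the
platform is breached with probability 1 - min_i s_i, and each bank then
loses L. All parameter values below are constructed for the example."""
from itertools import product

GRID = (0.0, 0.5, 1.0)   # protection levels a bank can choose (assumed)


def platform_security(levels):
    """Weakest-link aggregation: the platform is only as secure as its least-protected bank."""
    return min(levels)


def expected_cost(levels, i, c, L):
    """Bank i's expected cost: own investment plus expected breach loss."""
    return c * levels[i] + L * (1.0 - platform_security(levels))


def social_cost(levels, c, L):
    """Total expected cost across all banks on the platform."""
    return sum(expected_cost(levels, i, c, L) for i in range(len(levels)))


def is_nash(levels, c, L, grid=GRID):
    """True if no single bank can cut its own expected cost by changing only its own level."""
    for i in range(len(levels)):
        current = expected_cost(levels, i, c, L)
        for s in grid:
            trial = list(levels)
            trial[i] = s
            if expected_cost(trial, i, c, L) < current - 1e-12:
                return False
    return True


def social_optimum(n, c, L, grid=GRID):
    """Profile that minimises total cost (exhaustive search over the grid)."""
    return min(product(grid, repeat=n), key=lambda p: social_cost(p, c, L))


def others_cost_change(levels, i, new_level, c, L):
    """Change in the OTHER banks' total expected cost when bank i moves to new_level.
    A negative number is a positive externality conferred on the rest of the platform."""
    trial = list(levels)
    trial[i] = new_level
    return sum(expected_cost(trial, j, c, L) - expected_cost(levels, j, c, L)
               for j in range(len(levels)) if j != i)


if __name__ == "__main__":
    c, L, n = 0.6, 1.0, 4   # assumed: protection is cheaper than the loss it averts
    low, high = (0.0,) * n, (1.0,) * n
    print("all-low  is Nash:", is_nash(low, c, L), " total cost:", social_cost(low, c, L))
    print("all-high is Nash:", is_nash(high, c, L), " total cost:", social_cost(high, c, L))
    print("social optimum  :", social_optimum(n, c, L))
    # Bank 0 is the weakest link; raising its level benefits the other three banks.
    print("externality when the weakest link hardens:",
          others_cost_change((0.0, 1.0, 1.0, 1.0), 0, 1.0, c, L))
```

With c below L the socially optimal profile is full protection, yet the all-low profile is also an equilibrium: a bank that hardens alone pays c and gains nothing, because platform security is still set by its least-protected neighbour. The last line quantifies the externality the text refers to: when the weakest bank hardens, every other bank's expected loss falls by L.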
Cyber attacks
We argue that cyber attacks may be characterised by three factors. First, there is the intensity with which attackers try to breach the cybersecurity defences and cause the platform to suffer an outage. Uncertainty over the intensity of an attack reflects uncertainty about the identity of the attacker; this attribution problem is a distinguishing feature of cyber attacks (Hayden, 2011). For example, state-sponsored attackers have considerable resources to launch more sophisticated attacks, which are more likely to succeed than attacks by typical cyber-criminals.
Second, following a successful intrusion and the deployment of malicious code, the shared services may suffer temporary outages that disrupt operations for all banks. For example, the 2020 distributed denial of service (DDoS) attack on the New Zealand Stock Exchange prevented the posting of market announcements and led to trading suspensions over several days (Tarabay, 2021). During these outages, banks are unable to access or manage some proportion of their key functions.
Third, even after the attack has been repelled, there may be longer-lasting damage. This includes the loss of confidential information pivotal to the bank’s role as a financial intermediary (Dang et al., 2017), losses incurred from paying ransom demands, and even physical damage to critical systems. Bouveret (2018) estimates that the annual average loss to banks from cyber attacks amounts to some US$100 billion, or 9% of banks’ net income globally.
Bank illiquidity and insolvency conditions
Platform outages can impair a bank’s ability to manage its assets and, thereby, to service its debts in a timely manner. In particular, if the outage is sufficiently large relative to the mass of debt holders who choose to withdraw, it can render the bank illiquid even though it remains solvent. The decisions of debt holders to withdraw are, in turn, driven by their concerns over the bank’s ability to pay. In our model, we parametrise these concerns by the degree of rollover risk.
Cyber attacks can also lead to banks suffering financial losses. The 2019 credit downgrade of the Maltese Bank of Valletta plc following a cyber attack highlights the risk of insolvency (S&P Global Market Intelligence, 2019). If the losses are large, they can lead to banks failing due to insolvency.
Figure 1 depicts how the insolvency and illiquidity conditions of a bank, following a successful cyber attack, are related. While the insolvency condition depends only on the severity of the outage shock, the illiquidity condition depends on both the outage shock and the mass of debt holders who withdraw. Importantly, there is a critical mass of withdrawals, denoted γ, at which the two conditions intersect. Whenever withdrawals are less than γ, bank failure is primarily driven by insolvency. When the mass of withdrawals is greater than γ, concerns over illiquidity are the overarching reason for the bank to fail, even though it may be solvent...
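Figure 1 is not reproduced here, so the following Python sketch works through the same intersection numerically. It is an added example built on an assumed balance-sheet model, not the model of Anand et al. (2022): a bank with assets A and debt D cannot access a fraction s of its assets during the outage, suffers lasting losses of lam*s*A, and faces withdrawals from a mass w of its debt holders. The values A = 100, D = 90 and lam = 0.5 are constructed for the illustration.

```python
"""Illiquidity versus insolvency after a platform outage.

Added worked example; the balance-sheet model is an assumption made for
illustration and is not the model of Anand et al. (2022). Assumed quantities:
  A, D          assets and debt (equity E = A - D)
  s in [0, 1]   outage shock: fraction of assets the bank cannot access/manage
  lam           lasting loss per unit of outage, as a fraction of A
  w in [0, 1]   mass of debt holders who withdraw (they demand w * D)
Insolvent if lasting losses lam*s*A exceed equity E.
Illiquid  if accessible assets (1 - s)*A fall short of withdrawals w*D.
"""


def insolvency_threshold(A, D, lam):
    """Smallest outage shock that wipes out equity; independent of withdrawals."""
    return (A - D) / (lam * A)


def illiquidity_threshold(w, A, D):
    """Smallest outage shock at which accessible assets cannot meet withdrawals w*D."""
    return 1.0 - w * D / A


def critical_withdrawal_mass(A, D, lam):
    """gamma: the withdrawal mass at which the two thresholds coincide."""
    return (1.0 - insolvency_threshold(A, D, lam)) * A / D


def failure_mode(s, w, A, D, lam):
    """None if the bank survives shock s with withdrawals w, else which condition binds."""
    s_ins = insolvency_threshold(A, D, lam)
    s_liq = illiquidity_threshold(w, A, D)
    if s <= min(s_ins, s_liq):
        return None
    solvent = s <= s_ins
    if s_liq < s_ins:   # w > gamma: illiquidity binds first, solvent or not
        return "illiquid, solvent" if solvent else "illiquid, insolvent"
    return "insolvent"  # w < gamma: insolvency binds first


def failure_frontier(A, D, lam, steps=10):
    """For each withdrawal mass w, the lowest outage shock that brings the bank
    down and the condition that binds there: the curve Figure 1 describes."""
    s_ins = insolvency_threshold(A, D, lam)
    gamma = critical_withdrawal_mass(A, D, lam)
    frontier = []
    for k in range(steps + 1):
        w = k / steps
        s_liq = illiquidity_threshold(w, A, D)
        frontier.append((w, min(s_ins, s_liq), "illiquidity" if w > gamma else "insolvency"))
    return frontier


if __name__ == "__main__":
    A, D, lam = 100.0, 90.0, 0.5   # constructed balance sheet: equity 10, lasting loss 0.5*s*A
    print("insolvency threshold s*:", insolvency_threshold(A, D, lam))
    print("critical withdrawal mass gamma:", round(critical_withdrawal_mass(A, D, lam), 3))
    for w, s_fail, binding in failure_frontier(A, D, lam):
        print(f"w={w:.1f}  fails once s>{s_fail:.3f}  binding: {binding}")
    print("moderate run, large outage:", failure_mode(0.30, 0.50, A, D, lam))
    print("heavy run, small outage   :", failure_mode(0.15, 0.95, A, D, lam))
```

Below gamma the illiquidity line lies above the flat insolvency line, so any outage severe enough to fail the bank has already exhausted its equity; above gamma the order flips and a bank can fail on liquidity while still solvent, which is the case the text singles out.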
© SUERF