“[W]e should see the global payment system for what it really is: an essential global public good whose integrity is increasingly being challenged by malicious cyberattacks and fraud attempts....” Benoît Cœuré, Member of the Executive Board of the ECB, Speech, 26 June 2018

“I rob banks because that’s where the money is.” Attributed to Willie Sutton.

When terrorists attacked the World Trade Center on September 11, 2001, they also attacked the U.S. financial system. In addition to destroying critical financial infrastructure, the collapse of the twin towers closed the New York Stock Exchange and disrupted the payments system that links U.S. intermediaries, threatening to shut down banks, ATM machines and credit card operations across the country. Only extraordinary intervention by the Federal Reserve kept the system afloat (see, for example, Rosengren).

We have long argued that financial stability is a vital common resource (see here). As ECB Board member Cœuré suggests in the opening quote, the same applies to financial cybersecurity—the protection of financial information and communications technologies (ICT) and their associated networks from failures and attacks. The events of 9/11 and their aftermath dramatically highlighted the link between stability and cybersecurity. Moreover, because our financial system is so deeply reliant on ICT and on large, global networks, these two objectives are more closely linked than ever before: ensuring one means guarding the other.  

In this post, we highlight the pervasiveness of cyberthreats as a source of operational risk in finance. Consistent with the Presidential Policy Directive 21 and a recent Presidential Executive Order aimed at strengthening cybersecurity, the U.S. government has designated financial services infrastructure as critical to national and economic security (see here). Nevertheless, numerous challenges—ranging from the availability of reliable data to the ever-changing nature of the attacks themselves—make the goal of safeguarding financial ICT networks very difficult. To be effective, cybersecurity efforts require mechanisms for preventing successful attacks, limiting their impact, and promoting quick, reliable recovery. Reducing vulnerability and contagion while boosting cyberresilience is a very tall order.

We start with some general information on data breaches—the unauthorized exposure of personal identifying information (PII). Breaches have grown frequent and massive: the largest known occurrence (Yahoo!) involves three billion records, while seven other instances exceed 500 million records each! All these extensive breaches have occurred since 2013, consistent with a substantial increase of the threat over time. Factors that contribute to this trend include: (1) increased reliance on ICT; (2) development of large-scale databases with detailed PII; (3) expansion of networks (like supply chains and financial markets) with multiple entry points that facilitate contagion; (4) and the rise of sophisticated bad actors, including cybercriminal organizations and well-financed agents of hostile nation states.

Second, data breaches appear especially likely to occur in financial services. The first chart shows the number of records exposed since 2005 in the U.S. financial sector: according to the Privacy Rights Clearinghouse (PRC), a total of 750 financial data breaches exposed more than 640 million records. (The entire PRC database includes 8,229 data breaches resulting in the combined exposure of 11 billion records.) Drawn from a geographically broader dataset from Verizon, the information in the second chart below shows business-sector shares of confirmed breaches over the past five years (through 2017). Financial services stand out as the top target, accounting for nearly 22% of the 9,900 breaches in this sample. Importantly, this share far exceeds that of financial services in the value-added of the U.S. economy (diamonds). The contrast with manufacturing—which accounts for about 5% of the breaches and 11½% of U.S. value added—is striking.

U.S. financial services: number of records breached (millions), 2005-May 2018

Financial services: data breaches (share of total breaches in percent, 2013-17) and value-added (share of total value-added in percent, 2017)

It’s not difficult to imagine why the financial sector is both vulnerable and a target. Financial institutions, markets, and third-party vendors are especially reliant on ICT to supply instantaneous on-demand services in large volumes at low cost. They have enormous client databases. They form an extensive network—domestically and globally—through the payments mechanism, exchanges, clearing and settlement systems, and the like. Cyberattackers can and do seek out the weakest links in these chains in order to achieve their goals—whether to steal property or, as may be the case with some hostile state actors, to destroy it and undermine confidence. And, it is no mystery why they target data related to finance. As bank robber Willie Sutton supposedly said, that’s where the money is.

Indeed, we are reminded of the history of warring states’ attempts to attack their enemies by undermining key financial apparatus while profiting from the activity. The classic example is Nazi Germany’s effort to counterfeit the British pound during World War 2 (see Altig). Such for-profit state actions are hardly relics of the past: as an official of the Secret Service—which was founded to battle counterfeiting in the aftermath of the Civil War—has observed, recent widely-publicized raids attributed to hostile state agents (like the 2017 Wannacry ransomware attack) mimic the actions of cybercriminal organizations (see page 49 here).

Fortunately, the publicity arising from the most devastating leaks—like the 2017 Equifax breach—has focused the attention of financial institution risk managers, CEOs and Boards of Directors on cyberthreats. Since 2014, DTCC’s systemic risk barometer, a survey of its many global clients as well as of regulators and researchers, consistently ranks cyberrisk as the #1 or #2 concern. Similarly, the Bank of England's (BoE) systemic risk survey shows a surge after 2014 in the share of respondents (typically financial executives responsible for risk management or treasury functions) who cited a cyberattack as one of five risks that would have the greatest impact on the U.K. financial system, as well as one that would be most challenging for their firm to manage (see chart). These cyberattack shares were the second highest (or tied for the second highest) in the BoE survey rankings.

Cyberattack cited as a top source of systemic risk or as the risk most challenging to manage (share of survey respondents, percent), 2011 to 2018

Of course, most cyberrisks do not pose a threat to the financial system. The losses involved add to business transactions costs, but are too small to affect the system as a whole. For example, using a sample of more than 400 firms in 13 countries or regions, Ponemon estimates the annual probability for a firm experiencing a data breach involving 10,000 records or more is nearly 14%. However, that probability drops below 1% for a large-scale breach involving at least 100,000 records.

At the same time, most of the burden of protecting electronic records and networks falls on individual firms. This creates a problem. Because firms cannot reap the full benefits of their investments, they lack the incentive to ensure the socially optimal level of cybersecurity or cyberresilience (see Chapter 7 of the 2018 Economic Report of the President). That is, they do not internalize the spillover effects on other firms and on the broader economy of their inadequate preparations. Left on its own, the private market will underinvest. This means that there is a role for government—in cooperation with the private sector—in promoting cybersecurity.

What should the government do? One key role is to encourage disclosure and information sharing. Firms have strong incentives—for legal and reputational reasons—to conceal the cyberattacks. As a result, it is widely believed that most events go unreported. According to the Center for Strategic and International Studies (page 4), when attackers hacked Google in 2010, only 1 in 34 Fortune 500 firms that also lost intellectual property reported the loss. (The Council of Economic Advisers used that small 3% ratio of reported incidents to estimate the economy-wide losses due to “malicious cyber activity.”)

The lack of reporting makes the financial system more vulnerable. First, not knowing the probability of an event makes it more difficult for firms to manage the changing risks. Second, concealment contributes to long lags in recognizing ongoing attacks. As a result, it is difficult or impossible to prevent contagion and reduce widespread damage. Third, the lack of a sufficient data history, combined with the ongoing evolution of attack mechanisms and vulnerabilities, means that it is impossible to build actuarial models for pricing insurance against losses from cyberattack.

On this final point, even with reliable data, private insurers are unlikely to provide coverage against the systemic risks posed by the largest cyberattacks: virtually by definition, the correlations in firm performance that such events trigger renders these risks undiversifiable. Perhaps as a result, in a recent simulation, Lloyds estimates that insurance would cover only about 7% of the losses from a criminal exploitation of a mass software vulnerability.  This is far lower than the 20-plus% insured average for natural catastrophe losses since 1990, let alone the 39% insured share in 2017 (see Munich Re). According to Warren Buffett, his firm, Berkshire Hathaway, “doesn’t want to be a pioneer on this” because “I don’t think we or anybody else knows what they’re doing when writing cyber” insurance.

Going forward, the Office of Financial Research (OFR) highlights three channels through which cyberevents can lead to systemic risk: (1) lack of substitutability; (2) loss of confidence; and (3) loss of data integrity. The first highlights the role of key hubs in the financial universe—including custodial banks and payment, clearing and settlement firms—through which much cybertraffic passes. Not only are these potential nodes of contagion, but they may be impossible to replace quickly, making speedy recovery from a cyberattack difficult for the system as a whole. The second emphasizes the potential loss of customer trust in the financial system that Equifax-like breaches can trigger. The third includes the corruption of data—perhaps purposefully by a hostile state actor—that limits the ability of financial firms to function. A recent private-sector study identifies data corruption as the most likely means of a large-scale cyberattack, reflecting the challenges of detection, response, and recovery. The second and third OFR channels appear closely related: widespread theft of records could make personal identification information―passwords, two-factor identification, and even biometric data―so unreliable that firms would no longer be confident with whom they are transacting. Indeed, after Equifax (if not before), we assume that names, social security numbers, birthdays, and addresses are no longer sufficient to protect property rights, especially against malicious state actors.

The good news is that widespread public attention to these threats—along with frequent, sizable losses—has prompted both firms and governments to promote cybersafety. IDC estimates financial sector spending in 2017 on cybersecurity at $16 billion, with outlays projected to grow annually by more than 10% in coming years. Granted, this is only 1% of U.S. valued-added in finance and insurance; but it is something.

In the United States, firms also have formed associations (like FS-ISAC) to share insights and data, and to establish reliable safety procedures (like Sheltered Harbor) in the event of infrastructure failures. Thought leaders in the industry are proposing new forms of coordination to limit the systemic threat, including the development of concrete standards for recovery, for communication with the public, and for mutual assistance in the event of a large-scale attack. Financial regulators also are actively pursuing means to address cyberrisks (see, for example, Figure 5 here). In some cases, as in the European Union, they are compelling rapid disclosure of data breaches, helping to speed the response of the financial system. Together with the private sector, financial regulators also have developed a range of “tabletop exercises”—we call them cybersecurity stress tests—to expose vulnerabilities in the system and to focus the attention of firm boards and executives on cyberrisk management and cyberresilience.

The challenge nevertheless will be to keep up with the malicious actors. We are in an arms race. To stay competitive, firms and regulators will need to anticipate and focus on prospective risks, rather than merely ensure compliance with rules that address past incidents. Most important, they will need to avoid the kind of “failure of imagination” that the 9/11 Commission cited as one of the key sources of U.S. vulnerability to that attack (see page 339 here). The rapid changes in both technology and the financial system bring not only new opportunities, but the possibility for previously unimagined catastrophes as well. If anything, the odds of disaster rise with the increased complexity and interconnectedness of finance.

Bottom line: there is no room for complacency. Private financial firms and government authorities need to remain vigilant, sharing intelligence and other defenses to ensure that our financial system remains stable and secure.