Researchers at the Federal Reserve of New York recently issued a study saying that interbank “wholesale” payments are so concentrated in the top five banks that if any one of them were disrupted by a cyber attack, the result could be a liquidity crisis in the banking system – a kind of cyber run on the banks.
Here's the scenario, as laid out by the research paper, Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis.
The top five banks handle about 50% of the $3 trillion in bank-to-bank payments that pass through the Federal Reserve’s Fedwire settlements system daily. If one of the banks were knocked off Fedwire because its internal systems had been disrupted, the effects would radiate rapidly.
Banks would continue to pay into the stricken bank’s account, but no funds would be coming out, creating a “liquidity black hole.” As banks realized the system was clogged, they would stop paying out to their counterparties to protect their own liquidity. Thirty-eight percent of the banking system could be impacted to the tune of 2.5 times the daily GDP of the United States, the paper estimates.
A dire “pre-mortem” – but how credible? We asked Jack Jones, creator of the FAIR™ model, for his reaction. FAIR, of course, is known for applying critical thinking to separate the probable from the possible when it comes to cyber attacks and their effects. In particular, FAIR helps organizations think through the likely threat actors and their capabilities to arrive at a rational view of how vulnerable the organization may be in any scenario. It’s through that lens on risk that Jack makes these comments:
“The people who did this analysis recognize that the kind of attack they’re describing is different from the normal financially-motivated fraud and data theft attacks that are so common today. If I were writing the paper, I might have emphasized that point a little more because it’s relevant to the odds of this kind of attack occurring. The first question I’m asking myself is ‘Who would do this, and why?’
“Because the global financial system and almost every country's economy are so highly integrated, this kind of attack would have global effects. Almost everyone loses, with the possible exception being economically isolated, pariah states. Furthermore, because of the profound global effects, the perpetrator (if they were a nation state) would almost certainly be subjected to very real consequences, perhaps even military retaliation because this could easily be portrayed as an act of war. So, maybe even a rogue country would hesitate to pull this trigger unless leadership there felt it had no alternative.
“So, if nation-states aren’t likely to perpetrate such an act, who would? Well, there are always the anarchists and agenda-driven hacktivists who believe society has gotten out of hand and the reset button needs to be pushed. That said, the effects of something like this — as painful as they would be — aren’t likely to reset society or create anarchy. Also, at least some of the fanatics in the world are inseparable from their nation-states, so as much as they might want to watch havoc unfold over here, they may be reluctant to pull such a trigger for fear of retaliation.
“Furthermore, pulling off this kind of cyber attack requires a certain level of sophistication and coordination. Do the fanatics have those capabilities? Maybe. Does the law enforcement/intelligence community already pay a lot of attention to them? Yes, but perhaps with a focus on kinetic versus cyber activity. Could they pull off something like this without being found out in advance? Perhaps, but there are probably easier ways for them to wreak havoc.
“Consequently, after reading this paper I’m left wondering what kinds of natural disasters or technology failures might also result in similar payment flow disruptions, as these kinds of events are probably more likely. And are there policy and/or regulatory controls that can help make the financial system more resilient whether the actor is some cyber-lunatic or Mother Nature?”
The paper’s authors did suggest a policy change: “Requirements to disclose to regulators even minor cyber events or to share with other banks information on threat assessments and contingency plans could increase resilience by reducing uncertainty and improving collective learning.” Another group of Fed researchers, at the Federal Reserve of Richmond, recently published a paper saying that what’s needed in the financial system is a commonly accepted way to assess risk – and suggested using FAIR and cyber risk quantification as the way to go.