New York Fed Warns of Financial System ‘Pre-Mortem’ Cyber Risk
In a new report, the Federal Reserve of New York warns a sustained cyber attack on the U.S. financial system could result in “significant spillover” and widespread disruption.
In the report, Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis (https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr909.pdf), authors Thomas M. Eisenbach, Anna Kovner and Michael Junho Lee model how a cyber attack may be amplified through the U.S. financial system, focusing on the wholesale payments network. The model estimates impairment of any of the five most active U.S. banks would result in “significant spillovers to other banks, with 38 percent of the network affected on average.”
“Cyber attacks are an increasing concern especially for financial service firms, which may experience up to 300 times more cyber attacks per year than other firms,” the paper said. “Almost every financial stability survey includes cyber attacks among the top risks.”
In a baseline scenario, the report analyzed the impact of a cyber attack on the largest five participants in the network, finding that, on average, if any of these large banks stops making payments, 6 percent of institutions breach their end-of-day reserves threshold.
“While the number of affected banks is relatively small relative to the number of banks in the network, the affected banks are often very large,” the paper said. “Weighting the impact of a cyber attack by the assets of affected banks dramatically increases the average spillover impact to about 38 percent of bank assets (excluding the attacked institution). This reflects the high concentration of payments between large institutions, and the large liquidity imbalances that follow if even one large institution fails to remit payments to its counterparties.”
The paper noted disruptions can be even larger within a local area, arising if the impairment of banks’ liquidity is transmitted through local bank branches. For instance, nearly 10 percent of U.S. metropolitan statistical areas would experience a severe disruption (more than 40 percent of MSA deposits at impaired banks). The numbers are even higher at the county level, due to high banking concentration within many US counties. Markets with less bank competition are more vulnerable to disruptions, as a direct impact on a large bank is likely to directly impair a large share of local deposits.
The report notes cyber attack can be designed for maximum disruption. “The extent to which an attacker is informed with respect to the payment system, the targeted institution, and its relation to the payment network, may dictate the magnitude of systemic risk arising in an attack,” it said. “For example, past studies highlight that total payment activity is often heightened at predictable, regular days over the course of the year. Attacks on seasonal days associated with greater payment activity are more disruptive relative to a non-seasonal days, with average impacts that are about 13 percent greater.”
Similarly, the report said a cyber attacker with specific knowledge of a targeted institution that targets the attack to a particular date could produce impairments that are another 10 percent larger than seasonal day disruptions. “We estimate that, on average, attacking on the worst date for a particular large institution adds an additional 25 percent in impairment relative to the case of no specific knowledge.”