In January this year, the Federal Reserve Bank (FRB) published a working paper which assessed impact on the financial system from a hypothetical cyber attack on a large US financial institution (FI). The FRB paper used data from Fedwire funds which represent the majority of wholesale payments between FI’s in the US to quantify how an attack on a single FI or group of FI’s could spread through the financial system.
The cyber scenario presented in the FRB paper is ground-breaking for a few reasons; first the scenario assesses the impact on the whole financial system while cyber impact assessments till date have focussed on a single institution; second it connects the liquidity in the financial system to cyber attack and third in building the scenario, consideration is given for timing of cyber attack to have maximum impact such as choosing the day of the attack. In summary, the scenario shows how inherent features of a cyber attack like malicious intent, uncertainty and compromise of systems and data could pose a systemic risk to the financial system due to the inter-connectedness of the large FI’s in US.
The central premise of the scenario is that an attacked FI is unable to send payments through Fedwire funds for a whole day since its systems and data are compromised however the FI will continue to receive payments from other firms who are not aware of the attack. By accumulating payments from all its counterparties while not sending any payments the attacked institution soaks up liquidity from the financial system and effectively acts as a liquidity black hole. The paper examines how this type of scenario could impact the liquidity position of other banks that fail to receive payments from the attacked institution. The study finds that impact of such a hypothetical cyber attack on a large US FI could be;
- foregone payments ranging from one-third to over 2.7 times daily U.S. GDP.
- Five to 35 percent of total daily payment value in US being impacted
- 38% of bank assets (excluding the attacked FI) affected
- 40% of MSA deposits at impacted banks being impacted
Some other interesting analysis from the FRB paper;
- Impairment of six smaller banks (below $10 billion in assets) or one large institution between $10 and $50 billion has the same impact. This is alarming as it is well known that the smaller sized banks do not have the same budget and cyber defense capabilities as the larger banks.
- Attacking an institution on worst possible day increases impact by 25%
The FRB paper in January was followed by a speech last week by Christine Lagarde, Managing Director of IMF re-iterating that cyber risk could trigger a liquidity crisis and pose systemic risk to the financial system. The global cost of cyber attacks on financial firms could be as high as $654 billion as mentioned in her speech last week. This speech follows a LinkedIn post in June 2018 by Christine Lagarde where the Head of IMF highlighted why the IMF was focussing on cyber attack as a source of systemic risk to the financial system. In that LinkedIn post it was mentioned that based on data collected by IMF on cyber attacks in 50 countries the average the annual potential losses from cyber-attacks was close to 9 percent of banks’ net income and taking an average of the worst 5 cases the impact could be as high as 50% of the net income of the banks. A recommendation was made in the post towards better quantification of cyber risk losses using an approach based on frequency and severity of cyber attacks which was previously advocated for estimating Operational Risk capital. This is interesting coming at a time when most regulators are moving away from complex modeling of operational risk to using simpler, rules-based standardized approach but that is subject for another day and post.