Back in February, Steven D. Baker and Michael Junho Lee from the Federal Reserve Bank of New York released a paper about systemic cyber risk and how to measure it meaningfully.
Amongst the paper’s many conclusions, I find the ones about where the risk arises and how it transmits throughout the financial system the most interesting.
Baker and Lee decompose the contributing factors into three, paraphrased, modules:
- Cyber villains be villaining. There are adversarial actors out there who, in the most strategically devious way, will find and exploit the cracks in the system.
- We are not entirely tech safe, which increases the risk of being tech sorry. Without pointing the finger, some take the stance of: it will probably not happen to me, and only adjust accordingly when it does happen to them. That leaves the aforementioned cracks to be found and exploited.
- No financial institution is a technological island. Everyone is connected to everything in multiple ways.
As for the cyber villains, the paper finds:
“that heightened geopolitical tensions can motivate and embolden cyber adversaries to increase aggression.”
I am just grateful that none of that tomfoolery is happening right now.
Also, the cyber villainy is industrializing in its quest to villain more and exhibits seasonality in the way it tends to attack during US holidays when everyone has left the office early.
When Baker and Lee focus on the technological vulnerabilities, they find that cyber incidents might not be that common, but when they occur, they tend to hit the biggest firms for maximum impact.
Lastly, cyber-attacks can ripple from one institution to the whole financial system through liquidity and asset holdings. The paper uses words such as illiquidity spiral, fire-sale, and sudden drops in asset values, all of which are greatly unpleasant to the institution, its counterparties, and the system as a whole. Through asset holdings, a cyber-attack can target a specific asset class and spread to other institutions that hold the same (kind of) assets. Not surprisingly, for banks, the loan book is the most exposed asset class, whereas non-banks, such as mutual funds, get hit hardest on equities.
The Fed paper is empirical and synthesizes data from 2021 to 2024. Therefore, it does not take the whole AI tsunami into account. So far, one can only speculate how, for example, Anthropic’s new Mythos model, said to be so powerful that it has only been released to a few major technology and finance firms for security reasons, could fuel systemic cyber risk.
This week, Bloomberg disclosed that the Treasury Secretary, Scott Bessent, and the Federal Reserve Chair, Jerome Powell, had the heads of said major technology and finance firms over for a hot beverage and a little parental reminder of the (systemic cyber) risks and responsibilities of being the biggest/oldest siblings in the industry.
Regitze Ladekarl, FRM, is FRG’s Director of Company Intelligence. She has 25-plus years of experience where finance meets technology.
This article is part of the FRG Risk Report, published weekly on the FRG blog. To read other entries of the Risk Report, visit frgrisk.com/category/risk-report/.
