On December 14 and 15, in partnership with the Federal Reserve Bank of New York (FRBNY), SIPA hosted its second annual Cyber Risk to Financial Stability: State of the Field Conference. During the virtual event, academic and industry experts in cybersecurity and financial sectors, came together to discuss the current state of the field, and considered three guiding questions: “What We're Learning?”, “What We're Doing?”, and “What's Next?” in addressing the current and future cybersecurity challenges to the financial sector.
The conference opened with a fireside chat between Dean Merit Janow and Arthur Lindo, Deputy Director for Policy in the Federal Reserve Board's Division of Supervision and Regulation. The second day featured introductory remarks by Jason Witty, Global Chief Information Security Officer for JPMorgan Chase. The two sessions highlighted the importance of collaboration between the public and private sector to stay ahead of technology and regulation, the need for information sharing and awareness of globally occurring incidents, and improvements to loss measurements to assess cyber impacts. Discussants considered the impact of the new COVID-19 remote work environment and the importance of operational collaboration, regulatory harmonization, and operational resilience to meet the rising challenge of frequent and sophisticated ransomware attacks.
The event was a timely discussion on the current state of the field and future steps to be taken, held just days after the disclosure of the Solar Wind cyberattack, in which a hacker group, believed to be affiliated with the Russian government, gained access to the computer systems of multiple U.S. government departments, including the Treasury and Commerce department.
What We’re Learning
Panelists emphasized that cyber risks have become an increasingly relevant component of operational risk. Discussing the implications of increased reliance on digital infrastructure and the new work-from-home environment caused by COVID-19, Leonardo Gambacorta, Head of the Innovation at the Digital Economy unit at the Bank for International Settlements, highlighted that the financial sector has faced more cyberattacks than any other sector since the start of the pandemic. Michael Lee, Financial Economist in the Research and Statistics Group of the FRBNY, added that the systemic features of cyber risks can help propagate those risks throughout the financial system. An attack on a top-five firm, where payment activity is highly concentrated, could translate into a sizable impact on the whole financial network.
The panelists further stressed that cyberattack motives are becoming more complex, a shift from primarily financially motivated attacks. With sufficient motivation and information, an attacker could disrupt financial sector activity and cause significant damage. Jonathan Welburn, Operations Researcher at RAND, also emphasized that in addition to the cascading systemic cyber risks, the presence of common technology across financial institutions introduces common-cause systemic risks that can cause simultaneous effects across the financial network and magnifies a cyberattack’s impact.
What We’re Doing
Reflecting on the increasing challenges from the greater adoption of digital technology and digitized financial service, Arthur Nelson, Research Analyst for the Cyber Policy Initiative at the Carnegie Endowment for International Peace, and Greg Rattray, Senior Fellow and Research Scholar at SIPA, spoke about the need for improved clarification of roles and responsibilities to protect financial systems. International collaboration is critically needed, given the global interdependence of the financial system, and will require regulatory harmonization to ensure a common response. There are current initiatives underway to meet these objectives.
Yeow Seng Tan, Executive Director of Technology Risk and Payments Department and Chief Cyber Security Officer, Monetary Authority of Singapore (MAS), offered that the MAS has increased its oversight of financial Institutions’ IT outsourcing to mitigate third-party cyber risk. The Carnegie Endowment is also working to implement recommendations established in its International Strategy to Better Protect the Financial System Against Cyber Threats. Tan highlighted how intelligence sharing has continued to increase through the FS-ISAC and other like-minded authorities.
Columbia SIPA’s New York Cyber Task Force, led by Rattray, has worked with multi-sector industry experts for the last year to issue a report that identifies improvements to operational collaboration between the U.S. government and the private sector. Operational resilience continues to be an important goal and engaging in exercises to identify severe scenarios can help improve collaboration, risk assessments, and cybersecurity investment decisions. Building resilience will also require building relationships between international organizations to link response efforts and manage shocks in the global financial system.
The events of the next five post-pandemic years will greatly impact cyber risk to financial stability. Speaking on the panel, Barry Pavel, Director of the Scowcroft Center for Strategy and Security at the Atlantic Council, cautioned that while we may be moving towards the end of the pandemic, there may be secondary and tertiary shocks that could impact the financial system in the years to come. The role of the U.S. in the international arena has been shifting for years and authoritarian regimes, including Russia and China, have increasingly challenged U.S. power and will be further emboldened to use cyber tools like influence, information, and covert operations. The response by the incoming Biden administration towards these regimes will dictate the future outcomes in this field.
Examining future operational trends in cyber risk, Jeremy Brotherton, member of the National Incident Response Team of FRBNY, pointed out that the accelerated adoption of digital technology and increasing reliance on third-party vendors and providers have increased risks. Incoming innovations, like instant payments services that operate around the clock, 365-days a year, will bring significant changes in cyber threats. The adoption of cloud computing across organizations will create single-points-of-failure with potentially wide-reaching effects if faced with a disruptive attack. Risks from ransomware to the financial sector are also increasing as the attackers shift towards targeted and covert intrusions.
The financial sector will continue to face growing challenges and cyber risks; however, through continued discussions, such as those held by this conference, and collaboration, the cybersecurity and financial sector community can move towards collectively shouldering the burden of ensuring the security and stability of financial systems.
The event was hosted in partnership with the FRBNY and Columbia SIPA’s Project on Cyber Risks to Financial Stability. The CRFS project works to foster dialogue between experts in academia, industry, and government at the intersection of cybersecurity and financial stability to strengthen resilience in the financial industry. It is led by Jason Healey, director of the Program on Future Cyber Risks and a senior research scholar at SIPA; and Patricia Mosser, director of the Initiative on Central Banking and Financial Policy and a senior research scholar and senior fellow at SIPA.
—Danielle Murad Waiss MIA ' 21
View all event recordings here.