Project on Cyber Risk to Financial Stability

The first virtual workshop on Cyber Risks to Financial Stability discussed the working paper Pirates without Borders: the Propagation of Cyberattacks through Firms’ Supply Chains by Matteo Crosignani, Marco Macchiavelli and André F Silva.

Abstract: We document the propagation through supply chains of the most damaging cyberattack in history and the important role of banks in mitigating its impact. Customers of directly hit firms saw reductions in revenues, profitability, and trade credit relative to similar firms. The losses were larger for customers with fewer alternative suppliers and suppliers producing high-specificity inputs. Internal liquidity buffers and increased borrowing, mainly through bank credit lines, helped affected customers maintain investment and employment. However, the shock led to persisting adjustments to the supply chain network.

The second virtual workshop on Cyber Risks to Financial Stability focused on ongoing research on cyber sources for macroeconomic analysis by Jason Healey, Patricia Mosser, Rachel Adeney, and Danielle Murad Waiss.

The third virtual workshop on Cyber Risks to Financial Stability discussed the working paper The Anatomy of Cyber Risk by Rustam Jamilov, Hélène Rey, Ahmed Tahoun.

Abstract: This paper uses computational linguistics to introduce a novel measure of firm-level cyber-risk exposure based on quarterly earnings conference calls of listed firms. Our data span 13,000 firms from 85 countries over 2002-2021. We show cyber-risk exposure predicts cyber-attacks, affects stock returns and profits, and is priced in the equity option market. Cyber-risks spill over across firms and pass through from firm to sectoral level. The geography of cyber-risk is well approximated by a gravity model in which financial proximity is key. Back-of-the-envelope calculations suggest that the global cost of cyber-risk is over $200 billion per year.

The fourth virtual workshop on Cyber Risks to Financial Stability discussed the paper Financial Markets and Social Media: Lessons From Information Security by Claudia Biancotti and Paolo Ciocca.

Abstract: Discourse on social media increasingly affects personal financial decisions. This may improve market efficiency, yet it may also provide malicious actors with opportunities for disinformation and disruption. Financial authorities, governments, and other stakeholders must work together to counter this threat.

The fifth virtual workshop on Cyber Risks to Financial Stability discussed the paper Cyberattacks and Financial Stability: Evidence from a Natural Experiment by Antonis Kotidis and Stacey L. Schreft.

Abstract: This paper studies the effects of a unique multi-day cyberattack on a technology service provider (TSP). Using several confidential daily datasets, we identify and quantify first- and second-round effects of the event. For banks using relevant services of the TSP, the attack impaired their ability to send payments over Fedwire, even though the Federal Reserve extended the time they had to submit payments. This impairment (first-round effect) caused other banks to receive fewer payments (second-round effect), leaving them at risk of having too few reserves to send their own payments (a potential third-round effect). These innocent-bystander banks responded differently depending on their size and reserve holdings. Those with sufficient reserves drew down their reserves. Of the others, smaller banks borrowed from the discount window, while larger banks borrowed in the federal funds market. These significant adjustments to operations and funding prevented the second-round effect from spilling over into third-round effect and broader financial instability. These findings highlight the important role for bank contingency planning, liquidity buffers, and the Federal Reserve in supporting the financial system’s recovery from a cyberattack.

The sixth virtual workshop on Cyber Risks to Financial Stability discussed the paper When It Rains, It Pours: Cyber Risk and Financial Conditions by Thomas M. Eisenbach, Anna Kovner, and Michael Junho Lee

Abstract: We analyze how systemic cyber risk in the wholesale payments network relates to adverse financial conditions. We show that at the onset of the COVID-19 pandemic, payment activity increased, became more concentrated, and showed intraday liquidity stress. Cyber vulnerability was elevated in late February and early March 2020, with the potential impact of a cyberattack about 40 percent greater than in the remainder of 2020. Policy interventions to stabilize markets mitigated cyber vulnerability, particularly corresponding to large increases in aggregate reserves. We observe that cyber vulnerability and other financial shocks cannot be treated as uncorrelated risks and policy solutions for cyber security need to be calibrated for adverse financial conditions.

The seventh virtual workshop on Cyber Risks to Financial Stability discussed the book Cyber and the City: Securing London's Banks in the Computer Age by Dr. Ashley Sweetman.

Abstract: This book presents the first history of computer security in finance, from the perspective of the banks. It offers a mixture of broad overview chapters that set the scene, alongside more detailed case-study chapters. The chapters provide insights from unseen/unused archival material from various banks, and the London Metropolitan Archives

The eighth virtual workshop on Cyber Risks to Financial Stability discussed the working paper Cyber Security and Ransomware in Financial Markets by Toni Ahnert, Michael Brolley, David Cimon and Ryan Riordan

Abstract: Financial markets face the constant threat of cyber attacks. We develop a principal-agent model of cyber-attacking with fee-paying clients who delegate security decisions to financial platforms. We derive testable implications about clients’ vulnerability to cyber attacks and about the fees charged. We characterize which cyber attacks actors choose. We find that ransomware attacks are more successful than traditional attacks and that platforms underinvest in security when security is unobservable. Regulating security investment (e.g., minimum security standards) or improving transparency (e.g., security ratings) can improve welfare. Our results support regulatory efforts to increase transparency around cyber security and cyber attacks. 

The ninth virtual workshop on Cyber Risks to Financial Stability discussed the working paper City Hall Has Been Hacked! The Financial Costs of Lax Cybersecurity by Filippo Curti, Ivan Ivanov, Marco Macchiavelli, and Tom Zimmermann.

Abstract: State and local governments are attractive cybercrime targets because of inadequate cybersecurity and ample access to sensitive information. We show that external data breaches translate to higher financing costs for governments including negative abnormal bond returns in the secondary market and higher offering yields and bond pricing uncertainty in the primary market. We also find that governments increase total spending around cyberattacks, suggesting higher operating costs as the likely channel behind the spike in financing costs. Exploiting state-level variation in the timing of breach notification laws, we show that they have not significantly strengthened cybersecurity.

Discussion Summary: This paper contributes to the ongoing struggle of how cybersecurity plays into understanding of financial stability, propagation of shocks, and pricing of risks.

Cybercrime costs billions of dollars to businesses and the government each year. The cyber criminals monetize cyber vulnerabilities through different vectors however, this paper focuses on data breach specifically with some mention of ransomware. Municipalities are good targets for cybersecurity since they have large amounts of data that are PIIs and inadequate cybersecurity.

The effect of data breaches on municipalities is that after the breach, it leads to 1) increase in financing costs. There are negative abnormal bond returns in the secondary market and higher offering yield at issuance for the primary market.  2) There is an increase in expenditures after breach such as significant remediation and litigation costs. This can mean that there is a room for regulations. However, since 2002, starting with California, until 2021, states have implemented data breach notification laws. Some impose penalties in case of violations. These regulations are found to be ineffective at strengthening cybersecurity posture as there is no effect on incidence of future data breaches though there is a slight increase in expenditure following the implementation of the regulation.

Some of the items discussed for future research include measure of vulnerability by states, geographical spillover effect of data breach incidents, standards on what decent cyber defenses are, impact on different bonds based on different cybersecurity incidents (data breach vs ransomware), relation between those increasing expenditure and ones with large financing cost, consideration of revenue and population for targeted municipalities and others. 

The tenth virtual workshop on Cyber Risks to Financial Stability discussed the paper The Supply of Cyber Risk Insurance by Martin Eling, Anastasia V. Kartasheva, and Dingchen Ning

Abstract: Cyber risk insurance has been introduced for more than two decades in the United States, yet the insurance market for cyber risk is tiny amounting to 1% ($6.5 billion) of premiums in the U.S. property-casualty insurance market in 2021. In this paper, we analyze what constrains the insurance industry from providing larger capacity. We argue that cyber risk is special in that it is both information-intensive to underwrite and heavy-tailed. It leads to the tension between the need to raise large amounts of external capital to finance heavy-tailed risks and the high compensation demanded by capital providers due to information frictions. Hence, the suppliers are large insurance groups with a deep internal capital market, and their capacity is constrained. We start by providing empirical evidence that the cyber risk insurance market is dominated by large insurance groups and that, compared to other types of insurance, cyber insurance relies heavily on the groups' internal capital market. Then, using an exogenous shock on the tax treatment of the non-U.S. affiliated reinsurance in 2017, we establish the causal inference that insurers primarily rely on the internal capital market to supply cyber risk insurance.

Discussion Summary: Cyber risk is becoming a major concern with considerable uncertainty. There are not a lot of discussions around transferring the risk through traditional financial institutions such as insurance. The cyber insurance market is growing however, the premium is very small in the insurance market. This raises the question: what are the supply-side factors that curtail the development of the cyber insurance market? The research finds that the supply of cyber insurance depends on the internal capital market. The insurance groups with large capital markets dominate the market as there is a significant correlation between cyber insurance supply and the reliance of affiliated reinsurance. Moreover, heavy tails, information asymmetry, and risk certainty are characteristics of cyber risk that limit insurers from raising external capital to support the supply of cyber insurance. The impact of cyber lines on the profitability of other lines and entry and exit decisions in the cyber insurance market remain as next steps. 

The participants engaged in lively discussions around characteristics of other insurance vs cyber insurance, incentives for attackers, calculation methods for losses and size effects of cyber insurance.

Published by The Capco Institute Journal in May 2021. It builds on the 2018 "Future of Financial Stability and Cyber Risk" publication, by developing a unique framework to assist analysts trying to assess how specific cyber risks might affect financial stability.

Learn more here »

Published by the Brookings Institution in October 2018. It provides a general review of cyber risk to financial stability, contains a primer on financial stability and cyber risks, and highlights how cyber risks are different from other systemic financial risks. It also summarizes previous reports and efforts of policymakers and industry addressing these issues.

Learn more here »

Examines the growing momentum around the world to bring the cybersecurity and financial stability communities closer together to be better able to manage cyberattacks on banks and other institutions of the global financial system.

Learn more here »

Susan Hennessey spoke to Katheryn Rosen, Jason Healey, and Patricia Mosser. They talked about how to understand financial stability, the unique risks that cyber threats pose to it, and what gaps remain in how to mitigate those risks.

Learn more here »

June 13-14, 2019: Katheryn Rosen participated in the SEACEN Policy Summit on Central Bank Leadership in Combating Cyber Risk that brought together senior central bank and monetary authority officials, private sector representatives, chief information security officers (CISOs), and academics with regional and global thought-leaders to discuss pressing issues relating to cybersecurity, identify challenges and possible solutions, and foster networks that will help put central banks and monetary authorities in the vanguard against these looming threats.

October 10, 2018: the Atlantic Council’s Cyber Statecraft Initiative convened key stakeholders from the financial, governmental and academic communities to convene for the release of a joint report by the Brookings Institution and Columbia University’s School of International and Public Affairs, The Future of Financial Stability and Cyber Risk. The panel was moderated by Katheryn Rosen, a Senior Fellow at the Atlantic Council’s Cyber Statecraft Initiative and a Senior Research Scholar at Columbia University School of International and Public Affairs. 

July 10, 2018: workshop further developed the conceptual framework established in the previous gathering and explored amplifiers and dampeners of risk by focusing on a single market - the US treasury securities market.

May 10, 2018: SIPA hosted the first of two workshops that began the process to devise and refine a cyber risk and financial stability framework, emphasizing three pillars: financial stability, cyber risk, and transmission channels between the two. 

April 18, 2017: workshop intended to tie together the work on cybersecurity conducted by the financial sector with the long-existing work of academics and financial experts on financial stability and resilience. The output of this workshop would create the agenda for needed research and policy analysis in the field of financial stability implications of cyber risks.

The Fourth State-of-the-Field Conference on Cyber Risk to Financial Stability was held on 14 April 2023 at Columbia University's School of International and Public Affairs. The 2023 conference explored the impact of deglobalization on cyber risks and financial stability.

Key Takeaways on Liberty Street Economics.

28-29 April 2022: The CRFS hosted its third annual State-of-the-Field Conference, in partnership with the Federal Reserve Bank of New York.

The conference will begin with a keynote by Eric Goldstein, Executive Assistant Director for Cybersecurity for the Cybersecurity and Infrastructure Security Agency. This will be followed by a panel discussion on “Geopolitical Cyber Risks to Financial Stability” which will consider the changing landscape ten years after Iran’s ‘Operation Ababil’. Day one will conclude with a fireside chat with Phil Venables, the Chief Information Security Officer for Google Cloud. Day two will focus on industry perspectives, commencing with a keynote by Tammy Hornsby-Fink, the Chief Information Security Officer for the Federal Reserve System.

14-15 December 2020: The CRFS hosted its second annual  State-of-the-Field Conference partnership with the Federal Reserve Bank of New York.

During the virtual event, academic and industry experts in cybersecurity and financial sectors, came together to discuss the current state of the field, and considered three guiding questions: “What We're Learning?”, “What We're Doing?”, and “What's Next?” in addressing the current and future cybersecurity challenges to the financial sector. The event was a timely discussion on the current state of the field and future steps to be taken, held just days after the disclosure of the Solar Wind cyberattack, in which a hacker group, believed to be affiliated with the Russian government, gained access to the computer systems of multiple U.S. government departments, including the Treasury and Commerce department. Read more about the event on Liberty Street Economics.

12 April 2019: The CRFS hosted its inaugural State-of-the-Field Conference hosted in partnership with the Federal Reserve Bank of New York.

The day’s discussion focused on the need for a common lexicon to define and classify cyber threats and incidents. That way, the industry as a whole can assess their systemic impact and devise macroprudential risk mitigation solutions. They also highlighted the importance of collaboration and information sharing in this field. Remarks were delivered by Mr. Kevin Stiroh, Executive Vice President of the Financial Institution Supervision Group of the Federal Reserve Bank of New York.

Synopsis's Software Integrity Blog: Mentioned "The Future of Financial Stability and Cyber Risk" on April 25, 2019. Read here.

Forbes: Katheryn Rosen quoted on the Cyber Threat to US Finance on March 20, 2019. Read here.

International Cybersecurity Dialogue: “The Future of Financial Stability and Cyber Risk” paper featured in the dialogue and praised as “a major contribution to the academy” on November 25, 2018.