European Central Bank (ECB) President Christine Lagarde, citing a report by the European Systemic Risk Board (ESRB), outlined how a successful attack on a major financial institution could quickly create financial instability.
According to The Independent, Ms. Lagarde said, “History shows that liquidity crises can quickly become systemic crises. The ECB is well aware that it has a duty to be prepared and to act pre-emptively.” She went on to cite the existence of “several plausible channels” through which a cyber attack could trigger a financial crisis.
Prior to this, outgoing Bank of England Governor Mark Carney prioritized cyber as a systemic risk, resulting in cyber resilience tests over the past two years to gauge how the UK financial system might withstand and react to a major attack.
Lagarde could be signaling an early prioritization of cyber as a key systemic risk that deserves greater attention from the ECB considering the potential $645 bn risk. Last year, the BoE admitted to being under daily attack by hackers. The BoE alone settles $500bn in transactions every day, making it among the most critical of critical infrastructure. An operational disruption would cause deep and wide-ranging economic losses. Disruption for a single day would cause a financial impact equal to the fifth-largest company in the world (Facebook), and that is just the immediate impact. (see September 2019 Cyberhedge Research)
The U. S. Fed’s foray into cyber risk follows a similar path taken by the Bank of England in 2018. Its recognition of cyber as a systemic risk to the financial system is encouraging. Other Fed members, such as Loretta Mester in Cleveland, have also been outspoken about the systemic nature of the threat. But, the attempts to model the risk should not be limited to only resilience efforts, as is the case in the UK. Regulators should put more effort into encouraging transparency that will reduce the occurrence of breaches in the first place. This starts with better understanding the nature and scale of the risk faced in financial terms and treating it like regulators treat any systemic financial risk, such as liquidity risk.
Chaired by the U. S. and UK, the G7 Cyber Expert Group is due to report on steps the G7 could take to better protect the financial services sector at the 2020 summit in June. Some of the past work of this group focused on better proactive assessment of risk.
Fortunately, the financial services sector overall is a high-performing one from a cyber governance perspective. But, weak links and underperformers exist across all sectors, and the prospect of a financial crisis should prompt governments to require that companies provide more than just voluntary guidance.