Commentary

Commentary

 
 

Cyber Risk, Financial Stability and the Payments System

I view cyber security as one of the most serious financial stability concerns facing central banks.”
Federal Reserve Bank of Boston President Eric Rosengren, January 30, 2015.

Cyber risk remains at the top of the list of risks to the financial system, and the financial system is well known as the primary target for hackers (see here, here and here). In response, financial institutions expend huge resources on protecting their information systems—by one estimate, well over $100 billion. Yet, the losses may be even larger: a recent European Systemic Risk Board report suggests they could be anywhere from $45 billion to $654 billion annually.

Private sector actions to prevent cyber losses fall short due to a glaring externality: since the damage is likely to spill over to other financial firms and to markets, individual firms cannot reap the full benefits of preventing cyber attacks. And, because the financial system is a network of connections, the failure of an individual institution will almost surely have a negative impact on others. As a result, cyber risk threatens financial stability. (Healey, Mosser, Rosen and Wortman provide a framework for thinking about this linkage.)

To learn about the spillovers from one entity to others, and to get a sense of the financial stability risks associated with cyber fragility, we need to understand the financial system in some detail. Unfortunately, financial networks are highly complex and vary significantly across markets and functions. They also evolve meaningfully over time. On top of these enormous challenges, assessing network vulnerabilities frequently requires institution- or transactions-level information that is normally not publicly available.

This brings us to the important recent work of Eisenbach, Kovner and Lee (EKL), who study the vulnerability of the U.S. large-value interbank payments system, Fedwire, to a cyber attack on one of the principal nodes of the payments network—namely, one of the top five banks. In this post, we highlight EKL’s analysis as a model for the assessment of cyber-driven network risks. We suggest how central bankers should react to a cyber attack on the payments system, and speculate about what is needed to prevent, as well as mitigate, cyber risks.

As background, the Fedwire connects roughly 6,500 institutions that make hundreds of thousands of payments each day. The following chart shows the evolution of payments over the past two decades. Over this period, the average number of payments has increased by about 50% while their average value has more than doubled (see the chart below). As employees of the Federal Reserve Bank of New York, EKL have access to detailed Fedwire data. Specifically, they use all intraday payments and individual banks’ end-of-day balances for the 251 working days of 2018. Over this period, there were an average of 632,000 transfers with a total value of $2.85 trillion.

Fedwire transactions volume (number and value), 2000 Q1 to 2020 Q2

Source: Federal Reserve.

EKL ask what happens if a cyber attack shuts down a leading bank’s outgoing payments. The structure of Fedwire allows banks to continue receive incoming transfers into their reserve account regardless of what they themselves are doing. As a result, if a cyber attack shuts a bank down, then its reserve balance will start to increase.

Indeed, this is exactly what happened when terrorists struck on September 11, 2001. A number of large banks stopped operating. Prior to the attack, end-of-day reserve balances in the entire banking system were $13 billion, while daily Fedwire transfers exceeded $1.6 trillion. This means that banks used each dollar of reserves about 125 times per day. In the aftermath of the attacks, payments continued. But, when the recipient banks were closed, the funds got stuck and couldn’t be reused. To compensate for this shortfall, the Fed injected substantial reserves into the system through purchases of Treasury securities and discount lending (see McAndrews and Potter).

Importantly, Fedwire activity is highly concentrated. The following chart from EKL shows the share of payments sent by the most active 5 and 10 institutions (out of 6,500). The top five account for close to one-half of all payment activity on the Fedwire; on an average day in 2018, this was something like $1.4 trillion.

Concentration of the Fedwire Network

Source: Eisenbach, Kovner and Lee, Figure 2a.

Source: Eisenbach, Kovner and Lee, Figure 2a.

Put slightly differently, we can think of the interbank payments system as a hub-and-spoke network, with a few very large institutions at the center. In the context of cyber risk, this leads to the natural question: What happens to the system on a day that one of the five big banks stops sending payments?

That is the question EKL address. Their results are striking: by the end of the day, between 5% and 10% of banks in their sample suffer some sort of stress (defined as reserves falling by more than two standard deviations below a trailing 30-day average). Weighted by assets, the stressed banks account for 40% of the total. And, if that’s not bad enough, the impact of an invader intent on disrupting the system can be more than 50% greater if they act when the system is especially fragile—say, due to time-of-day congestion patterns or seasonally elevated payments.

Indeed, one should expect that a sophisticated attacker will have detailed knowledge about the network they are attacking. The reason is that malicious actors can lurk inside of a system for long periods, collecting information to identify the optimal time to attack. Using data from a well-known cyber consultant, the following chart plots the share of attacks that go undetected for a given number of days in 2019. Importantly, one fifth of the attacks go undetected for 300 days or more.

Share of cyber attacks that are not detected within the specified number of days (percent), 2019

Source: M-Trends 2020.

Source: M-Trends 2020.

It gets worse. So far, the EKL results assume that—aside from the bank that is shut down—everyone else proceeds with business as usual. Even within a day, this is extraordinarily unlikely. If they come to suspect a payments problem, other firms will hoard liquidity, and they may run on firms that are perceived as dysfunctional (see Duffie and Younger.) At the level of an individual bank, this makes sense. But for the system as a whole, it creates a destabilizing cascade. Indeed, EKL examine a case where banks halt payments if their minute-by-minute imbalance exceeds their 2018 peak. Based on this simple mechanical rule, the result is a cascade in which up to one-third of a typical day’s payments may not occur.

EKL’s work is a milestone in using network analysis to examine financial resilience. Yet, while the interbank payments system is critical to the flow of funds, banks are not the only important actors in the payments system and the Fedwire is only a piece of a much larger network. Money market funds and large institutional asset managers are also important. EKL highlight the role of foreign banking organizations and how they can be a source of systemic stress that can arise from abroad.

Other sources of risk also come to mind. Consider, for example, the central clearing parties (CCPs) that clear and settle transactions for equities, bonds and derivatives. As we discuss in an earlier post, in addition to being too big to fail, CCPs share members in common, so any fragility can quickly be transmitted across borders to the global financial system. Another source of fragility is the common exposure of payments providers to key vendors of financial services: for example, one-third of financial businesses purchase data and computing services from cloud service providers (a highly concentrated industry). These examples are reminders that what may be best practice from the perspective of an individual institution can create systemic risk when everyone adopts the same strategy.

What should policymakers do? Kashyap and Wetherit consider regulatory principles that can mitigate the systemic risks arising from a cyber attack. They argue that regulators should encourage firms to avoid common vulnerabilities, as well as develop and maintain a plan for delivering critical services on the assumption that there will be an attack and that it will create system-wide disruption.

In the circumstances that EKL study, where the central bank knows what is happening, the contingent policy is clear: inform all Fedwire participants about the attack, offer discount loans without limit and suspend the liquidity coverage ratio (LCR). Making loans available for the duration of the attack will comfort any banks facing shortfalls. Ideally, there also would be an automatic mechanism to reduce the discount rate. And, suspending the LCR is equivalent to an instant injection of several trillion dollars of reserves into the system.

A more general disruption of the interbank system, where the Fedwire itself might become impaired, would require a different response. Here, Duffie and Younger suggest the creation of emergency payment nodes that could be activated to clear payments between nonbanks. The point is that resilient financial systems have backups to prevent failures of groups of institutions or critical infrastructure from becoming catastrophic.

From our perspective, the details of contingency plans may be less important than the fact that they exist, that they can be activated automatically, and that they are widely known. The suspension of the LCR is a clear example: knowing that a cyber attack will lead the Fed to suspend liquidity requirements will reduce banks’ incentive to hoard liquidity and encourage them to make payments. The resulting actions should help to stabilize the entire financial system. But such cases are the easy ones. More threatening scenarios are those where the sources of the problem are unknown and are difficult to identify quickly.

Ultimately, we are in an arms race against malicious actors. No mechanism to prevent and mitigate attacks will be successful unless it anticipates hostile innovations. The unfortunate metaphor we have in mind is the case of the Maginot line, a costly system of immobile French fortifications that failed notoriously in 1940 when German invaders simply went around them.

The lesson from the Maginot Line is that the battle against cyber risk—also a matter of national security—requires defenses that evolve continuously with the threats. To make financial networks more resilient, to counter the attacks that will inevitably come and that are surely coming now, we must develop automatic mechanisms that ensure continuity of business operations. This will be neither easy nor cheap.

Acknowledgements: We thank Thomas Eisenbach, Anna Kovner and Michael Junho Lee for providing their figure, and Anil Kashyap for sharing his discussion of their paper.