Commentary

Commentary

 
 
Posts tagged Cyber risk
Comments on Fed CBDC Paper

Last month, the Federal Reserve issued a long-awaited discussion paper on the possibility of introducing a central bank digital currency (CBDC) for retail use. The Fed paper calls for comments on the benefits and risk of introducing a U.S. CBDC, as well as on its optimal design. In this post, we respond to each of the 22 questions posed in the discussion paper. For the most part, these responses are based on our previous analyses of CBDC (here and here).

At the outset, we highlight our doubt that the benefits of a U.S. CBDC will exceed the risks. In our view, other, less risky, means are available to achieve all the key benefits that CBDC advocates anticipate. Moreover, we are not aware of sustainable design features that would reduce the risks of financial instability that many analysts agree will accompany the introduction of a digital U.S. dollar.

However, this overall judgment regarding a CBDC’s benefits and risks is sensitive to two considerations that appear in the Fed’s analysis either explicitly or implicitly. First, CBDC may be a less risky alternative to stablecoins, should regulation of the latter prove politically infeasible (see our earlier post). Second, if other highly trustworthy financial jurisdictions (with convertible currencies, credible property rights protections, and free cross-border flow of capital) offer their own CBDC, the case for a U.S. CBDC—as a device to sustain widespread use of the dollar—would become stronger.

Against this background, we applaud the Fed’s conservative approach. Most important, the U.S. authorities are not rushing to act. Instead, they are thinking carefully about the design elements, are actively engaged in public outreach, and have committed not to proceed without first securing broad public support….

Read More
Cyber Risk, Financial Stability and the Payments System

Cyber risk remains at the top of the list of risks to the financial system, and the financial system is well known as the primary target for hackers (see here, here and here). In response, financial institutions expend huge resources on protecting their information systems—by one estimate, well over $100 billion. Yet, private sector actions to prevent cyber losses fall short due to a glaring externality: since the damage is likely to spill over to other financial firms and to markets, individual firms cannot reap the full benefits of preventing cyber attacks.

To get a sense of the financial stability risks associated with cyber fragility, we need to understand the financial system in some detail. Unfortunately, financial networks are highly complex and vary significantly across markets and functions. They also evolve meaningfully over time. On top of these enormous challenges, assessing network vulnerabilities frequently requires institution- or transactions-level information that is normally not publicly available.

This brings us to the important recent work of Eisenbach, Kovner and Lee (EKL), who study the vulnerability of the U.S. large-value interbank payments system, Fedwire, to a cyber attack on one of the principal nodes of the payments network—namely, one of the top five banks. In this post, we highlight EKL’s analysis as a model for the assessment of cyber-driven network risks. We suggest how central bankers should react to a cyber attack on the payments system, and speculate about what is needed to prevent, as well as mitigate, cyber risks….

Read More
Cyber Instability

When terrorists attacked the World Trade Center on September 11, 2001, they also attacked the U.S. financial system. In addition to destroying critical financial infrastructure, the collapse of the twin towers closed the New York Stock Exchange and disrupted the payments system that links U.S. intermediaries, threatening to shut down banks, ATM machines and credit card operations across the country. Only extraordinary intervention by the Federal Reserve kept the system afloat (see, for example, Rosengren).

We have long argued that financial stability is a vital common resource (see here). As ECB Board member Cœuré suggests in the opening quote, the same applies to financial cybersecurity—the protection of financial information and communications technologies (ICT) and their associated networks from failures and attacks. The events of 9/11 and their aftermath dramatically highlighted the link between stability and cybersecurity. Moreover, because our financial system is so deeply reliant on ICT and on large, global networks, these two objectives are more closely linked than ever before: ensuring one means guarding the other.  

In this post, we highlight the pervasiveness of cyberthreats as a source of operational risk in finance. Consistent with the Presidential Policy Directive 21 and a recent Presidential Executive Order aimed at strengthening cybersecurity, the U.S. government has designated financial services infrastructure as critical to national and economic security (see here). Nevertheless, numerous challenges—ranging from the availability of reliable data to the ever-changing nature of the attacks themselves—make the goal of safeguarding financial ICT networks very difficult. To be effective, cybersecurity efforts require mechanisms for preventing successful attacks, limiting their impact, and promoting quick, reliable recovery. Reducing vulnerability and contagion while boosting cyberresilience is a very tall order….

Read More
Operational Risk and Financial Stability

Recent disasters—both natural and man-made—prompt us to reflect on the relationship between operational risk and financial stability. Severe weather in sensitive locations, such as Hurricane Irma in Florida, raises questions about the resilience of the financial infrastructure. The extraordinary breach at Equifax highlights the public goods aspect of data protection, with potential implications for the availability of household credit.

At this stage, it’s important to pose the right questions about these operational shocks and, over time, to draw the right lessons. We expect that systemic financial intermediaries’ risk managers, members of their boards, their regulators, and their ultimate legislative overseers are currently in the midst of an intensive review of exposures (and that of the financial system as a whole) to these risks.

So, what is operational risk (OR)? The Basel Committee for Banking Supervision (BCBS) defines OR as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”....

Read More