N.Y. Fed Warns of Consequences for Entire Financial System
A cyberattack targeting one of the largest banks in the U.S. that stops the processing of payments likely would have a major ripple effect throughout the financial system, according to a new report from the Federal Reserve Bank of New York.
The study, Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, looks at how a cyberattack could disrupt the entire U.S. financial system if banks lost the ability to process payments among themselves. Under this scenario, nearly a third of all the country’s assets would be affected, according to the researchers.
If banks respond to this type of cyber incident by hoarding money and assets, the potential impact in forgone payments could reach 2.5 times the daily gross domestic product of the U.S., according to the report.
“We estimate that the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average,” according to the analysis written by researchers Thomas Eisenbach, Anna Kovner and Michael Junho Lee of the New York Fed.
For hackers looking to inflict the largest possible damage to the financial system and broader economy, the wholesale payment network may be a natural candidate, the study notes.
The study by the New York Fed uses data on payment activity in Fedwire Funds, an electronic funds transfer service, which represents the majority of wholesale payments in the U.S.
Cyberattacks are a major concern for U.S. financial firms because banks and other financial institutions experience up to 300 times more cyber incidents in a year than organizations in other sectors, according to a separate report by the Boston Consulting Group, which is cited in the New York Fed report.
The impact of a cyberattack would increase if the banks strategically responded by not sending out payments and hoarding their money and assets, which the study says is likely. This would lead to a ripple effect because other financial institutions would not receive payments from the bank that was attacked and could fall short on their money reserves, the study shows.
The average effect on the system, as well as the maximal risk to other financial firms, would be amplified under these circumstances, the study notes.
One of the cyberattack scenarios that the researchers considered assumes that the targeted institution can receive payments but is unable to send payments to other banks for one full day. The affected banks would then soak up cash and act as what the researchers call a “liquidity black hole” by stockpiling payments but not sending them out, the study reports.
This could have an effect on other banks that fail to receive large quantities of payments from the institution targeted in the cyberattack, the report notes. If any of the five most active U.S. banks, which account for 50 percent of the country’s total payments, stopped making payments to other banks, then 6 percent of institutions would exhaust their end-of-day reserves, the study finds.
Disruption a Priority
Disruption could be higher in some parts of the U.S. because several counties have a larger concentration of the most active banks, the report notes.
The severity of the crisis also depends on how well planned the cyberattack is, whether the attackers have detailed information about the U.S. payment system and specific banks, and how a targeted financial institution is aligned with the overall financial network, according to the report.
“A defining feature of cyber risk is that attacks may be targeted, with the intent to achieve maximum disruption rather than financial gain,” the report notes.
A hacker with specific knowledge of a targeted institution could devise an attack on a particular day that could cause a greater level of financial disruption. The study notes that “on average, attacking on the worst date for a particular large institution adds an additional 25 percent in impairment relative to the case of no specific knowledge.”
Attacks on Smaller Banks
The study also looked at how a cyberattack on a subset of small or midsized banks might affect one of the top five banks. Smaller banks have fewer resources to defend against a sophisticated cyberattack and are easier to infiltrate, according to the report.
The study found that a cyberattack on six small banks or an attack on only one mid-sized bank could have a significant effect on one of the country’s larger banks.
Earlier this month, two members of the U.S. House Financial Services Committee acknowledged the potential Iranian threat to the country’s financial infrastructure in the wake of a U.S. drone attack that killed Iranian Major General Soleimani on Jan. 3. Democratic representatives Emanuel Cleaver II, D-Mo., and Gregory Meeks, D-N.Y., urged federal regulatory agencies to strengthen cyber protections in case of an Iranian-led cyberattack (see: Congressmen Call for Enhanced Financial Sector Security).