Cyber Risk as Systemic Risk

By Jon Danielsson, Director of the ESRC-funded Systemic Risk Centre, London School of Economics, Morgane Fouché, Researcher at the Systemic Risk Centre, London School of Economics, and Robert Macrae, CFA.

The threat to the financial system posed by cyber risk is often claimed to be systemic. This column argues against this, pointing out that almost all cyber risk is microprudential. For a cyber attack to lead to a systemic crisis, it would need to be timed impeccably to coincide with other non-cyber events that undermine confidence in the financial system and the authorities. The only actors with enough resources to affect such an event are large sovereign states, and they could likely create the required uncertainty through simpler, financial means.

Various public and private authorities have come to see cyber risk — risk emanating from computer systems and computer networks — as a significant channel for systemic risk. Recent examples include the Bank of Canada (2014), the BIS (2014), the Bank of England (2015) and the SEC (Ackerman 2016).

Cyber risk is certainly a real and growing threat to the well-being of financial institutions, with most months bringing news of a major systems failure, hack, or outright theft, like the recent $81 million theft from the Bangladeshi Central Bank. While obviously a microprudential issue, is it really a systemic concern?

As the argument goes, yes, because the increasing threat of failure of critically important computer systems threatens the internal operations of financial institutions and the plumbing of the system. Since everybody is interconnected, if systems fail the consequence is a loss of confidence, disappearance of liquidity, and hence ultimately a systemic crisis.

We disagree. While one can certainly envision a cyber event so severe that it would cause a systemic crisis under the right circumstances, in normal times it is highly unlikely, almost no matter what the severity of the cyber event.

Financial Systemic Risk

Systemic risk is generally seen as the potential for a major financial crisis adversely affecting the real economy, as defined by the IMF-BIS-FSB in 2009. Addressing such systemic risk – macroprudential policy – is one of the three planks of government financial policy, the others being monetary policy and microprudential policy – the protection of bank clients.

Systemic crises do not happen frequently. By studying the IMF-WB crisis database (Laeven and Valencia 2012), we find they happen once every 42 years for OECD members. If anything, that is an overestimate, as the database includes relatively non-extreme events, like October 1987 and August/September 1998.

The fundamental cause of financial systemic risk is excessive risk-taking by financial institutions, where perhaps the best indicator of a future crisis is large credit growth, as shown by Taylor and Schularick (2009). This is especially dangerous when the resulting risk is undetected or ignored by the powers that be, creating the potential for an abrupt fall in confidence as discussed here on Vox by Danielsson and Zigrand (2015).

The Root Cause of Systemic Crises Is Risk-Taking Behaviour of Economic Agents

In turn, the behaviour of these economic agents is directly motivated by confidence. It is a fundamental element of financial markets because we only participate willingly in the markets if we believe the financial system will continue to function in the same way as we have always seen it function. In particular, we need to have faith in what is often called the plumbing of the financial system, such as the payment system and the ability to trade and clear financial assets.

Conversely, the disappearance of confidence is a strong and often early indication of crisis. We have to believe that the financial edifice is at real risk of collapsing for a crisis to really turn systemic. The best example of this is 1914, where the assassination of the Archduke Ferdinand triggered a systemic crisis in global financial markets long before the actual war broke out. It was the anticipation of a war and failure of cross-border payments that was the main trigger of the crisis (Danielsson 2013).

Timing Matters

When it comes to identifying the origins of cyber risk as systemic risk, it is important to distinguish between a trigger and a root cause, where in general triggers are irrelevant for policy purposes, since there are a very large number of potential triggers, unless both the timing is fortuitous and no other triggers exist.

We do not see how cyber risk could be the root cause of a systemic crisis because there is no direct connection between the failure of computer systems, no matter how severe, and the behaviour of those economic agents which ultimately culminates in a systemic crisis.

A cyber event could act as a trigger provided the timing is just right. An exogenous crisis event, like a cyber attack, that results in a fall in confidence and liquidity would not be systemic provided the levels of excessive risk-taking had not already reached a tipping point. If they have not, we can expect to recover on a timescale that makes real-world impact moderate, as in October 1987, LTCM in 1998 and the 2010 flash crash.

Consider a potential disaster scenario – the total failure of a country’s ATM system, or even the payment system, for a few days. Would that be systemic?

Well, it depends. If it happened today, it is highly unlikely because people would recognise that the disruption was temporary, and the end result would only be a frustrating and costly temporary disruption. The failure would not trigger a crisis provided that people believed the authorities would react appropriately.

However, if the failure had happened on 1 October 2008, things could have been different. At that time, people everywhere were converting bank balances into cash in response to the Global Crisis and both the Eurozone and the UK were not too far away from running out of cash, perhaps only hours. Any disruption to the delivery of cash could have drained confidence, potentially turning existing problems into a systemic event.

The crucial role of timing means that any attacker must either be able to create a heightened state of financial market vulnerability, be very lucky, or else both be capable of maintaining her attack vectors in place for years or decades and be sufficiently patient to wait.

The Origins of Cyber Risk

There are four broad origins of cyber risk: technical computer system failures, theft, hacktivists and terrorists, and state actors.

Systems failures and theft can be expected at any time, and have a very large microprudential impact. However, since the timing and victims are likely to be idiosyncratic, it is practically impossible for them to act as a trigger for a systemic crisis and they certainly cannot be a root cause.

Hacktivists and terrorists could subvert IT systems to promote a political agenda, possibly with multiple targets and as part of a broader strategy of disruption. They are very unlikely to have systemic consequences because they would have to combine the attack with other forms of aggression, and can at best trigger a systemic crisis provided the timing is absolutely right.

The only actors with sufficient resources to cause a systemic crisis are the largest sovereign states. They can spend years developing and deploying attacks, keeping them hidden until they attack multiple IT systems in a coordinated fashion. However, even in this case, a cyber attack would not be sufficient unless it was on a colossal scale, involving multiple computer systems and their backup mechanisms.

For a state actor with the necessary resources, however, it might be just as easy to manufacture the necessary uncertainty through financial means by, for example, making credible threats to world trade, the sequestration of foreign assets, or by the repudiation of international liabilities. If carried out on a sufficiently large scale, in our highly connected world these could easily lead to a repeat of the experiences of 1914. All these attacks require is enough international connectedness to allow trust in domestic institutions to be destroyed by a foreign actor.

While financial warfare of this type would presumably be accompanied by a cyber attack, it is not clear that the cyber element would really be necessary, and even then it would likely only play a secondary role.

Conclusion

While systemic risk is frequently invoked as a key reason to be on guard for cyber risk, such a connection is quite tenuous. A cyber event might in extreme cases result in a systemic crisis, but to do so needs highly fortuitous timing.

From the point of view of policymaking, rather than simply asserting systemic consequences for cyber risks, it would be better if the cyber discussion were better integrated into the existing macroprudential dialogue. To us, the overall discussion of cyber and systemic risk seems to be too focused on IT considerations and not enough on economic consequences.

After all, if there are systemic consequences from cyber risk, the chain of causality will be found in the macroprudential domain.

References

Ackerman, A (2016) “Cyberattacks Represent Top Risk, SEC Chief Says”, The Wall Street Journal, 8 May.  

Bank of England (2015) Financial Policy Report, July.

Bank of Canada (2014) “Cyber security: Protecting the resilience of Canada’s financial system”, Financial System Review, December.

BIS (2014) “Cyber resilience in financial market infrastructures”, BIS Committee on Payments and Market Infrastructure, November.

Danielsson, Jon (2013) Global financial systems, Pearson.

Danielsson, J and J P Zigrand (2015) “”, VoxEU.org, 7 August.

International Monetary Fund, Bank for International Settlements and Financial Stability Board (2009) “Report to G20 finance ministers and governors. Guidance to assess the systemic importance of financial institutions, markets and instruments: Initial considerations”, Technical report.

Laeven, L and F Valencia (2012) “Systemic banking crises database: An update”, IMF Working Paper.

Taylor, A and M Schularick (2009) “”, VoxEU.org, 8 December.


11 comments

  1. Howard Beale IV

    I concur with this analysis. Even with creaky old systems that may be hard to maintain (and with retirements of the creators), most financial systems (at least in the retail/commercial space) practice defense-in-depth when it comes to the external-facing side of their systems. Internal attacks by disgruntled employees are a much bigger risk as the bad actor can slip in code that can bypass normal security checks, which, once it gets installed, can remain undetected for years until such time that a security rule changes that may expose the bypass.

  2. Synoia

    What is the meaning of “microprudential?”

    It has the appearance of fabricated jargon, designed to confuse and avoid critical questioning.

    1. Watt4Bob

      Micro prudential policies as concerns cyber security are those policies and practices aimed at securing individual organizations from cyber threats, as opposed to macro prudential policies which would be policies/practices that protect the web as a whole, or maybe the web as it exists within a nation’s borders.

      I’d say all efforts at micro-prudential security are being continually thwarted by our government’s security services’ behavior that has been degrading the security of the web at the macro level for some time now to enable its ability to surveil the whole world.

      When the NSA bullies IT manufacturers into degrading encryption and building back-doors into every chip on the planet, all efforts at micro-prudential security should be considered provisional at best.

  3. Synoia

    If there is systemic risk, it will take the form of action taken by humans in the face of “loss of confidence,” which is just another way of saying “fear of loss.”

    Probably the consequence is capital flight, either by moving deposits to a trusted bank or country, or a sudden large sale of some form of securities.

    The question is what cyber incident would cause such a fear of loss, and that probably requires a set of currently unknown, or casually dismissed conditions, and a currently undefined event.

    What we have here is another discussion of an undefined set of circumstances in a chaotic system, written by some dunderhead who has no understanding of Chaos Theory, and its strong mathematical foundation.

    1. Watt4Bob

      The failure would not trigger a crisis provided that people believed the authorities would react appropriately.

      Well, that puts my mind to rest, enough said.

  4. craazyman

    what about the risk computers get so complicated nobody knows how to use them anymore?

    that happens all the time where i work. the computer doesn’t work and nobody knows why. Even the IT guys, they sit down for 5 or 10 minutes and mess around, clicking all around. Once I had an Excel file. I’d click on the file icon and it wouldn’t open. Every week something like that happens, something that never happened before. It’s like the computer likes to find new ways to fkk with yyou.

    Then the IT guy gets up and shrugs, “I don’t know. That’s strange.” they say.

    usually you reboot the computer and sometimes that fixes it. But nobody knows why it went wrong in the first place.

    I think all of this could get so complicated that eventually nothing works at all. Even a cyberattack wouldn’t work. The computers would be too complicated to even be able to tell they were being attacked. They just wouldn’t work. Even the attackers would be frustrated. Their IT guys would be sitting there for 10 or 20 minutes, while the attackers — whether they were from a govermint somewhere or just like the dudes in a James Bond movie — themselves were furious, and then their IT guys would say “I don’t know. That’s strange.”

    That seems to me the real cyber risk. The risk that the entire system collapses from the burden of an oppressive, unrelenting black hole of total confusion,

    1. craazyboy

      The real risk is if a hacker hacks into a nuclear power plant in New Yawk and turns the cooling system off and then Wall Street has 3 days to contemplate if $1 x 10^15 derivatives are any good until the nuke plant melts down.

      Other than that, hard to imagine what the problems could be.

      1. craazyman

        If you raise 1 to the 10^15 power it’s still 1. :-)

        Thank God it isn’t 2. :-0

        You had me worried there for a second!

        Maybe somebody could run down to the 7-11 and get lots of bags of ice. Sometimes they have a whole freezer section full of them.

        (Just kidding, I know 10^15 when I see it.)

        1. craazyboy

          I was gonna type out 15 zeros, but then I got lazy.

          Lots of Indian programmers at the 7-11. I’m sure they’d be happy to carry the ice out to the car.

  5. Knute Rife

    But declaring cyber risks systemic is so useful. It allows you to declare anyone conducting computer activity you don’t like a terrorist.
