Understanding Cyber Risk: Lessons from a Recent Fed Workshop - Liberty Street Economics

May 17, 2019

Understanding Cyber Risk: Lessons from a Recent Fed Workshop




Cyber risk poses a major threat to financial stability, yet financial institutions still lack consensus on the definition of and terminology around cyber risk and have no common framework for confronting these hazards. This impedes efforts to measure and manage such risk, diminishing institutions’ individual and collective readiness to handle system-level cyber threats. In this blog post, we describe the proceedings of a recent workshop where leading risk managers, academics, and policy makers gathered to discuss proposals for countering cyber risk. This workshop is part of a joint two-phase initiative run by the Federal Reserve Banks of Richmond and New York and the Fed’s Board of Governors to harmonize cyber risk identification, classification, and measurement practices.

Cyber Risk and Financial Stability
In the keynote address, Patricia Mosser of Columbia University presented her recent work on how cyber events can interact with other financial risks to cause systemic crises and thereby threaten the resiliency and stability of the financial system. To bridge the gap between cyber risk and financial stability, she introduced a general framework to better understand how cyber events at financial institutions can have destabilizing consequences. These effects may arise through interconnectedness and the financial system’s reliance on a few key hubs—electronic trading platforms, exchanges, and clearing houses—that perform crucial functions and provide services for the entire financial industry. Viable workarounds might be hard to find should an incident significantly affect these systems or institutions. Cyber attacks might also result in data integrity concerns, potentially triggering a loss of confidence with systemic consequences. In her concluding remarks, Mosser emphasized the importance of data collection and quantification efforts to further understand and assess the effects of cyber risk.

Identifying and Classifying Cyber Risk
In the first of three panels, Steve Bishop (ORX), Deborah Bodeau (The MITRE Corporation), Todd Waszkelewicz (Federal Reserve Bank of New York), and Dawn Rieth (PNC) discussed the identification and classification of cyber risk. There was consensus among panel participants that the existing frameworks and methodologies—in particular, the Basel operational risk classification—were not designed to address cyber risk threats, which pose significant challenges. In addition, financial firms’ risk management frameworks have traditionally focused on direct financial losses as triggers for the identification of cyber events. However, cyber attacks that do not result in direct financial losses may still lead to significant clean-up and reputation costs for the institutions involved. Some participants also noted that IT and risk management teams are not well integrated and do not communicate easily with each other when it comes to cyber risk, creating barriers within individual institutions. Finally, to foster a better understanding of cyber risk, the panelists suggested developing the taxonomy further, standardizing the classification, and improving the recording and benchmarking of data.

Measuring Cyber Risk
In the second panel, Gilles Hilary (Georgetown University), Patrick Naim (Elseware), Denyette DePierro (ABA), Phil Collet (American Express), and John DeLong (Morgan Stanley) discussed the impact and measurement of cyber risk. The discussion highlighted the variety of approaches currently used, with most frameworks using quantitatively driven scenarios to estimate cyber risk exposure. Typically, subject matter experts first assess the parameters associated with various cyber attack scenarios, including the frequency of attacks, the likelihood of a successful attack, and the impact of such a breach. These scenarios are then quantified through statistical frameworks.

One proposal called for financial institutions to each conduct a standardized scenario analysis, then share the (anonymized) results with one another. The panelists had different views on whether a report aggregating those results would yield insights for the participating institutions. On the one hand, panelists agreed that it would be helpful to link a set of observable factors—such as IT applications, third-party vendors, and number of customers—to cyber risk exposure. On the other hand, designing a set of standardized scenarios that are applicable in a consistent way to the entire industry would be a challenging task. An additional impediment is the variety of analytical frameworks that banks use and the potential lack of comparability of outputs across such frameworks. Some panelists also expressed the concern that if regulatory agencies were to collect cyber loss data and design the scenarios, such information could later be used for unrelated supervisory purposes.

The Role of the Federal Reserve System
The third panel spoke to the role of the Federal Reserve System in the cyber risk space. Panelists René Stulz (Ohio State University), Todd Vermilyea (Board of Governors), Keith Gordon (Ally), and Nida Davis (Board of Governors) agreed that the Fed should play a role in mitigating the systemic consequences of cyber risk. Participants pointed out the Fed’s advantages in being able to provide a horizontal perspective and identify best practices; they also highlighted the need for consistency and close collaboration between the private and public sector, both domestically and internationally. Others also noted the current lack of talent in cyber risk, and suggested collaborations with academic institutions to enlarge the pool of talent available to both private companies and government agencies.

Next Steps
Cyber risk and cyber risk resilience are top priorities of the Federal Reserve System, as pointed out by Vice Chair for Supervision Randal K. Quarles in a speech at the Insurance Information Institute’s 2019 Joint Industry Forum. To build on the steps laid out during the workshop, the organizers will prepare a white paper summarizing the proposals and discussions of the workshop. Further discussions on these proposals will occur at a workshop to follow later this year. The Federal Reserve will continue to evaluate cyber risk issues and propose additional initiatives to better measure and assess cyber risk exposure, and enhance the overall robustness and resilience of the financial system.


Disclaimer
The views expressed in this post are those of the authors and do not necessarily reflect the position of the Federal Reserve Bank of New York or the Federal Reserve System. Any errors or omissions are the responsibility of the authors.





Gara Afonso is an assistant vice president in the Federal Reserve Bank of New York’s Research and Statistics Group.

Filippo Curti is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.

Ping McLemore is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.

Atanas Mihov is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.


How to cite this blog post:
Gara Afonso, Filippo Curti, Ping McLemore, and Atanas Mihov, “Understanding Cyber Risk: Lessons from a Recent Fed Workshop,” Federal Reserve Bank of New York Liberty Street Economics (blog), May 17, 2019, https://libertystreeteconomics.newyorkfed.org/2019/05/-understanding-cyber-risk-lessons-from-a-recent-fed-workshop.html.
Posted by Blog Author at 07:00:00 AM in Banks, Central Bank, Federal Reserve, Systemic Risk