Understanding Cyber Risk: Lessons from a Recent Fed Workshop
Cyber risk poses a major threat to financial stability, yet financial institutions still lack consensus on the definition of and terminology around cyber risk and have no common framework for confronting these hazards. This impedes efforts to measure and manage such risk, diminishing institutions’ individual and collective readiness to handle system-level cyber threats. In this blog post, we describe the proceedings of a recent workshop where leading risk managers, academics, and policy makers gathered to discuss proposals for countering cyber risk. This workshop is part of a joint two-phase initiative run by the Federal Reserve Banks of Richmond and New York and the Fed’s Board of Governors to harmonize cyber risk identification, classification, and measurement practices.
Cyber Risk and Financial Stability
In the keynote address, Patricia Mosser of Columbia University presented her recent work on how cyber events can interact with other financial risks to cause systemic crises and thereby threaten the resiliency and stability of the financial system. To bridge the gap between cyber risk and financial stability, she introduced a general framework to better understand how cyber events at financial institutions can have destabilizing consequences. These effects may arise through interconnectedness and the financial system’s reliance on a few key hubs—electronic trading platforms, exchanges, and clearing houses—that perform crucial functions and provide services for the entire financial industry. Viable workarounds might be hard to find should an incident significantly affect these systems or institutions. Cyber attacks might also result in data integrity concerns, potentially triggering a loss of confidence with systemic consequences. In her concluding remarks, Mosser emphasized the importance of data collection and quantification efforts to further understand and assess the effects of cyber risk.
Identifying and Classifying Cyber Risk
In the first of three panels, Steve Bishop (ORX), Deborah Bodeau (The MITRE Corporation), Todd Waszkelewicz (Federal Reserve Bank of New York), and Dawn Rieth (PNC) discussed the identification and classification of cyber risk. There was consensus among panel participants that the existing frameworks and methodologies—in particular, the Basel operational risk classification—were not designed to address cyber threats, which therefore pose significant challenges. In addition, financial firms’ risk management frameworks have traditionally focused on direct financial losses as triggers for the identification of cyber events. However, cyber attacks that do not result in direct financial losses may still lead to significant clean-up and reputation costs for the institutions involved. Some participants also noted that IT and risk management teams are not well integrated and do not communicate easily with each other when it comes to cyber risk, creating barriers within individual institutions. Finally, to foster a better understanding of cyber risk, the panelists suggested developing the taxonomy further, standardizing the classification, and improving the recording and benchmarking of data.
Measuring Cyber Risk
In the second panel, Gilles Hilary (Georgetown University), Patrick Naim (Elseware), Denyette DePierro (ABA), Phil Collet (American Express), and John DeLong (Morgan Stanley) discussed the impact and measurement of cyber risk. The discussion highlighted the variety of approaches currently used, with most frameworks using quantitatively driven scenarios to estimate cyber risk exposure. Typically, subject matter experts first assess the parameters associated with various cyber attack scenarios, including the frequency of attacks, the likelihood of a successful attack, and the impact of such a breach. These scenarios are then quantified through statistical frameworks.
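To make the scenario-based approach described above concrete, the following is an added worked example (written for this post's discussion, not code from the workshop, the panelists, or the Federal Reserve). It takes the three expert-assessed parameters the paragraph names (attempt frequency, probability that an attempt succeeds, and impact of a breach), models each scenario as a compound Poisson process with log-normal losses, and quantifies annual exposure by Monte Carlo simulation. The two scenarios and every parameter value are constructed for illustration only.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Expert-assessed parameters for one cyber attack scenario.

    Every value passed to this class below is constructed for illustration;
    none of it is data from the post or the workshop.
    """
    name: str
    attempts_per_year: float  # expected number of attack attempts (Poisson mean)
    p_success: float          # probability that a single attempt becomes a breach
    impact_median: float      # median loss per successful breach, in USD
    impact_sigma: float       # log-standard-deviation of the per-breach loss


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson count with Knuth's product-of-uniforms method (fine for small means)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def sample_annual_loss(scenario: Scenario, rng: random.Random) -> float:
    """One simulated year: attempts -> successful breaches -> log-normal losses, summed."""
    total = 0.0
    for _ in range(sample_poisson(rng, scenario.attempts_per_year)):
        if rng.random() < scenario.p_success:
            total += rng.lognormvariate(math.log(scenario.impact_median), scenario.impact_sigma)
    return total


def analytic_expected_loss(scenario: Scenario) -> float:
    """Closed-form expected annual loss: attempt rate x success probability x mean impact.

    The mean of a log-normal with median m and dispersion sigma is m * exp(sigma^2 / 2).
    """
    mean_impact = scenario.impact_median * math.exp(scenario.impact_sigma ** 2 / 2)
    return scenario.attempts_per_year * scenario.p_success * mean_impact


def quantile(sorted_values: list, q: float) -> float:
    """Empirical quantile of an ascending-sorted sample (nearest-rank, no interpolation)."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate(scenarios: list, trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo aggregate of all scenarios: expected annual loss, tail quantiles,
    and the probability that the institution suffers any loss in a year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = sorted(sum(sample_annual_loss(s, rng) for s in scenarios) for _ in range(trials))
    return {
        "expected_annual_loss": sum(losses) / trials,
        "p95": quantile(losses, 0.95),
        "p99": quantile(losses, 0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


# Constructed scenario set: a frequent, low-impact threat and a rare, high-impact one.
SCENARIOS = [
    Scenario("phishing-led account takeover", 12.0, 0.05, 200_000.0, 1.0),
    Scenario("ransomware on a core platform", 0.5, 0.2, 5_000_000.0, 1.0),
]

if __name__ == "__main__":
    result = simulate(SCENARIOS)
    for s in SCENARIOS:
        print(f"{s.name}: analytic expected loss ${analytic_expected_loss(s):,.0f}/yr")
    print(f"simulated expected annual loss: ${result['expected_annual_loss']:,.0f}")
    print(f"95th / 99th percentile annual loss: ${result['p95']:,.0f} / ${result['p99']:,.0f}")
    print(f"probability of any loss in a year: {result['prob_any_loss']:.2f}")
```

The analytic expected loss is the sanity check a risk manager would run against the simulation; the tail quantiles are what the simulation adds, since a compound distribution with rare, large breaches has a median of zero but a 99th percentile far above its mean. Changing the parameters of a scenario is the mechanism by which a standardized scenario set could be applied to institutions of different size and exposure.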
One proposal called for financial institutions to each conduct a standardized scenario analysis, then share the (anonymized) results with one another. The panelists had different views on whether a report aggregating those results would yield insights for the participating institutions. On the one hand, panelists agreed that it would be helpful to link a set of observable factors—such as IT applications, third-party vendors, and number of customers—to cyber risk exposure. On the other hand, designing a set of standardized scenarios that are applicable in a consistent way to the entire industry would be a challenging task. An additional impediment is the variety of analytical frameworks that banks use and the potential lack of comparability of outputs across such frameworks. Some panelists also expressed the concern that if regulatory agencies were to collect cyber loss data and design the scenarios, such information could later be used for unrelated supervisory purposes.
The Role of the Federal Reserve System
The third panel spoke to the role of the Federal Reserve System in the cyber risk space. Panelists René Stulz (Ohio State University), Todd Vermilyea (Board of Governors), Keith Gordon (Ally), and Nida Davis (Board of Governors) agreed that the Fed should play a role in mitigating the systemic consequences of cyber risk. Participants pointed out the Fed’s advantages in being able to provide a horizontal perspective and identify best practices; they also highlighted the need for consistency and close collaboration between the private and public sector, both domestically and internationally. Others also noted the current lack of talent in cyber risk, and suggested collaborations with academic institutions to enlarge the pool of talent available to both private companies and government agencies.
Cyber risk and cyber risk resilience are top priorities of the Federal Reserve System, as pointed out by Vice Chair for Supervision Randal K. Quarles in a speech at the Insurance Information Institute’s 2019 Joint Industry Forum. To build on the steps laid out during the workshop, the organizers will prepare a white paper summarizing the proposals and discussions of the workshop. Further discussions on these proposals will occur at a workshop to follow later this year. The Federal Reserve will continue to evaluate cyber risk issues and propose additional initiatives to better measure and assess cyber risk exposure, and enhance the overall robustness and resilience of the financial system.
The views expressed in this post are those of the authors and do not necessarily reflect the position of the Federal Reserve Bank of New York or the Federal Reserve System. Any errors or omissions are the responsibility of the authors.
Gara Afonso is an assistant vice president in the Federal Reserve Bank of New York’s Research and Statistics Group.
Filippo Curti is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.
Ping McLemore is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.
Atanas Mihov is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.
How to cite this blog post:
Gara Afonso, Filippo Curti, Ping McLemore, and Atanas Mihov, “Understanding Cyber Risk: Lessons from a Recent Fed Workshop,” Federal Reserve Bank of New York Liberty Street Economics (blog), May 17, 2019, https://libertystreeteconomics.newyorkfed.org/2019/05/-understanding-cyber-risk-lessons-from-a-recent-fed-workshop.html.