2023 State‑of‑the‑Field Conference on Cyber Risk to Financial Stability

Nitansha Bansal, Jason Healey, Anna Kovner, Michael Lee, Patricia Mosser, and Virpratap Vikram Singh

The Federal Reserve Bank of New York and Columbia University’s School of International and Public Affairs (SIPA) co-organized the fourth annual State-of-the-Field Conferences on Cyber Risk to Financial Stability, on April 14, 2023.  The conference builds on joint activity by the New York Fed and SIPA since 2017. Each year, the conference convenes panels to confront the same three questions: What are we learning about cyber risk to financial stability? What are we doing to improve resilience and stability? And what’s next? This blog post reviews some of these conversations from the 2023 conference.

Can Deglobalization Threaten Financial Stability?

Jason Healey, Senior Research Scholar in the Faculty of International and Public Affairs, and Anna Kovner, Director of Financial Stability Policy Research at the New York Fed, opened the conference. Neal Pollard, Partner, Ernst & Young and Adjunct Professor at Columbia University’s School of International and Public Affairs, delivered additional opening remarks.

A central theme of the conference concerned the effects of deglobalization on cyber risks and financial stability, ongoing public- and private-sector efforts to identify cyber risk and build resiliency, and possible next steps that the cybersecurity and financial sectors can take in managing and mitigating cyber threats.

What Are We Learning?

In the first panel, moderated by Anna Kovner, participants discussed ongoing research on financial stability considerations arising from cyber risk.

Antonis Kotidis (Economist at the Federal Reserve Board) drew lessons from an attack on a technology service provider that serves a broad set of financial firms. The paper quantified the impact of the efforts taken to mitigate the attack, finding that official and private sector responses, bank liquidity buffers, and support from the Federal Reserve Bank help to diminish financial instability risks from cyber attacks.

Michael Lee (Financial Research Economist at the New York Fed) shared insights into the correlated nature of cyber and financial risks. The study found that a cyber attack that occurs during a period of financial stress could significantly increase the potential for systemic disruption. Lee highlighted how liquidity interventions mitigated potential cyber spillovers in March 2020, and emphasized the need to take into account interactions between cyber risk and financial conditions in cyber contingency planning for times of heightened economic and financial uncertainty.

Joe Lyons (Senior Director, Signals & Ratings Research at BitSight) emphasized the importance of integrating cyber risks into credit decisions. He explained that cyber risk has become a central part of enterprise risk, but noted that modeling losses from cyber incidents is challenging due to a lack of comprehensive data on the nature of these losses.

Finally, Neal Pollard (Partner at Ernst & Young) shared insights from the 12th Annual EY-IIF Bank Risk Management Survey. The survey found that the banking industry is focused on boosting defensive capabilities against cyber risks.

What Are We Doing?

In the second panel, moderated by Greg Rattray (co-founder of Next Peak), experts discussed ongoing efforts to address cyber risks to financial stability. The panel’s participants included Todd Sullivan (Chief Risk Officer for Financial Services Sector at Analysis and Resilience Center), James Wiener (Vice Chairman at Oliver Wyman), and Katheryn Rosen (Managing Director, Global Head, Regional Information Security and Supervisory Engagement at JPMorgan Chase & Co.).

One of the biggest challenges highlighted during the discussion was the distinction between individual firms’ cyber risk and systemic cyber risk. The panelists emphasized that while individual firms can adopt measures to safeguard themselves from cyber attacks, systemic cyber risk poses a threat to the entire financial system. The industry and official sectors are working to develop resiliency solutions that can effectively mitigate risks that are beyond the scope of individual firms.  

Also discussed were challenges to private-public sector collaboration efforts, including the lack of clearances for industry experts to collaborate with government agencies. Panelists acknowledged that the Treasury’s collaboration with intelligence communities has improved, particularly since the Russia–Ukraine war, and emphasized the importance of effective information sharing. Panelists were also attentive to regulatory gaps in the cyber risk space. They argued that regulations have the potential to function as both dampeners and amplifiers, depending on their design and cohesiveness.

Regulation, Resilience, and National Cyber Strategy

A fireside chat moderated by Katheryn Rosen (Managing Director, Global Head, Regional Information Security and Supervisory Engagement at JPMorgan Chase & Co.) featured Dmitri Alperovitch (Co-Founder and Chairman of Silverado Policy Accelerator) and Harry Krejsa (Deputy Assistant National Cyber Director of the Executive Office of the President). Panelists discussed the importance of resilience and cyber regulation, and the impact of geopolitics on emerging technologies and national cyber strategy.

Speakers described how geopolitical factors had impacted the national cyber strategy and the need for a systemic approach to deal with cyber risks. The financial sector leads efforts to strengthen its cyber stance through public-private collaboration, and speakers noted the need for other critical infrastructure sectors to advance cyber resilience. The importance of raising costs for attackers and encouraging companies to do the right thing was also raised.

What’s Next?

In the final panel, moderated by Jason Healey, discussants considered how their proposed policies and solutions could change given the outlook for the coming year, in light of emerging technologies and associated cyber risks. The panelists—Chris Giancarlo (Founder of the Digital Dollar Foundation and former CFTC Chairman); Danny Brando (Cybersecurity Policy Program Director, Supervision Group at the New York Fed); Steven Silberstein (CEO of Financial Services Information Sharing and Analysis Center); and Naveen Zaidi (former principal, U.S. Regulatory Strategy at AWS)—offered a diverse set of perspectives on the risks and opportunities ahead. 

One panelist looked to future technological innovations that could strengthen resilience, particularly with regard to the architecture of the financial system. Others suggested that while there is currently a strong disincentive for policymakers to disrupt the global economy, this may change in the future due to decoupling of countries or deglobalization. Many agreed that it was important for financial institutions to focus on daily cyber hygiene and to be prepared for the potential risks posed by emerging technologies such as artificial intelligence.

Fintech and future technology risks were also discussed, including the need to be quantum-ready and crypto-agile. Panelists discussed fintech regulatory solutions and the Treasury Report, which identified cloud computing as a key area of concern, highlighting that information from cloud service providers was insufficient to meet regulatory standards.

Overall, the experts agreed that the architecture of finance is changing, and financial institutions must be prepared to adapt to the new era of finance. They stressed the importance of internal defense, daily cyber hygiene, and resilience in the face of disruption. As the rise of central bank digital currencies and digital currency continues, it is increasingly important for financial institutions and regulators to work together to address the potential risks and challenges posed by these emerging technologies.

In her closing remarks, Anna Kovner observed that the financial services industry is currently grappling with the challenge of meeting the demands for intermediation services while also ensuring the necessary level of security and resilience.

Nitansha Bansal is a cybersecurity consultant.

Jason Healey is a senior research scholar at Columbia University’s School for International and Public Affairs specializing in cyber conflict, competition, and cooperation.

Patricia C. Mosser is director of the MPA Program in Economic Policy Management at Columbia University’s School of International and Public Affairs and leads the school’s Initiative on Central Banking and Financial Policy.

Virpratap Vikram Singh is the research and program coordinator for the Cyber Program at Columbia University’s School of International and Public Affairs.

How to cite this post:
Nitansha Bansal, Jason Healey, Anna Kovner, Michael Lee, Patricia Mosser, and Virpratap Vikram Singh, “2023 State‑of‑the‑Field Conference on Cyber Risk to Financial Stability,” Federal Reserve Bank of New York Liberty Street Economics, June 16, 2023, https://libertystreeteconomics.newyorkfed.org/2023/06/2023-state-of-the-field-conference-on-cyber-risk-to-financial-stability/.