Liberty Street Economics

May 17, 2019

Understanding Cyber Risk: Lessons from a Recent Fed Workshop

Cyber risk poses a major threat to financial stability, yet financial institutions still lack consensus on the definition of and terminology around cyber risk and have no common framework for confronting these hazards. This impedes efforts to measure and manage such risk, diminishing institutions’ individual and collective readiness to handle system-level cyber threats. In this blog post, we describe the proceedings of a recent workshop where leading risk managers, academics, and policy makers gathered to discuss proposals for countering cyber risk. This workshop is part of a joint two-phase initiative run by the Federal Reserve Banks of Richmond and New York and the Fed’s Board of Governors to harmonize cyber risk identification, classification, and measurement practices.

Cyber Risk and Financial Stability

In the keynote address, Patricia Mosser of Columbia University presented her recent work on how cyber events can interact with other financial risks to cause systemic crises and thereby threaten the resiliency and stability of the financial system. To bridge the gap between cyber risk and financial stability, she introduced a general framework to better understand how cyber events at financial institutions can have destabilizing consequences. These effects may arise through interconnectedness and the financial system’s reliance on a few key hubs—electronic trading platforms, exchanges, and clearing houses—that perform crucial functions and provide services for the entire financial industry. Viable workarounds might be hard to find should an incident significantly affect these systems or institutions. Cyber attacks might also result in data integrity concerns, potentially triggering a loss of confidence with systemic consequences. In her concluding remarks, Mosser emphasized the importance of data collection and quantification efforts to further understand and assess the effects of cyber risk.

Identifying and Classifying Cyber Risk

In the first of three panels, Steve Bishop (ORX), Deborah Bodeau (The MITRE Corporation), Todd Waszkelewicz (Federal Reserve Bank of New York), and Dawn Rieth (PNC) discussed the identification and classification of cyber risk. There was consensus among panel participants that the existing frameworks and methodologies—in particular, the Basel operational risk classification—were not designed to address cyber risk threats that pose significant challenges. In addition, financial firms’ risk management frameworks have traditionally focused on direct financial losses as triggers for the identification of cyber events. However, cyber attacks that do not result in direct financial losses may still lead to significant clean-up and reputation costs for the institutions involved. Some participants also noted that IT and risk management teams are not well integrated and do not communicate easily with each other when it comes to cyber risk, creating barriers within individual institutions. Finally, to foster a better understanding of cyber risk, the panelists suggested developing the taxonomy further, standardizing the classification, and improving the recording and benchmarking of data.

Measuring Cyber Risk

In the second panel, Gilles Hilary (Georgetown University), Patrick Naim (Elseware), Denyette DePierro (ABA), Phil Collet (American Express), and John DeLong (Morgan Stanley) discussed the impact and measurement of cyber risk. The discussion highlighted the variety of approaches currently used, with most frameworks using quantitatively driven scenarios to estimate cyber risk exposure. Typically, subject matter experts first assess the parameters associated with various cyber attack scenarios, including the frequency of attacks, the likelihood of a successful attack, and the impact of such a breach. These scenarios are then quantified through statistical frameworks.
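The quantification step described above, as an added example (not from the workshop or the authors): a Monte Carlo run that turns the three expert-assessed parameters into an annual loss distribution. The Poisson frequency, lognormal impact, scenario names, and all figures are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    attempts_per_year: float  # expert estimate: frequency of attacks (Poisson mean)
    p_success: float          # expert estimate: likelihood an attack succeeds
    impact_median: float      # expert estimate: median loss per successful breach
    impact_sigma: float       # assumed lognormal spread of impact (0 = fixed loss)

# Constructed sample estimates, not figures from the workshop.
SCENARIOS = [
    Scenario("ransomware on core systems", 4.0, 0.05, 2_000_000, 1.0),
    Scenario("third-party vendor breach", 1.5, 0.10, 750_000, 0.8),
]

def poisson(rng, lam):
    """Draw a Poisson count with Knuth's multiplication method (small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_year(rng, s):
    """Total loss from one scenario in one simulated year."""
    loss = 0.0
    for _ in range(poisson(rng, s.attempts_per_year)):
        if rng.random() < s.p_success:
            loss += rng.lognormvariate(math.log(s.impact_median), s.impact_sigma)
    return loss

def quantify(scenarios, years=20_000, seed=1):
    """Simulate many years and summarise the annual loss distribution."""
    rng = random.Random(seed)
    totals = sorted(sum(simulate_year(rng, s) for s in scenarios) for _ in range(years))
    return {
        "expected_annual_loss": sum(totals) / years,
        "p95": totals[int(0.95 * years)],
        "p99": totals[int(0.99 * years)],
        "p_any_loss": sum(t > 0 for t in totals) / years,
    }

if __name__ == "__main__":
    for key, value in quantify(SCENARIOS).items():
        print(f"{key}: {value:,.2f}")
```

The tail percentiles, not the mean, are what differ most when the same scenario is run through different distributional assumptions, which is the comparability problem the panel raised.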

One proposal called for financial institutions to each conduct a standardized scenario analysis, then share the (anonymized) results with one another. The panelists had different views on whether a report aggregating those results would yield insights for the participating institutions. On the one hand, panelists agreed that it would be helpful to link a set of observable factors—such as IT applications, third-party vendors, and number of customers—to cyber risk exposure. On the other hand, designing a set of standardized scenarios that are applicable in a consistent way to the entire industry would be a challenging task. An additional impediment is the variety of analytical frameworks that banks use and the potential lack of comparability of outputs across such frameworks. Some panelists also expressed the concern that if regulatory agencies were to collect cyber loss data and design the scenarios, such information could later be used for unrelated supervisory purposes.

The Role of the Federal Reserve System

The third panel spoke to the role of the Federal Reserve System in the cyber risk space. Panelists René Stulz (Ohio State University), Todd Vermilyea (Board of Governors), Keith Gordon (Ally), and Nida Davis (Board of Governors) agreed that the Fed should play a role in mitigating the systemic consequences of cyber risk. Participants pointed out the Fed’s advantages in being able to provide a horizontal perspective and identify best practices; they also highlighted the need for consistency and close collaboration between the private and public sector, both domestically and internationally. Others also noted the current lack of talent in cyber risk, and suggested collaborations with academic institutions to enlarge the pool of talent available to both private companies and government agencies.

Next Steps

Cyber risk and cyber risk resilience are top priorities of the Federal Reserve System, as pointed out by Vice Chair for Supervision Randal K. Quarles in a speech at the Insurance Information Institute’s 2019 Joint Industry Forum. To build on the steps laid out during the workshop, the organizers will prepare a white paper summarizing the proposals and discussions of the workshop. Further discussions on these proposals will occur at a workshop to follow later this year. The Federal Reserve will continue to evaluate cyber risk issues and propose additional initiatives to better measure and assess cyber risk exposure, and enhance the overall robustness and resilience of the financial system.

Disclaimer

The views expressed in this post are those of the authors and do not necessarily reflect the position of the Federal Reserve Bank of New York or the Federal Reserve System. Any errors or omissions are the responsibility of the authors.



Gara Afonso is an assistant vice president in the Federal Reserve Bank of New York’s Research and Statistics Group.

Filippo Curti is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.

Ping McLemore is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.

Atanas Mihov is a financial economist in the Federal Reserve Bank of Richmond’s Quantitative Supervision & Research Group.

How to cite this blog post:

Gara Afonso, Filippo Curti, Ping McLemore, and Atanas Mihov, “Understanding Cyber Risk: Lessons from a Recent Fed Workshop,” Federal Reserve Bank of New York Liberty Street Economics (blog), May 17, 2019, https://libertystreeteconomics.newyorkfed.org/2019/05/-understanding-cyber-risk-lessons-from-a-recent-fed-workshop.html.
