Quarterly Bulletin 2018 Q4

© Bank of England 2018 ISSN 2399-4568

Topical article

Could a cyber attack cause a systemic impact in the financial sector?

Topical articles Cyber and systemic risk in the financial sector 1

Could a cyber attack cause a systemic impact in the financial sector? By Phil Warren (Bank of England), Kim Kaivanto (Lancaster University) and Dan Prince (Lancaster University).(1)

• There is not a uniform view of the link between cyber risk and systemic risk: some assume a direct link whereas others query the connection.

• Beyond nation states, the vast majority of independent cyber attackers are currently unlikely to have the capability to systemically impact the financial sector.

• The financial sector has a large number of environmental features which are conducive to a systemic cyber compromise.

• There are no current examples of systemic cyber risk crystallising and impacting the real economy but this does not prove an absence of risk.

• We conclude there is a credible case to link cyber risk to systemic risk in the financial sector.

• Recommendations for future consideration include:

– Further development of the intelligence-led approach to cyber security.

– Policy responses that seek to cut through sectoral, geographical and public/private boundaries.

– Organisations should accept that compromises are likely to happen and therefore prioritise response and recovery activities.

– Undertake further studies to better understand the relationship between data integrity and authenticity, trust in financial services and the potential for real-economy impact via a cyber attack.

– A specific focus on risks associated with third-party dependencies.

(1) The authors would like to thank: the Quarterly Bulletin editors, Andrew Huddart, Dave Porter, Anne Wetherilt and Paul Williams for useful comments.

Summary figure The context of cyber risk: securing information into the digital age

[Figure: four panels. First Industrial Revolution (water and steam): mechanical production replaces human and animal power. Second Industrial Revolution (electricity): mass production and assembly line. Third Industrial Revolution (automation): IT and networked production. Fourth Industrial Revolution (cyber physical systems): intelligent, flexible and distributed production; driverless cars, smart robotics, artificial intelligence and 3D printing.]


Introduction

Over four billion people are now internet users.(2) This number has nearly doubled since 2012.(3) During the same period the number of people using social media has more than doubled.(4) The fourth industrial age is being characterised by the convergence of physical, digital and biological domains. This has included radical developments in technical innovation such as the commodification of artificial intelligence (AI), mobile internet, cloud technology, nanotechnology and machine learning.

Financial services have been central to the digital revolution: demonstrated through the advent of fintech, mobile banking, digital start-ups and cryptocurrency. As well as the benefit it brings, the digital revolution has unleashed changes in the operational risk landscape.

Cyber risk is frequently cited as a top priority not just for individual institutions but for the financial system as a whole. The Bank of England’s 2018 H2 Systemic Risk Survey(5) referenced cyber attack as the second most cited source of risk to the UK financial system.(6)

Nevertheless, a detailed understanding of systemic cyber risk within the financial sector remains embryonic. Commentaries are divided. On one side, there is a popular and alarmist discourse which assumes a direct link between cyber risk and systemic risk. Proponents cite a diverse medley of attackers and assume a successful attack would have a catastrophic impact: ‘a loss ranking somewhere between those of Hurricanes Sandy and Katrina’.(7) Conversely, others claim ‘there is no direct connection between the failure of computer systems, no matter how severe, and the behaviour of those economic agents which ultimately culminates in a systemic crisis’.(8)

Given the diversity of views, this paper will critically evaluate the link between cyber risk and systemic risk within the financial sector. Our approach will analyse common features of existing definitions for systemic risk and test their applicability to cyber risk.

This is the first Quarterly Bulletin article about cyber risk and reflects its emergence as a priority subject linked to the Bank’s mission for maintaining financial stability. As cyber risk is a global, cross-cutting and topical subject, this paper will include reference to attacks which may have taken place outside of financial services but where learning points can still be surmised. Cyber attacks are frequently agnostic of sectoral boundaries; our analysis will be too.

What is systemic cyber risk?

There are a number of common features present in existing literature which help to define systemic risk. Most of these originate from analysis of financial risk which proliferated following the 2008 crisis:

Common features of systemic risk

• a systemic impact is triggered via a shock(9) (eg a firm failure);

• its causes can gradually build up(10) (eg via a credit bubble or the neglect of tail risk);(11)

• a significant part or parts(12) of the sector are impacted;

• the event propagates through and is amplified by the interconnected(13) nature of the affected business environment;

• there is a lack of substitutability(14) to contain the disturbance;

• human behaviour fuels the impact as consumers react to changes in confidence and trust in the financial sector (eg hoarding or flight);(15)

• the consequence is a failure of the provision of services(16) (eg access to credit); and

• the impact is felt in the real economy(17) (eg economic growth or welfare).

(2) See ‘We are Social’ and ‘Hootsuite’ (2018).
(3) See Statista (2018).
(4) See ‘We are Social’ and ‘Hootsuite’ (2018) and Statista (2018).
(5) The Systemic Risk Survey is conducted on a biannual basis, to quantify and track market participants’ views of risks to, and their confidence in, the stability of the UK financial system.
(6) See Bank of England (2018a).
(7) See Mee and Schuermann (2018).
(8) See Danielsson, Fouché and Macrae (2016).
(9) See Smaga (2014), Kaufman and Scott (2003).
(10) See Bloomfield and Wetherilt (2012).
(11) See Gennaioli, Shleifer and Vishny (2012), (2013).
(12) See FSB (2009), Eijffinger (2010), ECB (2009) and Kaufman and Scott (2003).
(13) See FSB (2009) and Smaga (2014).
(14) See FSB (2009).
(15) Kaufman and Scott (2003).
(16) See FSB (2009) and WEF (2016).
(17) See Eijffinger (2009), FSB (2009), Smaga (2014) and Bloomfield and Wetherilt (2012).


In other words, systemic risk is ‘a risk of disruption to financial services that is (i) caused by an impairment of all or parts of the financial system and (ii) has the potential to have serious negative consequences for the real economy. Fundamental to the definition is the notion of negative externalities from a disruption or failure in a financial institution, market or instrument’.(18)

How do definitions for systemic cyber risk relate to the features of systemic financial risk? First, it is important to reflect on the boundaries of the term ‘cyber’ that has ‘become a noun and a prefix meaning anything including or relating to computers’.(19) Of course the term cyber is not simply a reference to a desktop device but rather to the ubiquitous and connected nature of technology within the digital age: ‘[it] is increasingly the means by which we communicate in every sphere of our lives, locally and globally’.(20) Rather than simply focusing on the stand-alone technology, cyber risk should be analysed within this broader setting.

Related to this context, we must also consider the complex and opaque nature of data. Consequently, the forensic analysis of a cyber attack can rarely attain definitive conclusions or attribution, as it typically relies on incomplete information.

Systems are also automated and dependent on hyper-connected data sources and feeds. Hence attacks can propagate without human awareness or intervention.

In addition, compared to financial risk, there is not a well-developed historical record and accompanying empirical evidence base to support standard statistical quantification and inference.

Finally, in contrast to financial risk, cyber risk involves the presence of a malicious entity: somebody seeking to corrupt or upset normal operating equilibria. Importantly, this means that an attacker may be able to choreograph the attack so as to maximise systemic impact, for example by timing an attack on a key institution to coincide with a period of heightened uncertainty.

For reference, we will make use of the following cyber-specific terminology:

• A ‘threat agent’ is a malicious actor whose intentions are to attack a socio-technical asset (eg system, network, person).

• A ‘vulnerability’ is a flaw in a socio-technical information asset that may be exploited (either via a person, a process or technology).

• A ‘cyber attack’ is the act of a malicious agent exploiting a vulnerability to compromise the socio-technical information asset.

• A ‘control’ is a countermeasure to identify, protect, detect, respond and recover from a cyber attack.

• An ‘impact’ is a result of the attack. This is typically seen as a breach of confidentiality, integrity, availability, utility, possession or authenticity of the information asset.

External shock…‘know the enemy’

A common feature of systemic risk is the presence of external ‘shocks’ that may become a systemic event(21) such as the bank failures (eg Bear Stearns, Lehman Brothers and Northern Rock) in 2007–8. Could a cyber attack shock the financial sector in a comparable manner?

Commentaries of cyber risk frequently cite the offensive activities of cyber criminals, hacktivists, malicious insiders and hostile states to evidence the transmission channels of shock. Conversely, Danielsson, Fouché and Macrae (2016) contend that ‘the only actors with sufficient resources to cause a systemic crisis are the largest sovereign states’ and that they must ‘be very lucky’. They suggest it ‘might be just as easy to…[make] credible threats to world trade’.(22)

We agree that beyond nation states, the vast majority of independent cyber attackers are currently unlikely to have the capability to cause a shock with the magnitude to systemically impact the financial sector.

Yet we need to be careful not to pigeon-hole our analysis. A cyber attack frequently combines different groups of attackers, their activities stimulated by a black-market economy where the exchange of tools and knowledge cuts through traditionally defined boundaries. As an example, the WannaCry global ransomware attack which impacted legacy technology within the NHS was reportedly rooted in a compromise of US government intelligence tools, was monetised by Russian-linked criminals and weaponised by the North Korean state (DPRK) (see Figure 1).(23)

Our analysis must also consider that state-sponsored cyber capabilities are shrouded in secrecy and cases brought into the public view often provide only glimpses of the facts. We must assume that more offensive capability exists beyond our reach.

There are, however, some indicators of nation-state cyber capability. For example, US intelligence officials testified in January 2017 that as of late 2016, more than 30 governments were actively developing offensive cyber attack capabilities.(24)

(18) See FSB (2009).
(19) See Wright (2018).
(20) See Wright (2018).
(21) See IMF, BIS and OECD (2001).
(22) See Danielsson, Fouché and Macrae (2016).
(23) See UK Foreign Office (2017) and The Telegraph (2017).
(24) See Clapper (2017).


There is also evidence of their use. The Russian war in Ukraine (2014–present) has seen the deployment of traditional kinetic weapons but has also reportedly included the destructive Sandworm(25) cyber attacks against Ukrainian power networks. Therefore, some nation states have the offensive capability to supplant the need to rely on luck for achieving a systemic impact. Comparable outcomes could be achieved via conventional means such as trade sanctions. Yet with their relative low cost and ease of deniability compared to trade or military force, it seems logical that cyber capability is an increasingly viable choice for nation-state attackers.

How does this threat relate to financial services? Even when the capability may be present, there also needs to be an intention by attackers to use it. While nation states probably recognise the attacking opportunities, evidence suggests current offensive cyber resources are heavily deployed against traditional government targets, such as military and political establishments, rather than the financial sector.(26) State-sponsored attackers also probably understand an attack which has a systemic impact would break international law.(27) Offensive cyber capabilities, therefore, may currently be held in a state of readiness as deterrence, given their known capabilities in the event of escalation. However, we must not confuse readiness-for-deterrence with an absence of risk to financial services.

Gradual build-up…‘death by a thousand cuts’

Beyond shock, causes of systemic risk can gradually build up ‘such as credit and asset market bubbles that…may unravel suddenly’.(28) Discussions of cyber risk have, to date, primarily focused on the triggers of destructive or disruptive attacks, rather than focusing on their causes. Our analysis should reference these contributory factors. For example, many parts of the financial sector continue to depend on legacy technology. This is steadily increasing the likelihood of a subsequent cyber compromise as services become technically obsolete and therefore more vulnerable to an attack. Similarly, there is an emerging skills gap in the cyber security sector;(29) gradually reducing the capability among defenders and therefore increasing the chances of success for would-be attackers.

Data loss is another example of cyber risk which is building up in financial services. These cases have the potential to gradually undermine the confidence and trust in identities used to access financial services, such as credit provision. The breach of Equifax in May 2017 compromised 15.2 million personal records and, according to the National Cyber Security Centre (NCSC), ‘the majority of these…[contained]…the name and date of birth of certain UK consumers’.(30)

In isolation, examples like data loss are not currently systemic risks but these instances may aggregate to contribute to systemic events in the future. For example, if an attack were able to use these credentials as part of a concurrent widespread compromise of retail banks, this could compromise consumer confidence and lead to a run on services.

Financial services…‘a complex system’

The Financial Stability Board (FSB) outlines three criteria to determine the susceptibility of a business environment to a systemic impact: size, substitutability and interconnectedness.(31)

How does this relate to cyber risk in the financial sector? Size reflects ‘the volume of financial services provided by the individual component of the financial system’.(32) In short, a single hammer blow to a key institution could resonate throughout the sector. A cyber attack could theoretically crystallise in this way, although to bypass all the controls, it would probably have to be extremely sophisticated.

Figure 1 The anatomy of the WannaCry attack: spooks, criminals and the NHS

[Timeline: 2013–16, NSA tools compromised; January 2017, Russian criminals auction NSA tools; May 2017, DPRK weaponise the tools and WannaCry outbreak begins. Impact: 200,000 computers were infected across 150 countries including parts of the NHS.]

(25) The Sandworm cyber attack took place on 23 December 2015 and is considered to be the first known successful cyber attack on a power grid. For more information see Wired (2017).
(26) See NCSC (2018a).
(27) See Wright (2018).
(28) See Schwaab, Koopman and Lucas (2011).
(29) See Joint Committee on the National Security Strategy (2018).
(30) See NCSC (2017).
(31) See FSB (2009).

A similar outcome could be achieved with greater ease via a more rudimentary attack on multiple institutions. Common sector-wide technology components have made this easier. An NCSC advisory of April 2018 detailed Russian state-sponsored cyber actors targeting network infrastructure devices. In the report, NCSC stated ‘The current state of US and UK network devices — coupled with a Russian government campaign to exploit these devices — threatens the safety, security, and economic well-being of the United States and the United Kingdom’.(33) And although financial services were largely immune from the WannaCry attack which targeted Microsoft operating systems, it demonstrated how the exploitation of a common vulnerability can have a severe, widespread and rapid impact across multiple organisations.

Substitutability relates to the ‘extent to which other components of the system can provide the same services in the event of a failure’.(34) Analysts of financial risk cite examples of key assets that cannot be replaced if lost or interrupted such as payment systems, messaging systems and clearing and settlement systems. In theory, a successful cyber attack against these types of critical assets has the potential to cause a systemic impact. However, our analysis should not be limited to these classic examples. Representing the changing shape of the sector (see Figure 2), we should also focus on common dependencies such as those third-party providers offering cloud computing and other utility services. A 2018 Lloyd’s of London report forecasts ‘a cyber incident that takes a top three cloud provider offline in the US for 3–6 days would result in ground-up loss central estimates between US$6.9 billion and US$14.7 billion’.(35) Yet the potential for concentration risk of cloud services needs to be balanced against the likely security benefits they bring ‘because the scale and expertise of cloud service providers allowed them to build resilience in a way that exceeded the capability of individual firms.’(36)

The importance of interconnectedness (‘linkages with other components of the system’(37)) is well understood and well studied in financial risk literature: ‘systemic risk involves spillovers of risk from one institution to many others’.(38) Beyond the financial view, interconnectedness also needs to be viewed from a data-centric perspective. As the sector has used technology to broaden access to its services, it has introduced an incalculable number of new connections. Banks cannot just centralise their security around their cash vaults; their digital assets are now spread globally. From a cyber-risk standpoint, this has hugely increased the number of attack vectors, as each new node is a potential source of infection. And while financial services may wish to prioritise security, their services are necessarily situated within a broader technology environment where manufacturers are challenged to balance the competing priorities of convenience and connectivity with security.

As well as the FSB’s three characteristics which inform vulnerability to a systemic impact, we should also reference the related issue of technology dependency. Exposure of a business environment to cyber risks is directly correlated to a business’ reliance on technology. Conversely, an environment without such technology dependency has a reduced cyber risk exposure: you cannot hack a typewriter. Nobody would challenge the assertion that financial services have become dependent on technology to fulfil their business functions. Nonetheless, the ubiquity of technology within financial services needs to be understood from the perspective of cyber risk. Cyber risk cannot be simply hived off to the IT department to fix; it is a core component of every business function. Although not the result of a cyber attack, the TSB IT failure of April 2018 demonstrates the overall point: a failure of technology can also lead to a failure of a business service.(39)

As outlined, certain data characteristics (complexity, opacity, hyper-connectivity and automation) can impact the management of cyber risk. These characteristics become force-magnifiers for attacks on data integrity. Such an attack ‘can cause special problems for recovery, in particular when it is not known whether and when the integrity of data has been compromised’.(40) These compromises can automatically spread corruption into the broader system. And a thorough forensic investigation of a data integrity compromise can frequently take days or weeks. Added to this is the CPMI-IOSCO guidance for services providing financial market infrastructure (FMI): ‘An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption…’ This leaves system operators with a difficult decision: resume services which are potentially corrupted, or keep the service down and miss the target (see Figure 3). CPMI-IOSCO recognise this unique challenge and encourage operators to ‘exercise judgement in effecting resumption so that risks to itself or its ecosystem do not thereby escalate, whilst taking into account that completion of settlement by the end of day is crucial’.(41) There have been some examples demonstrating the potency of a data integrity attack. In 2015, BNY Mellon had a technical glitch that mispriced some securities. The system failure caused panic among BNY Mellon’s US fund management clients over concerns that hundreds of funds may have been traded at inaccurate prices. As it was a data integrity issue, the back-up facility was corrupted as well, preventing an automatic failover.(42)

Figure 2 Cloud computing — transforming the model of IT service

(32) See FSB (2009).
(33) See NCSC (2018b).
(34) See FSB (2009).
(35) See Lloyd’s of London (2018).
(36) See Bank of England (2018b).
(37) See FSB (2009).
(38) See ECB (2009).
(39) See BBC (2018).

Human factors…‘fear, uncertainty and doubt’

The financial system relies on trust to support its function. When that trust is shattered, confidence in the financial system can falter, leading to falls in market or funding liquidity. Fear that an institution may be or has become insolvent leads to capital flight and ultimately leads to the negative spillovers we associate with systemic events. The Northern Rock run of 2007 provides a stark example.

How does this relate to cyber risk? Importantly, cyber risk needs to be viewed from a social as well as a technical perspective. There is a direct link between trust in the authenticity of data and how people behave. This means that a knowledgeable attacker who understands the fragility of the socio-technical relationship is well placed to undermine the system. As an example, on 27 June 2014, Bulgaria’s largest domestic bank FIB experienced a depositor run, amid heightened uncertainty due to the resolution of another bank. This followed spurious emails and social media coverage implying that FIB was experiencing a liquidity shortage. Deposit outflows on that day amounted to 10% of the bank’s total deposits and the bank resorted to using a liquidity assistance scheme provided by the authorities.(43)

Consumer trust in financial services has always been linked to media coverage. However, the rapid developments of technology have broadened the trigger points for influence of consumer behaviour. This includes the compromise of media outlets by attackers. In 2013, a hacker took over the Twitter account of the Associated Press and tweeted ‘Breaking: Two Explosions in the White House and Barack Obama is injured’. The Dow Jones stock market instantly fell 140 points.(44) No longer can financial institutions simply rely on defending their immediate perimeter to mitigate systemic risk; technology advances have transformed the scale, span and diversity of potential attack vectors.

Real-economy impact…‘wages, welfare and wallets’

At the heart of the concept of systemic risk is real economic impact: a failure of the provision of services which can affect economic growth or welfare. Those challenging the link between cyber risk and systemic risk argue that, to date, there is little evidence to demonstrate such impacts occurring.

Nevertheless, there are clear, direct and recent instances of cyber attacks causing systemic impact outside of the financial sector. A prime example is the Stuxnet(45) attack which reportedly damaged one fifth of Iran’s nuclear centrifuges. The absence of such examples in the financial sector may simply be because there has not yet been the correct synchronisation of attacks at the right time and place to create such an impact. Instead, proponents of systemic cyber risk analysis suggest using theoretical scenarios. For example, co-ordinated attacks across multiple or core systems, or even spoofing the Global Navigation Satellite System timing, which underpins the timing integrity of all trades and ATM transactions.(46)

We should also reference cyber crime. In aggregate form, it is an example of an issue affecting economic activity and welfare. In April 2018, a UK Finance and KPMG report claimed that cyber crime had a ‘global impact exceeding $450 billion a year as crime, extortion, blackmail and fraud move online’.(47) Yet cyber crime has not currently led to an obvious failure in the provision of service. Therefore, while it is a vitally important system-wide issue, at present it is not a systemic one.

Finally, our analysis of real-economy impact should differentiate events which may happen from those that have happened. Just because there has not been a clear example of a systemic impact in the sector yet, it does not mean it cannot or will not happen in the future.

Figure 3 The triangle of trust: integrity, availability and recoverability

[Diagram labels: cyber attack; data integrity; system availability; outage recovery in <2 hours; trust in the system.]

(40) See Kashyap and Wetherilt (2018).
(41) See BIS (2016).
(42) See Finextra (2018).
(43) See Bouveret (2018).
(44) See CNBC (2013).
(45) Stuxnet is a malicious computer worm, first uncovered in 2010. For more information, see Wired (2014).

Systemic uncertainty…‘the unknown unknowns’

Beyond the outlined characteristics of cyber risk through the lens of financial systemic risk, cyber risk also has some unique characteristics which may contribute to a systemic impact in its own right.

For example, both in the financial sector and beyond, there is the growing gulf between the complexity of the technology environment we are operating and our ability to understand it. This makes the mitigation of cyber attacks increasingly challenging. Legacy infrastructure, complex technology environments and an increasingly mobile workforce are preventing defenders from effectively understanding or managing the associated risks. Traditional risk assessment requires a known outcome; characterised around structured taxonomies, risk registers, defined appetites and assessed impacts. However, the technology environment is a highly complex and opaque system. The result is that we cannot expect to discern cause and effect; cyber risk outcomes are emergent rather than resultant.

Although not fundamentally impacting the financial sector, the destructive NotPetya attack is illustrative. This attack was reportedly carried out by the Russian state against government targets in Ukraine. Yet as well as the intended targets, there was considerable collateral damage: ‘the worm raced beyond Ukraine and out to countless machines around the world…it crippled multinational companies including Maersk, pharmaceutical giant Merck, [and] TNT Express…it even spread back to Russia, striking the state oil company Rosneft’.(48)

What was the common factor? Reportedly, the attack was delivered via an update to an accountancy programme. Victims were simply chosen because of their choice of software.

Conclusion

Necessarily, this paper has examined each of the characteristics of systemic risk in isolation. Of course, capable attackers could synchronise these elements in order to maximise their impact. Therefore, we should avoid trying to seek a binary answer for each characteristic; instead we should seek an overall assessment.

In our view, there is a credible case to link cyber risk to systemic risk in the financial sector. The connection, however, is not self-evident. This conclusion is based on context and signal rather than a glut of clear evidential examples. It is also based on an increasing risk trajectory. Many of the examples cited in this paper have taken place over very recent years. As technology dependency keeps increasing, we expect the number of cyber attacks to increase commensurately.

Nor does this mean that we have concluded that there is a cataclysmic level of risk within the sector; the current reality is more nuanced. For example, nation states are probably the only threat actors with the current capability to cause a systemic shock within the sector. However, we expect the threat to increase as capability is fuelled by the development of the black market for attack tools. As a case in point, the Stuxnet worm which was launched as a weapons-grade capability was freely available to download just months later. With increased access, sophisticated capabilities will reach a broader set of attackers, including groups such as terrorists who may have a stronger intent to disrupt the financial sector.

Like financial risk, cyber risk also has features which in the right circumstances could contribute to systemic outcomes. As just one example, the results of mass data loss are being used by attackers to compromise the authenticity of financial transactions in the sector. This risk is growing: data loss numbers are staggeringly large and attackers have probably only just started to exploit its potential value.(49)

Then we look at the business environment of financial services. It is a complex system with an incalculable number of compromise points for data, a total dependency on technology, a time-bound reliance on data integrity and a number of functions without substitutability. This is a landscape with a large number of features which are conducive to compromise.

(46) See Bloomberg (2018).
(47) See UK Finance (2018a).
(48) NotPetya was a global ransomware attack in June 2017. For more information see Wired (2018).
(49) See Verizon (2018).


There are also the human factors. The sector has always been immensely reliant on trust and confidence to fulfil its functions. And with technology advances, the trigger points for behavioural influence are widening. We are probably only just beginning to understand the relationship between the authenticity of information and its role within financial services. The early signs suggest a relationship which could be easily undermined by a savvy attacker, leading to typical behavioural responses seen in financial risk, such as capital flight.

Finally, we are seeing a further growing gap between the technology environment we operate and our ability to understand and secure it. As the sector builds automated processes and artificial intelligence into its services, this will, by definition, compound the problem, making the mitigation of attacks significantly more challenging.

There are few obvious and current examples of cyber risk impacting the provision of financial services to the real economy. The absence of examples may simply be because the contributing factors to a systemic risk have not yet synchronised to cause a crisis. This may be down to luck or, more likely, that those with the capability have yet to pull the trigger.

Next steps

This paper has sought to explore the link between cyber risk and systemic risk rather than suggesting specific mitigation actions. Nevertheless, our findings should act as both a primer for future study and as a reference to inform our policy responses. For completeness, the following recommendations are suggested for consideration:

• Defenders of vital services should continue to develop their intelligence-led approach to cyber security. An improved understanding of our attackers will help to calibrate the finite resources to improve our defence of the sector.

• As reflected in the supervisory authority’s Operational Resilience Discussion Paper,(50) organisations should reflect the reality of systemic uncertainty and accept that compromises are likely to happen and therefore prioritise response and recovery activities rather than just protective security.

• Reflecting the changing and global business environment, policy responses should seek to cut through sectoral, geographical and public/private boundaries. The progressive vision of UK Finance’s Financial Services Cyber Co-ordination Centre exemplifies this approach.(51)

• Undertake further studies to better understand the relationship between data integrity and authenticity, trust in financial services and the potential for real-economy impact via a cyber attack.

• As per the June 2018 Financial Stability Report, there should be a specific focus on risks associated with third-party dependencies; specifically those ‘that are outside the regulatory perimeter’.(52)

(50) See Bank of England (2018c).
(51) See UK Finance (2018b).
(52) See Bank of England (2018d).


References

Bank for International Settlements (BIS) (2016), ‘Guidance on cyber resilience for financial market infrastructures’, Committee on Payments and Market Infrastructures, Board of the International Organization of Securities Commissions.

Bank of England (2018a), ‘Systemic Risk Survey Results’, 2018 H2.

Bank of England (2018b), ‘Record of the Financial Policy Committee Meetings on 20 and 27 November 2018’, 5 December 2018.

Bank of England (2018c), ‘Building the UK financial sector’s operational resilience’, July 2018.

Bank of England (2018d), ‘Financial Stability Report’, June 2018.

BBC (2018), ‘TSB: How it all went so wrong for the bank’, 28 April.

Bloomberg (2018), ‘The world economy runs on GPS. It needs a backup plan’, 25 July.

Bloomfield, R E and Wetherilt, A (2012), ‘Computer trading and systemic risk: a nuclear perspective’, Foresight Driver Review DR26, Government Office for Science.

Bouveret, A (2018), ‘Cyber risk for the financial sector: a framework for quantitative assessment’, IMF Working Paper WP/18/143.

Clapper, J R (2017), ‘Joint Statement for the Record to the Senate Armed Services Committee — Foreign Cyber Threats to the United States’, the Director of Intelligence, 5 January.

CNBC (2013), ‘False rumor of explosion at White House causes stocks to briefly plunge; AP confirms its Twitter feed was hacked’, 23 April.

Danielsson, J, Fouché, M and Macrae, R (2016), ‘Cyber risk as systemic risk’, CEPR Policy Portal.

Eijffinger, S C (2010), ‘Defining and measuring systematic risk’, Banking and Finance, January (1).

European Central Bank (ECB) (2009), ‘Defining and measuring systemic risk’, Directorate General for Internal Policies, Policy Department A: Economic and Scientific Policies, Economic and Monetary Affairs, 23 November.

Financial Stability Board (FSB) (2009), ‘Guidance to assess the systemic importance of financial institutions, markets and instruments: initial considerations’, IMF-BIS-FSB, October.

Finextra (2018), ‘SunGard apologises for BNY Mellon system glitch’, 28 August.

Gennaioli, N, Shleifer, A and Vishny, R W (2012), ‘Neglected risks, financial innovation, and financial fragility’, Journal of Financial Economics, Vol. 104.

Gennaioli, N, Shleifer, A and Vishny, R W (2013), ‘A model of shadow banking’, Journal of Finance, Vol. 68, No. 4.

International Monetary Fund (IMF), Bank for International Settlements (BIS) and Organisation for Economic Co-operation and Development (OECD) (2001), ‘Report on Consolidation in the Financial Sector’.

Joint Committee on the National Security Strategy (2018), ‘Cyber security skills and the UK’s critical national infrastructure: Government response to the Committee’s second report of Session 2017–19’, 13 November 2018.

Kashyap, A and Wetherilt, A (2018), ‘Some principles for regulating cyber risk’, Centre for Economic Policy Research Discussion Paper DP13324.

Kaufman, G G and Scott, K E (2003), ‘What is systemic risk, and do bank regulators retard or contribute to it?’.

Lloyd’s of London (2018), ‘Cloud Down — Impacts on the US economy’.

Mee, P and Schuermann, T (2018), ‘How a cyber attack could cause the next financial crisis’, Harvard Business Review, 14 September.

National Cyber Security Centre (NCSC) (2017), ‘Latest information on the Equifax cyber incident’, 10 October.

National Cyber Security Centre (NCSC) (2018a), ‘Reckless campaign of cyber attacks by Russian military intelligence service exposed’.

National Cyber Security Centre (NCSC) (2018b), ‘Advisory: Russian state-sponsored cyber actors targeting network infrastructure devices’.

Schwaab, B, Koopman, S and Lucas, A (2011), ‘Systemic risk diagnostics — coincident indicators and early warning signals’, ECB Working Paper No. 1327.

Smaga, P (2014), ‘The concept of systemic risk’, Special Paper No. 5, Systemic Risk Centre, London School of Economics.

Statista (2018), ‘Number of internet users worldwide from 2005 to 2017 (in millions)’.

The Telegraph (2017), ‘NHS cyber attack: everything you need to know about ‘biggest ransomware’ offensive in history’, 20 May.

UK Finance (2018a), ‘Staying ahead of cyber crime’.

UK Finance (2018b), ‘News in brief’, 18 October.

UK Foreign Office (2017), ‘Foreign Office Minister condemns North Korean actor for WannaCry attacks’, press release, 19 December.

Verizon (2018), ‘Data Breach Investigations Report’.

We are Social and Hootsuite (2018), ‘Digital Yearbook’.

Wired (2014), ‘An unprecedented look at Stuxnet, the world’s first digital weapon’, 11 March.

Wired (2017), ‘Your guide to Russia’s infrastructure hacking teams’, 7 December.

Wired (2018), ‘The untold story of NotPetya, the most devastating cyberattack in history’, 22 August.

World Economic Forum (WEF) (2016), ‘Understanding systemic cyber risk’.

Wright, J (2018), ‘Cyber and international law in the 21st century’, 23 May.