The unnerving reality of systemic cyber risk

The increased interconnectedness in financial systems facilitates a single cyber-attack to have far-reaching consequences

The danger of systemic cyber risk is now more significant than ever due to the increasing interconnectivity of our world through digital works and systems. Systemic cyber risk refers to the possibility of a cyber-attack or breach spreading quickly through interdependent systems resulting in extensive and severe harm to individual entities and sometimes entire industries. This risk raises the possibility that a single tremor in cyberspace could cause flaring contagion effects with cataclysmic consequences. Although idiosyncratic cyber risk episodes have attracted regulators’ attention, systemic cyber risk is still at an early stage of understanding. This article explores the potential consequences of this growing threat to financial systems and discusses mitigatory measures to address its impact. 

The World Economic Forum defines systemic cyber risk as the possibility that multiple interconnected systems, operating within and across sectors, could fail in a way that creates a catastrophic event that cascades across multiple industries, markets, and regions. Systemic cyber risk is triggered when a single cyber-attack affects multiple entities at once, leading to a chain reaction of consequences that are difficult to control. Technology risk has now become a leading driver of financial instability. According to Kindlelberger, major financial or technical advances play a more catalytic role than debt accumulation in eliciting financial crises. The destructional impacts of cyber risk spread to the broader economy, entire financial system, and national security.

An actual systemic cyber risk event has not yet tested financial systems. Christine Lagarde posits that the average potential losses could reach half of banks’ net income in extreme cyber-attacks. A 2022 survey of 130 global financial institutions has discovered that 74% experienced at least one ransomware attack over the past year. The inherent lack of transparency concerning highly integrated operations and interdependencies of systems makes a prior assessment of this risk difficult. It is also unclear whether macro-prudential supervisory authorities consider systemic cyber risk in their surveillance. Proper capabilities for scrutinising tech vendors and digital companies affiliated with banks are necessary for financial regulators if these entities come under their remit. The rare measurement of cyber risk in terms of economic cost highlight that more work remains to be completed to deal with this subject.

Meanwhile, digital financial transformation is happening at an unprecedented rate, mounting the probability of cyber risk becoming a critical systemic risk. The increased digitisation of banks’ operations makes them more susceptible to systemic cyber risk. One may contend that cyber risk is associated chiefly with individual banks, and the possibility of its propagation to systemic scale is remote. However, the current geopolitical tensions suggest that economies, crucial financial entities and payments and settlements systems can be vulnerable to cyber risk scenarios such as hacking, cyber thefts, and cyber-terrorism. During the last week of January 2023, a ransomware attack on a data group called Ion Markets prevented the US Commodity Futures Trading Commission from publishing data on derivatives markets, such as oil futures.

It is important that recovery planning process of banks captures the systemic dimensions of cyber risk to mitigate potential threats. The loss of substitutability and data integrity are cyber risk transmitting channels. Global central clearing platforms and transfer systems like SWIFT provide examples of risk concentration exposures due to the lack of substitutability. Idiosyncratic cyber threats can lead to the loss of confidence that prompts liquidity risk to an entity. This scenario can grow into market liquidity risk and eventually to a solvency risk. Defaults by cyber risk hit institutions and cause counterparty credit risks. 

More than a decade after the Great Financial Crisis, the global financial system landscape has moved into even more complex territories due to the emergence of new fintech (technology-enabled innovation in financial services) intermediaries. Large IT platform providers called ‘Bigtechs’ and small fintech startups have entered the financial services arena. Nevertheless, these advances are not risk-free. Procedures followed by novel fintech lenders can deteriorate credit standards and even form credit bubbles threatening financial system stability. 

The Financial Stability Board (FSB) has warned that Bigtech firms can also elicit systemic risks through leverage, maturity transformation, liquidity mismatches and operational risk. The advents of fintech entities that have revolutionised the financial services industry can also pose competitive challenges for traditional banking business models. Such increased competition in the banking sector can have both consequences of stability and fragility. The rapid progression of technology can accelerate the transmission speed at which local shock travels across financial systems.

From a financial stability standpoint, there should be measures to control the detrimental effects rising when traditional banks adopt risky business strategies to compete with fintech firms. However, existing regulatory regimes are not yet ready to deal adequately with the risks posed by Bigtech operations. The FSB suggests segregating groups’ financial and non-financial activities or imposing group-wide regulatory requirements on Bigtechs that engage in substantial financial activities. 

Countries have not been able to implement bank structural reforms to ring-fence deposit-taking and investment banking as suggested under the post financial crisis regulatory corrections. Hence, instigating segregation rules for tech companies will not be a smooth task. More so would be the imposition of a separate regulatory framework for these establishments. It will lead to create further complications for financial regulatory architecture.

Decentralised finance or ‘Defi’ is another addition to the fintech non-bank ecosystem. They function as a new form of intermediation in the crypto market by operating through automated protocols on blockchains. The exponential growth in the Defi market has hit $ 24 billion  worth of assets. Paypal also comes under the category of a non-banks operating like deposit mobilisation. The turmoil reported in the crypto asset market earlier this year revealed several structural fragilities associated with these markets. Moreover, the FSB has cautioned about risk from the crypto-asset markets to traditional finance due to the growing correlations between these two segments. A comprehensive regulatory action commensurate to the risk posed by the crypto asset market is necessary before this threat escalates to a severe danger to global financial stability. 

There are suggestions that ‘complexity theory’ could provide a helpful tool for dealing with financial market issues. According to complexity theory, some systems are too intricate to predict their future accurately. However, they show underlying detectible patterns enabling policymakers to identify the complex workings of those systems. More importantly, complexity theory focuses on the evolution of systems in a holistic approach. This feature can be helpful in devising stability regulation to cope with relentless challenges associated with the mounting sophistication of non-bank intermediaries. Since non-bank intermediaries contain features like traditional finance, the FSB’s proposal to introduce regulations for crypto assets has been based on the principle of ‘same activity, same risk, same regulation.’ The aforesaid regulatory approach will provide useful parameters to control financial stability risks posed by disruptive technologies.

Allowing fintech companies to flourish rapidly without being subject to a proper regulatory framework will create the enabling conditions for another systemic crisis. Proposals for bank structural reforms have not yet been implemented successfully to downsize the intricate organisational structures of large banks. In such a context, leaving space for fintech intermediaries to grow exponentially to become too-big-to-fail companies would be a scourge to financial stability. Further research under the financial stability policy domain should focus on large fintech entities to detect their harmful impacts. 

Systemic cyber risk severely threatens to individual financial entities and the entire system. The increased interconnectedness in financial systems facilitates a single cyber-attack to have far-reaching consequences. The rapid digitalisation of financial services does not guarantee that banks will have sound risk governance mechanisms. Banks must adopt a proactive approach underpinned by robust internal controls and policies to protect against systemic cyber risk. Greater collaboration between regulatory authorities and the banking industry can enhance cybersecurity research and development to safeguard financial system resilience. 

“Everyone thinks they have a plan until they get punched in the face” – Vicki Gavin

(The writer is an Attorney-at-Law, LLM. The views and opinions expressed in this article are those of the writer and do not necessarily reflect the official policy or position of any institution.)