The potential for a massive and well-coordinated cyberattack on critical global financial networks is real and growing daily.
So far the U.S. and other major industrialized nations have avoided a systemic risk event caused directly by cyber-terrorism. Isolated incidents affecting financial and nonfinancial companies tend to catch our attention for a few days when the story unfolds, but in a world of information overload, we eventually move on to the next breaking news item.
Unfortunately, the Financial Stability Oversight Council appears relatively unmoved by such events and the financial surveillance activities by this group remain largely locked on addressing the sins of the past crisis – not on identifying vulnerabilities and threats from cyberattacks on our financial system tomorrow.
Mounting evidence that hostile governments are dedicating resources to covert cyber operations and the recent hacking of two major newspapers should be a wakeup call for those concerned about the vulnerability of our financial systems to a concentrated attack designed to cripple financial markets. This possibility may be starting to sink in among some financial stability regulators; however, these agencies face a daunting task in shifting resources and priorities away from building data and analytic capabilities to understand financial threats to markets and institutions where limited focus existed before the crisis.
For instance, Andrew Haldane, the executive director of financial stability at the Bank of England, testified this month that cyber attacks pose a major threat to the banking system.
In this country, awareness of such risks has been raised at FSOC but so far little has been done to elevate the importance of this threat to the security of our financial system. Of no surprise, however, the Department of Homeland Security seems to be sounding more of an alarm on this issue as it relates to the broader impact of such attacks on critical domestic infrastructure "soft" targets such as the power grid, communications and financial networks. What is not readily apparent is the integration of information-sharing on cyber threats to financial networks between national security agencies and FSOC members, including the Office of Financial Research.
In recent testimony to Congress, Acting Assistant Secretary Stempfley of DHS' National Protection and Programs Directorate laid out the need for further sharing of intelligence and other information between the Departments of Justice, Homeland Security and Defense to coordinate efforts to identify and thwart potential cyber security threats.
The omission of FSOC and OFR from this list seems somewhat surprising given the mandate of these groups to surface impending threats to financial stability. The OFR's annual report from 2012 indicates that cyber threats, while acknowledged in that document briefly, are not a priority focus area for the agency at this time.
Understandably the OFR has concentrated its efforts on assessing risk and vulnerabilities to the financial system, such as shadow banking, interconnectedness among financial counterparties and the impact from derivatives and other financial products. After all, these were major contributing factors to the financial crisis and clearly regulators were ill-prepared to identify emerging threats due to deficiencies in data, analytics and policy. In building its own infrastructure to tackle these issues, the office remains largely staffed with financial data, technology and market experts. As a result, a potential blind spot exists in the OFR's ability to identify and report trends and emerging threats on the cyber security front.
Borrowing from the defense community, it would seem appropriate for FSOC members to periodically engage in a comprehensive cyber security scenario analysis and planning exercise. Understanding the systemic consequences among markets and participants from various types of coordinated cyber attacks on systemically important institutions and market utilities seems prudent given the rising incidence of cyber threats globally.
What for example, would be the consequences of an attack on clearing of financial transactions? How would such a shutdown be transmitted across the financial system? Or, what could happen if a cyber event disrupted the transactions services group at my former employer, Citigroup (NYSE: C)? Given that the bank has $13 trillion in assets under custody and provides a wide array of treasury and trade services to the largest financial institutions and public sector entities across the world, such an event could potentially wreak havoc on the global financial system.
Clearly institutions such as Citi engage in scenario analysis for operational risk management. However, the systemic risk potential of such events is the domain of agencies such as FSOC and DHS actively working together on gathering information and working on solutions to prevent such attacks.
We must address issues that contributed to the last crisis. However, it is imperative that agencies on the front line for safeguarding our financial system maintain a forward thinking stance regarding the emergence of new threats that may not have occurred before but become plausible with time.
Clifford Rossi is the Executive-in-Residence and Tyser Teaching Fellow at the Robert H. Smith School of Business at the University of Maryland.