Stanford's Darrell Duffie co-authors a paper that looks beyond big-bank resiliency to payment-system vulnerability
Friday, July 12, 2019
By Ted Knutson
In January 2015, at a Bank for International Settlements (BIS) forum in South Africa, Federal Reserve Bank of Boston president Eric Rosengren spoke on the subject of Cyber Security and Financial Stability. He described the former as “a serious financial stability concern.”
The cyber-stability connection has since gotten thorough and systematic attention from high-level risk monitoring bodies. The U.S. Treasury's Office of Financial Research declared cybersecurity to be a key threat to financial stability in 2016 and fleshed it out in a February 2017 Viewpoint paper.
The BIS-hosted Financial Stability Board, which published a “stocktake” of financial sector cyber regulations, guidance and supervisory practices in October 2017, “is currently developing effective practices for cyber incident response and recovery. The objective is to identify a set of tools that the private sector and authorities can use in designing incident response and recovery policies,” secretary general Dietrich Domanski said in a May 2019 speech.
In 2016, the Financial Services Information Sharing and Analysis Center (FS-ISAC), which has been coordinating financial-sector threat intelligence activities since 1999, established the Financial Systemic Analysis and Resilience Center (FSARC) “to proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cybersecurity threats through focused operations and enhanced collaboration between participating firms, industry partners and the U.S. government.”
“Cyber Run” Hazard
Stanford Graduate School of Business professor Darrell Duffie and JPMorgan Chase & Co. managing director Joshua Younger have now weighed in with a paper that harkens back to the focus of Rosengren's systemic concerns in 2015: payments.
In Cyber Runs, a Brookings Institution Hutchins Center working paper published in June, Duffie and Younger acknowledge that there have been “significant attention from policy makers” and documents that “have noted the threat of cyber attacks on financial market infrastructure and bank deposits.” The authors refer to an earlier Brookings paper, which said, “Some of the most direct initiatives on these questions began in 2013, after a White House Executive Order instructed the Department of Homeland Security, in consultation with the Department of Treasury, to identify those financial institutions for which 'a cyber incident would have far reaching impact on regional or national economic security.'”
But Duffie and Younger believe there has not been “prior work on the nature of a cyber run, including its propagation dynamics, potential scale, and ancillary effects on the payment system” - in other words, the consequences of a liquidity crisis stemming from large institutional depositors' seeking access to their funds on short notice.
“The ensuing liquidity crisis could be contagious,” they write. “Credible reports of a serious cyber attack on Bank A could lead wholesale customers of Bank B to immediately withdraw their deposits at Bank B, in light of the heightened conditional probability that Bank B may also be under attack. Even if Bank B is not under attack, there could be a self-fulfilling expectation that other large depositors in Bank B will make precautionary withdrawals, thus generating the threat of a liquidity crisis for Bank B that is itself a rationale for any large depositor to run.
“This kind of herding behavior has been observed during credit events - most recently the run on prime money market mutual funds after the Lehman bankruptcy, including prime funds with limited or no direct exposure - and would likely be triggered by cyber incidents as well.”
Wholesale Payment Slowdown
There could also be exacerbating effects, such as a node of the payment system becoming even temporarily inoperable, or “a sudden reduction in the maximum attainable velocity of circulation of cash could have serious macroeconomic repercussions.”
An analysis of 12 systemically important U.S. financial institutions leads Duffie and Younger to conclude that “these firms have sufficient stocks of high quality liquid assets to cover wholesale funding runoffs in a relatively extreme cyber run.
“Beyond their own stocks of liquid assets, these institutions have access to substantial additional emergency liquidity from Federal Reserve banks,” they explain. “The resiliency of the largest banks to cyber runs does not, however, ensure that the payment system would continue to process payments sufficiently rapidly to avoid damage to the real economy.”
They say that “a sufficiently extreme cyber run could dangerously slow down the processing of wholesale payments, even if every systemically important bank has ample liquidity for its own survival.”
Potential remedies could involve digital tokenization of payments or “emergency temporary central-bank accounts for non-banks such as money market funds that could become de-facto payment nodes,” the paper says. But, it adds, “These approaches bring significant costs and benefits.”
Emergency Payment Node
Duffie and Younger raise the alternative idea of an emergency payment node (EPN), “a narrow payment-bank utility.”
When activated during an emergency, the EPN would process payments “within a prescribed wholesale payment network consisting of eligible banks and non-bank financial firms, such as primary dealers, money market funds, and government sponsored enterprises.”
“Although an EPN would not be perfectly immune to a cyber event,” according to the Cyber Runs paper, “under normal safeguards it would be significantly more resistant to cyber risk than a large operating bank, given the extremely narrow function of an EPN, the highly proscribed set of eligible account holders, the limited points of network access, and the lack of normal account activity outside of an operational payment crisis.
“On the other hand, it would be costly to maintain an EPN in a constant state of operational readiness. Potential users would also bear costs for maintaining durable, albeit dormant, account access. Moreover, running periodic stress tests of an EPN increases the risk that the EPN itself could become infected with latent cyber viruses.”
Duffie and Younger suggest that the EPN could be “operated and governed as an industry utility, in the spirit of the New York Clearing House Association, which was a crisis backstop to the bank deposit system before the Fed existed. Like an EPN, the NYCHA was not only an inter-bank clearinghouse - it also provided direct access to non-bank depositors who were concerned about holding their funds in conventional bank accounts.”
Payments and Stress Tests
The paper closes with a section on scenario analysis and stress testing, noting, “bank regulators could include cyber scenario analyses into their Dodd-Frank mandated stress tests, within the existing frameworks for operational risk.
“Given the interactions that we have outlined between cyber runs, financial stability, payment systems, and the macro-economy, holistic scenarios incorporating cyber runs could reveal some of the most pertinent systemic interactions.”
It cites a principle in a 2018 Centre for Economic Policy Research discussion paper regarding “cyber stress tests that explore common vulnerabilities that may amplify the impact of a cyber shock,” and points out that “the Bank of England, set in motion by its Financial Policy Committee, plans to conduct cyber stress tests in 2019 with this principle in mind, and with a focus on payments.”
FSB Working Group
For its part, the Financial Stability Board said that after agreeing in October 2018 “on the importance of having in place effective practices relating to a financial institution's response to, and recovery from, a cyber incident,” it formed a Cyber Incident Response and Recovery (CIRR) working group. Its objective: “to develop a toolkit of effective practices to assist financial institutions, as well as for supervisors and other relevant authorities, in supporting financial institutions, before, during and after a cyber incident,” FSB said in a May progress report.
The first phase of work on the toolkit “will continue until October 2019 and focuses on identifying and developing effective practices.” The second phase “will likely commence during the last quarter of this year and will focus on drafting of the toolkit. It will subsequently involve a public consultation to be conducted in early 2020.”
“The toolkit is not intended to be an international standard nor a prescriptive approach for financial institutions or their supervisors,” FSB said. “This project seeks to mitigate the implications of cyber incidents on financial stability, by taking into account their cross-border and cross-sectoral nature.”
GARP Editor-in-Chief Jeffrey Kutler contributed to this article.