Cyber Security
Friday, May 31, 2024
By Jeffrey Kutler
It is a sign of the times that wherever business leaders gather, conversations converge on artificial intelligence. The subject came up countless times during the recent Milken Institute Global Conference, with an added twist from State Street Corp. Chairman and CEO Ron O’Hanley.
Asked in a capital markets panel discussion if he thinks more about AI than any other issue, O’Hanley replied, “Except for cyber.”
That aligns with surveys that for years have placed cybersecurity at or near the top of risk management concerns and priorities. A recent spate of financial stability reports from the International Monetary Fund, the Federal Reserve Board and other authorities reflect those perceptions while also delving into the complexities of “polycrisis” (also a Milken Conference topic).
The European Central Bank, for example, in its May 2024 stability review warned of a “variety of channels” through which geopolitical risk could adversely affect the global economy; saw “a greater need to respond to cyber and climate risks, and strong interlinkages with the non-bank financial intermediation sector,” posing challenges to banks in its region; and said the banks “need to press ahead with digital transformation, not least so that they can respond to the growing threat of cyber risks as well as address the opportunities and challenges associated with the rise of artificial intelligence.”
Klaas Knot is chair of the FSB and president of De Nederlandsche Bank.
Along similar lines, Financial Stability Board Chair Klaas Knot, in an April 26 speech to the Systemic Risk Council, pointed to “a financial world that is increasingly interconnected through accelerating digitalization,” which in turn “increases the contagion potential of a cyber or operational incident at a financial institution.”
Two weeks prior, in a speech on Cyber Risk and Its Implications for Financial Stability, Bank of Spain Governor Pablo Hernández de Cos cited the European Systemic Risk Board’s recognition of cyber as “among the main sources of systemic risk.” Per a 2020 ESRB report, a cyber shock “may have the potential for serious negative consequences for the real economy,” capable of “impairing the provision of key economic functions, generating significant financial losses and undermining confidence in the financial system.”
De Cos traced rising cyber risk exposures to digitalization, technology dependencies and financial-ecosystem complexity, noting that cyberattacks are “more sophisticated and have a larger potential impact, regardless of whether they are strictly economically or geopolitically motivated.”
Awareness is spreading that AI can be exploited by bad actors, and is thus intertwined with cybersecurity. And both are connected to the increasingly concerning geopolitical perils due to international hostilities both hot and cold, which have been linked to spikes in cyberattacks as well as trade and supply-chain disruptions. Unfolding within China-U.S. power dynamics is a “tech arms race” encompassing AI, chips and quantum computing.
“Cyber knows no boundaries,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), previously head of firm resilience at Morgan Stanley, has said.
In the World Economic Forum’s 2024 Global Risks Report, cybersecurity was ranked fourth in severity over the next two years (behind misinformation and disinformation, extreme weather events, and societal polarization). “Cyber insecurity” occupied a corner of the WEF’s “interconnections map” (see detail from the map below) – near misinformation and disinformation, and close to adverse AI and “frontier technology” outcomes, and concentration of technological power.
“With the global financial system facing significant and growing cyber risks from increasing digitalization and geopolitical tensions,” said an IMF Blog article referring to the fund’s latest Global Financial Stability Report, “policies and governance frameworks at firms must keep pace.”
“We need to be prepared for emerging challenges and position ourselves to understand them,” JPMorgan Chase & Co. Chairman and CEO Jamie Dimon wrote in his annual shareholder letter this April. The bank “created a new strategic security forum to focus on emerging and evolving risks, including trade wars, pandemics, cybersecurity and actual wars, to name just a few.”
An AI hazard ranked second, and cyberattacks fifth, on a World Economic Forum survey question to “select up to five risks that you believe are most likely to present a material crisis on a global scale in 2024.”
Released on April 19, the Federal Reserve’s semiannual Financial Stability Report headlined “four broad categories and how those categories might interact to amplify stress in the financial system”: valuation pressures, excessive borrowing by businesses and households, excessive leverage within the financial sector, and funding risks.
The central bank extended the narrative into near-term risks with potential systemic or spillover financial-stability consequences. These include higher-for-longer interest rates, worsening geopolitical tensions, and how “weakness in economic activity could compound existing strains in real estate markets, both domestically and abroad, and could amplify risks to the global financial system.”
Among 25 industry-professional contacts asked to identify “salient risks to financial stability” over the next 12 to 18 months, “persistent inflation, monetary tightening” was cited by more than 70%. Only two other risks, policy uncertainty and real estate, were above 50% in the polling by the Federal Reserve Bank of New York. Cyberattacks and severe recession were each under 30% (see graph). Cyberattacks did not appear on the fall 2023 salient list.
Fed Governor Michelle W. Bowman explained at the Texas Bankers Association annual meeting on May 10 that “because the report treats cyberattacks and geopolitical events as shocks, it touches on them only in a cursory way, even though these are important financial stability risks. Instead, the report focuses on key vulnerabilities that are more easily monitored and provides insights into the financial stability outlook as it relates to these factors.”
Governor Lisa D. Cook, however, drilled deeper into cyber risks in a Brookings Institution presentation on financial stability.
“I should emphasize at the outset,” Cook asserted, “that the Federal Reserve’s role in managing cyber vulnerabilities is focused primarily on ensuring the institutions we supervise effectively manage the cyber risks they face, including from key technology service providers to those institutions, and safeguarding the resilience of the services provided by the Federal Reserve and the financial system more broadly in the event of a successful attack.
“We also work with our partners across the government, including the U.S. Department of the Treasury, and with the private sector to understand and address cyber risks.”
Fed Governor Lisa Cook
In view of “an accelerating tempo of cyberattacks,” both criminal and nation-state, “we are examining cyber incidents carefully to make sure we have a fuller understanding of how attacks can affect the financial system, including through banks, non-bank financial firms, digital service providers, and critical infrastructure,” Cook stated. “In this work, we focus heavily on the operational resilience of the institutions we supervise, the service providers used by such institutions, and the financial services provided by the Federal Reserve.
“We have also begun to incorporate analysis of timely data on firm-level cyber vulnerabilities and interconnections across firms and with service providers to monitor cyber vulnerabilities at the system level.”
Relating financial resilience to cyber risk mitigation, Cook said, “Cyberattacks erode the confidence that investors and institutions have in each other and in the financial sector. While strong capital and liquidity positions will not, by themselves, prevent an intrusion, they leave the affected institution in a better position to rejoin the system once the attack is resolved and, most importantly, promote confidence among its counterparties.
“Moreover,” Cook continued, “the effects of chaotic markets may impact other institutions that suddenly face losses whose magnitudes might be hard to judge. Well-capitalized, highly liquid and well-managed institutions will be best positioned to manage such difficult circumstances.”
The rise in threats since the pandemic led the IMF to publish, as a chapter in its April Global Financial Stability Report, “Cyber Risk: A Growing Concern for Macrofinancial Stability.” Extreme losses “could potentially cause funding problems for companies and even jeopardize their solvency,” according to the team of authors, while reputational damage and security upgrades can take an additional toll.
“The financial sector is uniquely exposed to cyber risk,” they found. “Financial firms – given the large amounts of sensitive data and transactions they handle – are often targeted by criminals seeking to steal money or disrupt economic activity. Attacks on financial firms account for nearly one-fifth of the total, of which banks are the most exposed.”
Source: IMF (with data from Advisen)
The European Central Bank included in its May stability review a special feature offering “a conceptual framework for assessing the systemic implications of AI for the financial system.” AI and financial stabiity will be further examined June 6-7 in a Washington, D.C., conference co-hosted by the Brookings Institution and Financial Stability Oversight Council, where U.S. Treasury Secretary (and FSOC Chair) Janet Yellen and Acting Comptroller of the Currency Michael Hsu are scheduled keynote speakers.
The ECB article, credited to Georg Leitner, Jaspal Singh, Anton van der Kraaij and Balázs Zsámboki, said, “The emergence of generative artificial intelligence tools represents a significant technological leap forward, with the potential to have a substantial impact on the financial system. Conceptually, AI brings both benefits and risks to the financial system.
“Practically,” it went on, “the overall impact will depend on how the challenges related to data, model development and deployment are addressed – both at the level of financial institutions and for the financial system as a whole.” The ECB stability experts raised such issues as over-concentration of AI suppliers, operational risk including cyber, increased “market concentration and too-big-to-fail externalities,” and the potential for “herding behavior and market correlation.”
During a SAFE Policy Center-CEPR webinar on May 22, Zsámboki suggested that U.S.-China computer chip competition is an arena where geopolitical and AI risks come together.
As summed up in the April 30 risk update of the European Supervisory Authorities (European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority): “Risks remain elevated in a context of slowing growth, an uncertain interest rate environment and ongoing geopolitical tensions,” while strong financial market performance entailed “elevated risks of market corrections linked to unexpected events.”
The ESAs joined the chorus regarding the geopolitical-digitalization-cybersecurity nexus:
“The number of attacks and cyber threats is increasing, and while the impact of these attacks so far has been limited, cyber-related insurance claims keep increasing, and the (re)insurance industry is further strengthening pricing techniques and risk-transfer mechanisms. In the banking sector, the findings from the cyber resilience testing currently underway will be important.”
They underlined the importance of the EU Digital Operational Resilience Act (DORA) now coming into force, and said “crypto risk levels remain very high.”
The Bank of England Financial Policy Committee stability report in December (the next one is due in July) deemed the U.K. financial system stable amid a challenging risk environment, with banks well capitalized, and banks and businesses broadly resilient to higher interest rates.
The FPC flagged ongoing geopolitical risks affecting energy and commodity prices and volatility, and potentially “the macroeconomic outlook in the U.K. and globally through trade and other channels.” Financial market volatility could increase and particularly affect internationally focused U.K. banks.
“We cannot know the next shock that will test the resilience of the financial system,” Fed Governor Cook remarked. “That is why we focus on the resilience of the financial sector in our regulatory and supervisory work concerning banking organizations and in our engagement with other regulators.” She added that continuous monitoring and the reports on financial stability contribute “to the transparency and accountability of our efforts,” and that regulators value “public discussion of vulnerabilities to financial stability.”
•Bylaws •Code of Conduct •Privacy Notice •Terms of Use © 2024 Global Association of Risk Professionals