Cybersecurity

FEMA for Finance

Modern financial systems are inherently vulnerable. The conversion of savings into investment—a basic function of finance—involves substantial risk. Creditors often demand liquid, short-term, low-risk assets; and borrowers typically wish to finance projects that take time to generate their uncertain returns. Intermediaries that bridge this gap—transforming liquidity, maturity and credit between their assets and liabilities—are subject to runs should risk-averse savers come to doubt the market value of their assets.

The modern financial system is vulnerable in a myriad of other ways as well. For example, if hackers were to suddenly render a key identification technology untrustworthy, it could disable the payments system, bringing a broad swath of economic activity to an abrupt halt. Similarly, the financial infrastructure that implements most transactions—ranging from retail payments to the clearing and settlement of securities and derivatives trades—typically relies on a few enormous hubs that are irreplaceable in the short run. Economies of scale and scope mean that such financial market utilities (FMUs) make transactions cheap, but they also concentrate risk: even their temporary disruption could be catastrophic. (One of our worst nightmares is a cyber-attack that disables the computer and power grid on which our financial system and economy are built.)

With these concerns in mind, we welcome our friend Kathryn Judge’s innovative proposal for a financial “Guarantor of Last Resort”—or emergency guarantee authority (EGA)—as a mechanism for containing financial crises. In this post, we discuss the promise and the pitfalls of Judge’s proposal. Our conclusion is that an EGA would be an excellent tool for managing the fallout from dire threats originating outside the financial system—cyber-terrorism or outright war come to mind. In such circumstances, we see an EGA as a complement to existing conventional efforts at enhancing financial system resilience.

However, the potential for the industry to game an EGA, as well as the very real possibility that politicians will see it as a substitute for rigorous capital and liquidity requirements, make us cautious about its broader applicability. At least initially, this leads us to conclude that the bar for invoking an EGA should be set very high—higher than Judge suggests….

Read More

Cyber Instability

When terrorists attacked the World Trade Center on September 11, 2001, they also attacked the U.S. financial system. In addition to destroying critical financial infrastructure, the collapse of the twin towers closed the New York Stock Exchange and disrupted the payments system that links U.S. intermediaries, threatening to shut down banks, ATM machines and credit card operations across the country. Only extraordinary intervention by the Federal Reserve kept the system afloat (see, for example, Rosengren).

We have long argued that financial stability is a vital common resource (see here). As ECB Board member Cœuré suggests in the opening quote, the same applies to financial cybersecurity—the protection of financial information and communications technologies (ICT) and their associated networks from failures and attacks. The events of 9/11 and their aftermath dramatically highlighted the link between stability and cybersecurity. Moreover, because our financial system is so deeply reliant on ICT and on large, global networks, these two objectives are more closely linked than ever before: ensuring one means guarding the other.  

In this post, we highlight the pervasiveness of cyberthreats as a source of operational risk in finance. Consistent with the Presidential Policy Directive 21 and a recent Presidential Executive Order aimed at strengthening cybersecurity, the U.S. government has designated financial services infrastructure as critical to national and economic security (see here). Nevertheless, numerous challenges—ranging from the availability of reliable data to the ever-changing nature of the attacks themselves—make the goal of safeguarding financial ICT networks very difficult. To be effective, cybersecurity efforts require mechanisms for preventing successful attacks, limiting their impact, and promoting quick, reliable recovery. Reducing vulnerability and contagion while boosting cyberresilience is a very tall order….

Read More