When asked during congressional testimony last week, Federal Reserve Chairman Jerome Powell, who was appearing in front of the House Committee on Financial Services, told lawmakers that the number one threat to the stability of the U.S. financial system is its ability to respond and mitigate a large-scale cyberattack against the financial system.
“The clear answer to me would be cyber risk,” Powell said in response to a question from Rep. Jim Himes, D-Conn. Himes asked Powell what unnoticed threats may be lurking. Powell added that the current state of the threat is about normal, but that Congress should double down on possible remedies.
Powell also said that banks should update their protections and improve their security hygiene. The risks to the financial system have gained renewed interest recently, along with the rising concerns of nation-state hacking and similar capabilities against the critical infrastructure.
Last month, Christine Lagarde managing director of the International Monetary Fund wrote about estimating cyber risk for the financial sector in an IMF blog post. Based on a recent IMF study, Lagarde estimated potential annual losses from cyberattacks against the financial sector could reach about 9 percent of banks’ net income globally, or $100 billion. “In a severe scenario — in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion — losses could be 2½-3½ times as high as this, or $270 billion to $350 billion,” she wrote.
According to her post, the modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. “This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses,” Lagarde wrote.
The losses are based on real-world recent losses from cyberattacks in 50 countries. “The framework could be used to examine extreme risk scenarios involving massive attacks,” she wrote. “The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.”
While there have yet to be any real-world losses stemming from wide-scale cyberattacks on the financial sector, more observers in industry and government are growing concerned.
In a survey conducted by the Depository Trust and Clearing Corporation and published as the DTCC Systemic Risk Barometer More, than a third (36 percent) of survey respondents view cyber risk as the number one threat to the broader economy in 2018, with 78 percent of respondents ranking it as a top 5 risk — a 7 percent increase from the previous survey.
“Cyber risk continues to intensify across all sectors of the financial ecosystem, and it’s becoming increasingly clear that no area is immune to this threat,” Michael Leibrock, DTCC’s Chief Systemic Risk Officer, said in a news release. “As a result, it is critical that firms prepare response plans, maintain playbooks and practice cyber-attack simulations as key components of their risk management efforts,” he added.
On those points, I don’t think many would disagree.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2018/07/26/cyberattack-biggest-threat-against-u-s-financial-system/