Europe’s systemic risk watchdog has warned that a single cyber incident could escalate from operational disruption into a major liquidity crisis across Europe.
The European Systemic Risk Board (ESRB) oversees banks, insurers, asset managers, financial market infrastructures and other financial institutions.
A cyber incident could “create disruption on such a scale that it has the potential to have serious negative consequences for the internal market and the real economy,” the ESRB warned, in a report that gamed both malicious and accidental incidents.
Systemic Cyber Risk: What’s the Culprit?
The report, published in February, was revisited by Computer Business Review this week apropos growing concerns about software supply chains.
In it, the ESRB particularly emphasised “insufficient industry oversight of third party suppliers and the supply chain” as among the most prominent risks.
It is not alone in identifying this as a growing risk to the economy: The Linux Foundation recently published the results of a major census that aims to pinpoint risks in the open source software supply chain and the structural issues that threaten it.
According to the watchdog, a malicious or redundant line of code in a routine software upload has the potential to corrupt the batch scheduling software that underpins payment processing. This would lead to massive backlogs, cascading into millions of unprocessed transactions, forcing the closure of the bank and sending its stock plummeting.
This, in turn, could trigger an industry-wide crisis, it suggests. (The hypothetical scenario, described in detail on page 32 of the report, may strike some as unlikely, but the ESRB claims that “further aggravating circumstances and failing business continuity plans” could rapidly escalate into a broader loss of confidence in the industry.)
Malicious Attack Hits Continuity Plans
A second scenario sketched out in the report may be more alarming to some.
Emphasising the growing sophistication of financial sector hackers (and pointing to the 2018 attack on Cosmos Bank in India, during which threat actors coordinated across nearly 30 countries to withdraw over $11 million), the ESRB suggests that a single sophisticated, malicious penetration of a major financial services actor could trigger a liquidity crisis.
Under this scenario, the bank’s continuity plans become ineffective after “malicious actors were able to alter technical recovery procedures.”
If extensive enough, this could make posting collateral to receive emergency liquidity from the central bank more difficult, it speculates: “Further incapacitation of Bank Y’s collateral framework would also render the bank unable to meet margin calls (e.g. from central counterparties (CCPs)) and likely trigger default management procedures and could potentially trigger the intervention of resolution authorities.”
“Unfortunate Alignment of Factors”
Overall, cyber risk has evolved from being an operational risk with a limited potential impact on financial stability “to a systemic risk with the potential for severe impacts on financial stability and the real economy”, the ESRB notes, while admitting that such an outcome would require an “unfortunate alignment of factors” in the industry.
In a bid to tackle such threats the financial industry has pooled its growing knowledge of how to combat cyber threats on several forums, some of which have grown hugely in significance. The Financial Services Information Sharing and Analysis Centre (FS-ISAC), started in 1999, has become the global financial industry’s hub for sharing analysis on threat intelligence on cyber risks. The FS-ISAC now includes 7000 financial institutions.
Central Banks Need to Think About Their Roles
While financial institutions remain at risk from large-scale public cyber threats, they are still incurring smaller cyber-attacks that cost them billions of dollars a year. The ESRB estimates that in 2018 the global economy lost $654 billion to “cyber-incidents”.
Central banks, meanwhile, need to “reflect on the challenges to their traditional tools and emergency plans”, including assessing how emergency liquidity assistance frameworks could be used in the event of a systemic cyber crisis.
They should also explore, it suggests, their role in data recovery when the “transfer of functions” of a crippled organisation is needed.