During today's Semi-Annual Monetary Policy Report to Congress, Senator Jon Ossoff asked Federal Reserve Chair Jerome Powell what he deemed "to be the greatest systemic threats to medium-term financial stability, whether limited to the United States or globally." Powell's response deserves serious attention from lawmakers and regulators around the world: "I have to say that what worries me the most is really cyber risk. You know this is a constant concern. And we put a lot of resources into it, just like the private sector. We have a playbook for bad loans and risk mismanagement." He is certainly right. Both in the United States and abroad, many banks have gone bankrupt, or virtually failed, because of significant credit or operational risks, and regulators and lawmakers have learned a great deal from the financial crisis of 2007-2009.
Chair Powell went on to say that "we have a lot of capital in the system." This is also correct. Thanks to the Basel III rules, the world's most systemically important banks not only hold more capital, but that capital is of much better quality and far more loss-absorbing than was required before Basel III was completed in 2010. In addition, global systemically important banks are now subject to liquidity rules that require them to hold high-quality liquid assets sufficient to withstand credit and market crises.
Cyber risk, however, is very different. "... As you can see, with the ransomware issues ... now it's just a running race to keep pace. And we haven't had to deal with a major cyber event from a financial stability perspective, and I hope we haven't. But that's the thing that worries me the most." Powell had recently expressed similar concerns about cyber risk during an interview on CBS's 60 Minutes.
Powell is right to be worried. Cyber attacks have increased in recent years, and especially since COVID-19 struck. According to a report published by the Financial Stability Board earlier this week, "Although cyber activities such as phishing, malware and ransomware are not new, they have increased with the spread of the pandemic, from less than 5,000 per week in February 2020 to more than 200,000 per week by the end of April 2021." Of all sectors of the economy, the financial sector is the target of the most cyber attacks.
Financial institutions certainly know that cyber risk is a major concern. In a study published by ORX last month, information security, including cybersecurity, was cited as "the industry's biggest concern that can impact organizations financially, operationally, and reputationally."
According to the Financial Stability Board, "Ongoing investments in and maintenance of cybersecurity, such as firewalls, anti-virus software, intrusion detection systems and security operations centers, are essential. At the same time, financial institutions must recognize the human factor as a central part of the cybersecurity chain (for example, the handling of confidential information by employees working from home). Common attack methods, such as phishing, target both employees and consumers."
In April, the Basel Committee on Banking Supervision (BCBS) published its Principles for Operational Resilience. One of the key principles concerns information and communication technology (ICT), including cybersecurity. The BCBS recommends that banks ensure resilient ICT, including cybersecurity, that is subject to regularly tested protection, detection, response and recovery programs, that incorporates appropriate situational awareness, and that delivers relevant information in a timely manner to risk management and decision-making processes. The aim is to fully support and facilitate the delivery of critical bank operations.
Importantly, here in the United States, the Federal Financial Institutions Examination Council (FFIEC) recently updated the 'Architecture, Infrastructure, and Operations (AIO)' section of the FFIEC Information Technology Examination Handbook. Many parts of this important bank examination manual are devoted to instructing bank examiners on what to look for in how banks manage cybersecurity risk. Every supervisory officer at each Federal Reserve Bank has been informed of the AIO. Professionals with IT responsibilities at banks would be doing themselves a big favor by reading this manual before the examiners arrive at their banks.