How to Focus Cybersecurity Efforts on Financial Stability

Financial firms fight malicious cyber threats all the time. They’re choice targets. They rely on information technology to move money. They are linked to each other, to markets, and to the rest of the economy. Breaches can cause real harm to operations and customers. In response, regulators and financial firms have made significant progress in addressing cyber risks for individual firms.

Firms and regulators widely agree that cybersecurity incidents can also threaten the stability of the financial system as a whole. Less understood is how to address these broader financial stability risks.

In a new paper in the OFR Viewpoint Series, the OFR concludes that regulators can build on their progress with a broader approach to cyber resilience that focuses on links among financial firms and on all points along financial networks. Collaboration is essential because regulatory boundaries may limit regulators’ views into key parts of financial networks. Potential blind spots include third-party vendors, overseas counterparties, and cross-border service providers. The viewpoint describes how a cyber incident could threaten financial stability through three channels:

1. Lack of substitutability. In many financial services networks, a few firms and utilities are hubs. Their services would be hard to replace. These hubs include central banks; custodian banks; and systems for payment, clearing, settlement, and messaging. Policies that foster substitutes can reduce systemic risk.
2. Loss of confidence. Hackers target customer account data, as well as financial assets. So far, most hacks have been one-off events, hurting just the victim firm and its customers. A bigger theft, however, could damage confidence in the system.
3. Loss of data integrity. The integrity of financial data is critical. Firms need robust systems to back up data so they can recover soon after a cyber incident. But tension can exist between recovering quickly and making sure recovered data are safe and accurate and do not spread cyber risks.

The viewpoint also looks at how U.S. financial firms and regulators deal with cyber threats. More and more, firms report in their public filings that cybersecurity is a key risk.

Industry and regulators are working together to build resilience and capacity to recover. One industry program, Soltra, is creating a platform firms can use to share threat news. Industry, government, and academia have held exercises to prepare for systemwide incidents. After these exercises, the industry set up a data protection program called Sheltered Harbor. That effort covers retail activities of U.S. banks and brokers. It supports a distributed data storage system. That is, data are not stored centrally. Through Sheltered Harbor, a firm can store customer account data and reconstitute those data, even if a hack disrupts the firm’s operations.

U.S. regulators recognize the threat of cyber incidents to the firms they supervise. They take varied approaches to that threat:

• Bank regulators factor cybersecurity preparedness into stress tests, resolution plans, and safety-and-soundness supervision. Standards include third-party vendors and contractors that provide key services. Bank regulators also offer a voluntary tool that banks may use to assess risk and preparedness. Regulators issued a proposed rule in October 2016 to set enhanced cybersecurity standards for large firms.
• The Securities and Exchange Commission sets expectations for recovery times after a cybersecurity incident or other operational risk event. These requirements apply to registered clearing agencies, alternative trading systems, and plan processors. Compared with bank regulators, the SEC has more limited authority over third-party vendors that sell services to its regulated firms. The SEC has also issued a draft rule that would set cybersecurity expectations for investment advisers.
• Insurance regulators focus on securing customer data. Criminals have targeted customer records in hacks on health insurance firms. The National Association of Insurance Commissioners has drafted a model law for states that would raise standards for data protection. A final model law has not been published.
• The Commodity Futures Trading Commission finalized a rule in September 2016 setting cybersecurity testing requirements for derivatives clearing organizations, designated contract markets, swap execution facilities, and swap data repositories. The plans call for recovery by the next business day after a disruption.

These steps are all important to improve firms’ resilience and ability to recover from cyber incidents. More work is needed to address the many links among firms and markets. Those links occur through systems for payments, clearance, and settlements; counterparties; IT systems and platforms; and financial-market pricing. Regulators and firms also need to keep working together to build capacity across the financial system to recover from cyber incidents.

Richard Berner is the Director of the Office of Financial Research