Cyber runs: How a cyber attack could affect U.S. financial institutions

Researchers of Hauri, an IT security software company investigating computer viruses, work at their lab in the company in Seoul March 22, 2013. This week's cyber-attack on South Korean broadcasters and banks may not have originated in China after all as the IP address has been traced to one of the victim banks, the communications regulator said on Friday.  REUTERS/Lee Jae-Won (SOUTH KOREA - Tags: SCIENCE TECHNOLOGY CRIME LAW BUSINESS TELECOMS) - GM1E93M1BKH01

Cyber risks to financial stability have received significant attention from policy makers. These risks are worsened by the increasing diversity of perpetrators—including state and non-state actors, cyber terrorists, and “hacktivists”—who are not necessarily motivated by financial gain. In fact, for some actors, the potential of exploiting a cyber event to inject systemic risk into our highly interconnected global financial system may actually be an enticement. Beyond general concerns about cyber risks that are common to many firms, discussion papers and official-sector policy documents have noted the threat of cyber attacks on financial market infrastructure and bank deposits. Some reports mention the implications for confidence in financial institutions and the potential for runs. We are not aware, however, of prior work on the nature of a cyber run, including its propagation dynamics, potential scale, and ancillary effects on the payment system.

Could a cyber attack on a large bank’s wholesale depositors morph into a serious and contagious bank run? This Hutchins Center working paper by Darrell Duffie of Stanford University and Joshua Younger of J.P. Morgan Chase & Co. analyzes the financial-stability implications of such a “cyber run.”

They consider scenarios in which a significant cyber attack on a bank’s deposits, whether by theft, data corruption, or denial of access, may lead wholesale depositors in the same and other large banks to withdraw their funds rapidly enough to threaten the liquidity of these institutions or the effectiveness of the payment system. After a brief review of potential triggering cyber events, they outline run dynamics and magnitudes.

Their analysis of a sample of twelve systemically important U.S. financial institutions suggests that these firms have sufficient stocks of high quality liquid assets to cover wholesale funding runoffs in a relatively extreme cyber run. Beyond their own stocks of liquid assets, these institutions have access to substantial additional emergency liquidity from Federal Reserve banks. The resiliency of the largest banks to cyber runs does not, however, ensure that the payment system would continue to process payments sufficiently rapidly to avoid damage to the real economy. During a severe cyber event, especially one whose reach into the banking system is uncertain, non-banks may be reluctant to send funds through customary bank payment nodes. As a potential safeguard, they raise the idea of an “emergency payment node,” a narrow payment-bank utility that could be activated during operational emergencies to process payments between a key set of non-bank financial firms. The paper ends with an overview of other forms of preparedness, including cyber-run stress tests.

Read the full paper here

The authors did not receive financial support from any firm or person for this article or from any firm or person with a financial or political interest in this article. Joshua Younger is currently a managing director for J.P. Morgan Chase & Co.