The Federal Reserve Bank of New York (“FRBNY”) analyzed the potential impact of a cyberattack transmitted through a payment system against a (i) single large bank, (ii) group of smaller banks and (iii) common service provider.
In a report entitled “Cyber Risk and U.S. Financial System: A Pre-Mortem Analysis,” the FRBNY warned that an attack on a bank’s ability to send payments “would likely be amplified to affect the liquidity of many other banks in the system.” According to the FRBNY, the U.S. financial system would be impaired by such an attack on (i) any one of the five most active U.S. banks, (ii) several small to midsize banks that are associated through a shared vulnerability or (iii) a bank with a small number of total assets but a heavy payment flow.
Additionally, the FRBNY:
– compared cyber risk against the “broader theoretical literature on bank runs,” such as cyber and other shocks modeled in the theoretical literature;
– investigated the quantitative impact that a cyberattack can have on the financial system by studying the impairments of a cyberattack on a set of banks’ payment activities in Fedwire Funds Service;
– conducted a baseline scenario to highlight the high concentration of payments between large institutions within the wholesale payment network, and the great imbalance in liquidity that follows if a large institution does not remit payments to its counterparties; and
– considered scenarios involving multiple institutions that would be directly affected due to technological or other commonalities.
Presumably, the bad guys know how to do this anyways, and the issues raised will focus the good guys on the risks.