Various public and private authorities have come to see cyber risk — risk emanating from computer systems and computer networks — as a significant channel for systemic risk. Recent examples include the Bank of Canada (2014), the BIS (2014), the Bank of England (2015) and the SEC (Ackerman 2016).
Cyber risk is certainly a real and growing threat to the well-being of financial institutions, with most months bringing news of a major systems failure, hack, or outright theft, like the recent $81 million theft from the Bangladeshi Central Bank. While obviously a microprudential issue, is it really a systemic concern?
As the argument goes, yes, because the increasing threat of failure of critically important computer systems threatens the internal operations of financial institutions and the plumbing of the system. Since everybody is interconnected, if systems fail the consequence is a loss of confidence, disappearence of liquidity, and hence ultimately a systemic crisis.
We disagree. While one can certainly envision a cyber event so severe that it would cause a systemic crisis under the right circumstances, in normal times it is highly unlikely, almost no matter what the severity of the cyber event.
Financial systemic risk
Systemic risk is generally seen as the potential for a major financial crisis adversely affecting the real economy, as defined by the IMF-BIS-FSB in 2009. Addressing such systemic risk – macroprudential policy – is one of the three planks of government financial policy, the others being monetary policy and microprudential policy – the protection of bank clients.
Systemic crises do not happen frequently. By studying the IMF-WB crisis database (Laeven and Valencia 2012), we find they happen once every 42 years for OECD members. If anything, that is an overestimate, as the database includes relatively non-extreme events, like October 1987 and August/September 1998.
The fundamental cause of financial systemic risk is excessive risk-taking by financial institutions, where perhaps the best indicator of a future crisis is large credit growth, as shown by Taylor and Schularick (2009). This is especially dangerous when the resulting risk is undetected or ignored by the powers that be, creating the potential for an abrupt fall in confidence as discussed here on Vox by Danielsson and Zigrand (2015).
The root cause of systemic crises is risk-taking behaviour of economic agents
In turn, the behaviour of these economic agents is directly motivated by confidence. It is a fundamental element of financial markets because we only participate willingly in the markets if we believe the financial system will continue to function in the same way as we have always seen it function. In particular, we need to have faith in what is often called the plumbing of the financial system, such as the payment system and the ability to trade and clear financial assets.
Conversely, the disappearance of confidence is a strong and often early indication of crisis. We have to believe that the financial edifice is at real risk of collapsing for a crisis to really turn systemic. The best example of this is 1914, where the assassination of the Archduke Ferdinand triggered a systemic crisis in global financial markets long before the actual war broke out. It was the anticipation of a war and failure of cross-border payments that was the main trigger of the crisis (Danielsson 2013).
When it comes to identifying the origins of cyber risk as systemic risk, it is important to distinguish between a trigger and a root cause, where in general triggers are irrelevant for policy purposes, since there are a very large number of potential triggers, unless both the timing is fortuitous and no other triggers exist.
We do not see how cyber risk could be the root cause of a systemic crisis because there is no direct connection between the failure of computer systems, no matter how severe, and the behaviour of those economic agents which ultimately culminates in a systemic crisis.
A cyber event could act as a trigger provided the timing is just right. An exogenous crisis event, like a cyber attack, that results in a fall in confidence and liquidity would not be systemic provided the levels of excessive risk-taking had already not reached a tipping point. If not, we can expect to recover on a timescale that makes real-world impact moderate, as in October 1987, LTCM in 1998 and the 2010 flash crash.
Consider a potential disaster scenario – the total failure of a country’s ATM system, or even the payment system, for a few days. Would that be systemic?
Well, it depends. If it happened today, it is highly unlikely because people would recognise that the disruption was temporary, and the end result would only be a frustrating and costly temporary disruption. The failure would not trigger a crisis provided that people believed the authorities would react appropriately.
However, if the failure had happened on 1 October 2008, things could have been different. At that time, people everywhere were converting bank balances into cash in response to the Global Crisis and both the Eurozone and the UK were not too far away from running out of cash, perhaps only hours. Any disruption to the delivery of cash could have drained confidence, potentially turning existing problems into a systemic event.
The crucial role of timing means that any attacker must either be able to create a heightened state of financial market vulnerability, be very lucky, or else both be capable of maintaining her attack vectors in place for years or decades and be sufficiently patient to wait.
The origins of cyber risk
There are four broad origins of cyber risk: technical computer system failures, theft, hacktivists and terrorists, and state actors.
Systems failures and theft can be expected at any time, and have a very large microprudential impact. However, since the timing and victims are likely to be idiosyncratic, it is practically impossible for them to act as a trigger for a systemic crisis and they certainly cannot be a root cause.
Hacktivists and terrorists could subvert IT systems to promote a political agenda, possibly with multiple targets and as part of a broader strategy of disruption. They are very unlikely to have systemic consequences because they would have to combine the attack with other forms of aggression, and can at best trigger a systemic crisis provided the timing is absolutely right.
The only actors with sufficient resources to cause a systemic crisis are the largest sovereign states. They can spend years developing and deploying attacks, keeping them hidden until in a coordinated fashion it attacks multiple IT systems. However, even in this case, a cyber attack would not be sufficient unless it was on a colossal scale, involving multiple computer systems and their backup mechanisms.
For a state actor with the necessary resources, however, it might be just as easy to manufacture the necessary uncertainty through financial means by, for example, making credible threats to world trade, the sequestration of foreign assets, or by the repudiation of international liabilities. If carried out on a sufficiently large scale, in our highly connected world these could easily lead to a repeat of the experiences of 1914. All these attacks require is enough international connectedness to allow trust in domestic institutions to be destroyed by a foreign actor.
While financial warfare of this type would presumably be accompanied by a cyber attack it is not clear that the cyber element would really be necessary, and even then it would likely only play a secondary role.
While systemic risk is frequently invoked as a key reason to be on guard for cyber risk, such a connection is quite tenuous. A cyber event might in extreme cases result in a systemic crisis, but to do so needs highly fortuitous timing.
From the point of view of policymaking, rather than simply asserting systemic consequences for cyber risks, it would be better if the cyber discussion were better integrated into the existing macroprudential dialogue. To us, the overall discussion of cyber and systemic risk seems to be too focused on IT considerations and not enough on economic consequences.
After all, if there are systemic consequences from cyber risk, the chain of causality will be found in the macroprudential domain.