On September 14th 2007, British lender Northern Rock announced that the Bank of England had stepped in to provide emergency support to keep the bank afloat.
Many more such government bailouts followed over the following months as the Global Financial Crisis unfolded.
Public markets plunged, global economies went into recession, layoffs and unemployment spiked. Ten years later the world looks to be back on solid footing.
Yet the next catastrophe may be just around the corner.
While the financial industry, regulators and central banks have been busy cleaning up the mess of the crisis ten years ago, the financial system has undergone significant change.
Technology has transformed the industry in unprecedented ways, presenting great opportunities to both consumer and financial institutions; but at the same time it has introduced risks that neither the industry nor central banks and regulators know how to manage.
The most worrisome risk of all: cyber.
A complex, hard-to-detect cyber-attack could bring down not just a single institution, but also large parts of financial markets, potentially causing damage far in excess of the 2007/2008 crisis.
Ten years after the Northern Rock bailout, stock markets trade at or near all-time highs, volatility measures – also known as fear indicators – at or near all-time lows, and global growth has been steady.
Investors seem so worry-free that they are once again embracing the opaque and often risky investments at the core of the crisis ten years ago.
And while investors’ complacency and exuberance in borrowing as a result of ultra-low interest rates are certainly concerning, the true cause of the next financial crisis may be lurking where only few would think to look.
Since the crisis ten years ago, the Financial Services landscape has changed dramatically.
Financial technology firms like Nutmeg or Omise have entered the financial ecosystem, providing services at often lower cost while emphasizing an outstanding customer experience.
At the same time, traditional financial services providers have not stood idle, developing their own digital platforms. Innovation is occurring at a tremendous pace, generating significant benefits for the consumer as well as for the financial system. Costs are decreasing, while efficiency and effectiveness of financial transactions are improving.
Simultaneously, the current wave of technology-enabled transformation is making the already-complex financial system even more complex, and the new technology actors are driving fragmentation.
While a customer in the past had a deep relationship with one bank, which in turn would provide that customer with a range of products and services, consumers now have the ability to utilize a host of providers, each for a specific service.
The fuel that drives all this innovation is data.
Innovation incentivizes and facilitates the collection of large amounts of customer data and enables the transfer and sharing of that data between providers more easily.
The reliance on data and the increase of the volume, variety and concentration of the data collected makes financial services providers valuable targets for cyber-attacks.
Banks have historically always been preferred prey for criminals and now, as they increasingly substitute cash holdings for data holdings, they continue to be attractive targets.
The mode of attack shifts from the classical bank robbery to an attack on its digital infrastructure, with the payout of successful attacks surely many times greater.
The growing interconnectedness and velocity of data further increase vulnerability by widening the attack surface. Often, many of the new technology actors entering financial services lack the capacity to develop sophisticated cyber defence, as they tend to be lean-run ventures with the business priority of getting to market as quickly as possible.
As attackers will usually look for the weakest link in the chain, these new actors provide relatively easy targets for entering and compromising the system.
While the attractiveness of, and opportunity for, attacks continues to grow, so, too, does the technical sophistication of criminals.
Artificial intelligence and machine learning have led to more sophisticated attack capabilities and have enabled new criminal usage of captured data.
While attackers in the past might have looked to steal data to use it in fraudulent transactions, or to hold it hostage in order to extract ransom, they may now look to manipulate data within the system, which has the potential to dramatically intensify the impact of a successful attack.
Gone are the days in which attackers seek to gain access to an institution’s system and, once inside, grab information, then leave and commit fraud.
Today’s cyber attackers aren’t seeking quick results. Rather, they endeavour to enter networks silently, probe vulnerabilities and use their host’s trusted connections to spread into other institutions’ networks. It is this new threat that holds the potential for a large- scale financial crisis.
A disruption of the larger financial system could bring down a host of financial institutions and halt financial markets and transactions networks.
More significantly, it would severely undermine the lifeblood of financial services: trust.
Customers wouldn’t trust service providers, service providers wouldn’t trust customers, and institutions wouldn’t trust each other.
If this sounds like a bad horror story, then the recent breach of Equifax affecting the personal data of 143 million Americans is a timely reminder of the severity of the challenge.
Fortunately, it’s not all doom and gloom.
Financial institutions comprehend the risks that sophisticated cyber-attacks pose and have beefed up defence. But developing new security strategies is expensive and labour-intense. Banks run complex operations and tend to rely on legacy systems that cannot easily be upgraded or replaced, and so often require less-than-ideal workarounds.
Ultimately, the most powerful risk mitigation will not come from improvements in individual institutions’ defence capabilities. Rather, the industry and regulators should come together to develop systemic solutions to the growing cyber-threat. Such a systemic effort could result in better threat-information sharing, allowing for the faster identification of potential cyber threats and quicker development of solutions.
Similarly, the industry could develop a transparent and independent quality assessment applicable to all financial services players.
Just like a consumer in New York City can decide whether or not to dine at a certain restaurant based on the restaurant’s hygiene rating, such a quality assessment would allow customers to make educated decisions on whether or not to use a certain financial service based on the provider’s cyber score.
Another idea is for innovators and existing service providers to come together and agree on a framework for innovation control by mandating a greater focus on cyber security throughout the innovation process.
There are numerous other ideas on how to improve cyber defence and system stability, and none of the proposed solutions are perfect by themselves. They come at a price —either through high business cost to financial institutions, or through their potentially negative implications for innovation or financial inclusion.
In the end, the very technology that might bring the system down can also – if in the right hands – be a source of powerful protection from attacks.
Artificial Intelligence, for example, can detect malicious activity well before humans realize criminals have entered, or are trying to enter, the financial system.
Whether it is through joint public-private efforts to improve system security and stability, or through technology solving the very challenges it created in the first place, the time to think about and develop solutions is now.
It took ten years and counting to work our way out of the last major financial crisis. Putting sound frameworks in place today might spare us a far more difficult recovery effort in the future.