N.Y. Fed Warns Cyber Attack Could Pose Serious Threat to Financial Stability

January 27, 2020

A recent paper from the New York Federal Reserve Bank examines how a cyberattack could spread through the U.S. financial system, particularly the wholesale payments network. The paper estimates that “the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average.” The N.Y. Fed’s research aims to inform possible policy responses and to evaluate current vulnerabilities in the financial system. The N.Y. Fed presents several possible scenarios – e.g. a cyber event affecting the distribution of or access to liquidity or a virus traveling through bank networks from interbank lending or payment systems or through shared service providers. Such threats “could have severe implications on the stability of the broader financial system vis-à-vis spillovers to investors, creditors, and other financial market participants,” according to the paper. In its 2019 annual report the Financial Stability Oversight Council wrote: “The increasing reliance of financial firms on information technology increases the risk that a cybersecurity event could have severe negative consequences for the U.S. economy, potentially impacting financial stability.” FSOC recommended that member agencies, including the SEC, continue to conduct cybersecurity examinations of financial institutions and financial infrastructures to ensure robust and comprehensive cybersecurity monitoring, among other things. Both Congress and bank regulators have been paying attention to the cyber threat. Last October, hearings in the House Financial Services Committee focused on cloud computing and data protection. Lawmakers also discussed the Strengthening Cybersecurity for Financial Sector Act, proposed legislation that would give certain agencies the same oversight of third-party vendors for credit unions, Fannie Mae, Freddie Mac, and FHLBs, that bank regulators have for third-party vendors of banks. Federal bank regulators have issued advanced notice of proposed rulemaking on enhanced cyber risk management standards for large banks with more than $50 billion in total assets that would also apply to services provided by third parties to these banks, however the proposal has not been finalized.