On October 10, 2018, the Atlantic Council’s Cyber Statecraft Initiative convened key stakeholders from the financial, governmental and academic communities to convene for the release of a joint report by the Brookings Institution and Columbia University’s School of International and Public Affairs, The Future of Financial Stability and Cyber Risk. The panel was moderated by Katheryn Rosen, a Senior Fellow at the Atlantic Council’s Cyber Statecraft Initiative and a Senior Research Scholar at Columbia University School of International and Public Affairs. Despite the unique threats that cyber risks pose to the finance industry, they remain misunderstood and fail to be well-managed. A central issue concerning businesses and policy makers is discerning how cyber risks differ from the shocks that have traditionally impacted the financial market.
All speakers agreed that the major problem facing the industry was the disconnect between cyber and financial risk management. Dr. Mosser, Director of the Initiative on Central Banking and Financial Policy at Columbia University School of International and Public Affairs, explained that this disconnect ranged from the vocabulary used by the industry – vulnerability has a different meaning in both finance and cyber risk – to how ‘risk’ itself is studied. Financial markets focus on a system wide study of risk instead of trying to stop individual shocks. Due to the inherently fragile nature of financial markets, “shocks come from everywhere” and are hard to predict. On the other hand, cyber professionals try to prevent each individual shock from happening. Mr. Healey, Senior Fellow with the Atlantic Council’s Cyber Statecraft Initiative and Senior Research Scholar at Columbia University School of International and Public Affairs, stated that one main difference that is important to understand is the intent of the attacker. Unlike cyber-attacks, financial crises aren’t caused by entities who are actively trying to cause a crisis. Moreover, Mr. Healey went on to dispel the myth that cyber attackers would be unwilling to “upset the applecart” of the financial markets that they themselves integrated in, calling it a “1914 kind of argument.” He also noted that it is easy for malicious cyber actors to make mistakes or miscalculate the impact of their attack, such as in NotPetya and WannaCry.
Turning from problems to solutions, the panel identified key steps that the industry should take to better understand cyber risk. Dr. Rattray, Senior Fellow with the Atlantic Council’s Cyber Statecraft Initiative and the Managing Director of JP Morgan Chase’s Global Cyber Partnerships & Government Strategy noted that a multi-level approach would be necessary. At the enterprise level it starts with asking, “is our company doing all the right things” to mitigate risk? Companies need to invest in adopting a good cyber program and ensuring compliance with regulators. Additionally, as the finance sector is so interdependent, Dr. Rattray stated it was fundamental that entities engage in “operational collaboration” – jointly identifying the risks to the system, establishing public-private information sharing, and protecting each other against attacks. Further to this, Dr. Mosser suggested an important first step would be to develop a lexicon that is able to translate terms and practices between the finance and cyber worlds.
Mr. Healey stated that a common lexicon was necessary to develop an analytical framework, so professionals can understand how to approach cyber risk in the finance sector. To this end, Dr. Rattray suggested that financial stability professionals should leverage existing knowledge by developing such a framework that focusses on financial stability. Professionals know what makes the financial sector vulnerable and should start analyzing how cyber plays into that, rather than simply thinking what a ‘bad cyber day’ would look like. For example, as the finance industry is vulnerable to loss of faith in the system, cyber could impact that through manipulation of stock prices or trading numbers, or the leaking of altered finance reports. Finally, the panelists agreed that a successful framework would have to be transparent. Having an analytical methodology that can be discussed by professionals means it can be constantly refined and adapted to new challenges posed by the ever-evolving world of cyber risk.