People often speculate that the next financial crisis might be triggered by a cyber attack.
Considering how the dependence of the financial sector on interconnected digital and online platforms is deepening, and how the capabilities of cyber attackers are becoming more sophisticated, this risk is plausible enough for public authorities to be taking the issue very seriously in their work this year.
But just how could it be done? How could a cyber attack endanger not only the operations of a targeted firm, but jeopardise the stability of the entire financial system?
An interesting new paper from the Brookings Institution takes a stab at answering this question. Looking at the recent methods of cyber attackers, Brookings sees three ways that cyber attacks could threaten financial stability:
- Slow burn: where cyber adversaries cause repeated, low-level disruptions that try to erode confidence in the market and its key institutions. Distributed denial-of-service (DDoS) attacks are hallmarks of this method.
- A well-timed push: where a cyber attack is used to exacerbate existing instability in the financial sector. Think what might have happened had a cyber attack hit US financial markets the day after Lehman Brothers failed in 2008...
- The master-plan: a well-planned cyber attack on critical financial or IT infrastructures designed to trigger market instability and cause maximum economic harm. The level of sophistication and expertise needed for such an attack means that these would likely have to be carried out by state or state-backed adversaries.
As we wrote in a report earlier this year, regulators and other public authorities are scaling up their efforts to understand how these attacks might occur and what can be done to bolster the resilience of the financial system to them.
In the UK, the Bank of England's Financial Policy Committee has announced that it will begin stress-testing firms in 2019 against a range of cyber risk scenarios.
We expect this to become a key area of regulatory activity in the coming years. Given the speed at which the cyber threat is evolving, public authorities that want to stay one step ahead have little choice but to act fast.