Regulators urged to promote cyber security investment
Public interest in stopping cyber attacks that could trigger bank runs, says Bundesbank researcher
Policies designed to generate increased spending on cyber security could help to reduce the risk of bank runs that might follow a major cyber attack, according to a German regulatory official.
“Despite the growing interest in the topic, we don’t have a framework to think through how cyber attacks might impact banks, and what they might do in terms of investing in cyber security,” said Kartik Anand, an economist at the Deutsche Bundesbank’s research centre.
He was presenting a paper he had co-written at the 2024 European Central Bank annual banking supervision research conference in Frankfurt on June 12. The paper argues that banks need to find the right balance between the cost of protection and the added resilience from being better able to withstand attacks. If a severe attack resulted in a loss of confidence and a bank run, then regulatory policies that increased spending on cyber security would result in better outcomes for the public good, even if they reduced bank profitability in the short term.
Cyber security has been dominating the agenda for operational risk, especially after the crime spree by hacking group LockBit, which claimed 71 attacks in 2023 alone.
Creating regulations and policies for cyber security can prove difficult because of the ever-evolving nature of cyber risk. Some supervisors, such as the ECB, have homed in on resilience stress tests for banks as a way to manage the consequences of cyber attacks when they happen, rather than necessarily trying to reduce the risk of a successful attack.
“Operational resilience standards will help us to make sure that we have adequate security investment, although they are hard to calibrate,” said Ryan Riordan, a professor at LM University of Munich, responding to Anand’s paper.
Anand developed a new model – together with co-authors Chanelle Duley and Prasanna Gai, both from the University of Auckland – to understand the potential impact of cyber attacks on banks, and what policies would be best to mitigate this.
“The key trade-off is that investing more in cyber security improves protection … and the chances of finding and patching up the vulnerability before the attacker [exploits it],” said Anand. “At the same time, it will reduce investments in profitable assets – this is going to apply irrespective of who wins this tournament.”
The model offers a fairly straightforward mechanism to try to identify the optimum balance. The bank invests money in its cyber security and the attacker invests in its attack. The model then sets out how badly the bank’s performance is impaired as a result of the cyber attack and sets a threshold for whether the losses result in illiquidity or insolvency. From this, a bank can decide how to distribute its investments in order to balance profitability, resilience and protection.
Protection is defined as putting money into cyber security measures. These can include establishing ‘red teams’ to probe the bank’s defences and find any holes in its armour, or ‘bug bounties’, where staff are rewarded for identifying errors and vulnerabilities in the IT architecture. Resilience is understood as the ability to withstand losses that result from a cyber attack and restore operations quickly.
Liquidity risk
The model predicts that the probability of a bank becoming insolvent because of a cyber attack is too low to justify additional investment in defences. If the bank faces a sophisticated attacker and finds itself to be at a disadvantage, then spending on resilience instead would result in larger social benefits. However, the risk of a bank failure due to illiquidity – if depositors or wholesale funding providers were panicked into a run by the cyber attack – is higher, tipping the balance toward investing in more protection.
“When bank failure is illiquidity-driven, we find that there’s going to be underinvestment in cyber security,” said Anand. “When failure is illiquidity-driven, the conditional likelihood of failing is very high, and therefore the social benefits of greater protection are also larger.”
As such, the paper finds that three out of four cases of bank failures would benefit from investment in cyber security defences, rather than relying on stress tests to ensure resilience.
“There are things like subsidising cyber security investment or using red teaming that would be the socially optimal policy,” said Anand.
One audience member at the conference suggested Anand might have underestimated the benefits of investment in cyber security, as the paper assumes it is purely a sunk cost that cannot be redeployed in any other capacity. In reality, the same investment could also contribute to post-attack resilience and recovery.
LM University of Munich’s Riordan pointed out that, given the limited research available so far on the subject, any additional information is helpful for risk managers and policy-makers to assess potential policies to mitigate cyber risk.
“Thinking these things through … is important,” he said. “Policy on cyber regulation is relatively new – how we regulate in general [and] when we regulate, there are also unintended consequences.”
Copyright Infopro Digital Limited. All rights reserved.