As the threat of cyberattacks against financial institutions has grown, the response by industry and government has matured. Banking agencies, trade groups, law enforcement authorities and others have developed protocols for identifying, limiting, reporting and otherwise responding to attacks. But a newer type of threat is growing that has so far received scant focus from the industry and government.
The attention on cyberattacks has so far focused mainly on data breaches and so-called "denial-of-service" attacks, in which an institution's computers or servers are rendered temporarily or indefinitely unavailable to its customers. Less attention has been paid to what might be termed "denial-of-system" attacks, which can make enterprisewide information systems completely inoperable. Such attacks have occurred, and the possibility of a catastrophic failure at a "systemically important financial institution" resulting from such an attack poses a serious risk to the stability of the U.S. financial system.
To date, the paradigmatic cyberattack has involved a data breach, and the primary concern has been that pirated data may be used to conduct unauthorized transactions. A related concern is that, once inside a financial institution, hackers may search for and exploit more sensitive business data. This is suspected to have occurred when the central bank of Bangladesh's credentials were stolen and used to initiate Swift transactions. The scheme reportedly succeeded in stealing over $80 million from the central bank's account at the Federal Reserve Bank of New York.
These types of attacks focus on the misappropriation and misuse of data. What has received less attention is the evolution of denial-of-service attacks, an externally based business disruption, into denial-of-system attacks, in which malicious software (malware) is inserted into a financial firm's information system to cause widespread infrastructure damage and, potentially, global chaos in financial markets.
Consider the recent spate of "ransomware" attacks against hospitals across the United States. Malware locked up the computers of several hospitals and made it impossible for staff to have access to data for scheduled surgeries and other crucial patient care. Relatively unprepared for such an attack and with a vulnerable patient population, some of these hospitals readily paid ransom to restore their systems, sometimes even before notifying law enforcement authorities.
What if a criminal or a state-sponsored cyberterrorist targeted the core processing systems of the principal subsidiary bank or broker-dealer subsidiary of a systemically important U.S. banking organization? What if, just hours before markets were set to open in Tokyo, the CEO was informed that the subsidiary could not make any entries and, as a result, could not pay checks or debits, respond to margin calls, transmit or receive cash to pay principal, interest or collateral in any of its securities finance transactions, or honor any of its derivative transactions? Even assuming that the entire financial organization was well-capitalized and highly liquid under every applicable regulatory standard, that fact would not help the bank to perform its legal obligations as they became due to customers and counterparties. The Treasury secretary might determine, pursuant to the Orderly Liquidation Authority in the Dodd-Frank Act, that the organization is in default and must quickly be placed in orderly liquidation to maintain some semblance of public confidence. Would the Treasury have to write a blank check to avoid or mitigate the adverse effects, or to pay or arrange for the assumption of the bank's or broker-dealer's obligations? What would be the cost to taxpayers and, worse yet, the cost to the U.S. economy?
Recently, as directed by Section 123 of the Dodd-Frank Act, the Financial Stability Oversight Council issued a study of the economic effects of possible regulatory initiatives intended to reduce risks to the financial system. The study addressed regulatory limits or requirements on eight separate factors, including size, organizational complexity, operational separation, risk transfers between business units, and, of course, stress tests and capital and liquidity requirements, as methods of limiting risk. No attention was paid to a denial-of-system attack, which, it appears, could have catastrophic effects even with all the other studied safeguards in place.
Among the duties of the FSOC are monitoring the financial services marketplace in order to identify potential threats to the financial stability of the United States and recommending general supervisory priorities and principles to its member agencies. Planning for how to respond to a successful denial-of-system attack on a systemically important financial institution appears to fall within the FSOC agenda. Currently, however, this does not appear to be part of resolution and recovery planning by the Federal Deposit Insurance Corp. or the Federal Reserve.
A denial-of-system attack is a major and growing risk factor for our financial system, which needs to be addressed immediately by regulators and industry. However, it is not an entirely unprecedented threat, and a model for an effective response is at hand. The systemic technological risk of a denial-of-system attack is very similar to the Y2K technological issue, which had the potential to shut down computer systems in the U.S. and globally. The intensive and collaborative government and industry response resulted in effective planning and remedial work that prevented any interruption of the operation of critical banking infrastructure. Those preparations also included the institution of an asset and liability backup program at a limited number of depository institutions. During the critical Y2K period, those institutions were required to maintain a common data set in a standard format that would enable the FDIC, if necessary, to provide access to deposits and transfer assets to private sector purchasers without the need to map and convert information from a closed bank's inoperable systems.
It is now time for a similar collaborative effort to be undertaken to develop readiness plans to mitigate the high risk of a technical failure of a SIFI due to a denial-of-system attack.
Mitchell L. Glassman is former director of the division of resolutions and receiverships at the FDIC. Gordon L. Miller is senior counsel at Allen & Overy LLP and former attorney at the Federal Reserve Board.