Massive Cyberattack on the US Wholesale Payments System (Simulation but Real?)

One report you may have missed was this one: CyberRisk and the U.S. Financial System: A Pre-Mortem Analysis from The New York Fed and released in January.The paper focuses upon a co-ordinated cyberattack on the wholesale payment systems of America and can be summarised as:We (the Federal Reserve Bank of New York’s academics) model how a cyberattack may be amplified through the U.S. financial system, focusing on the wholesale payments network. We estimate that the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average. The impact varies and can be larger on particular days and in geographies with concentrated banking markets. When banks respond to uncertainty by liquidity hoarding, the potential impact in forgone payment activity is dramatic, reaching more than 2.5 times daily GDP. In a reverse stress test, interruptions originating from banks with less than $10 billion in assets are sufficient to impair a significant amount of the system. Additional risk emerges from third-party providers, which connect otherwise unrelated banks. And they conclude: Our analysis demonstrates how cyberattacks on a single large bank, a group of smaller banks or a common service provider can be transmitted through the payments system. A cyberattack on any of the most active U.S. banks that impairs any of those banks’ ability to send payments would likely be amplified to affect the liquidity of many other banks in the system. The extent of the amplification would be even greater if banks respond strategically, which they are likely to do if there is uncertainty about the attack. The impact on geographies with concentrated banks may be even larger. We also identify other ways that the system may become impaired that highlight the importance of all banks in the network, not just the largest banks. First, if a number of small or midsize banks are connected through a shared vulnerability, such as a significant service provider, this would likely result in the transmission of a shock throughout the network. Similarly, banks with a relatively small amount of assets but large payment flows also have the potential to impair the system.While the shock we assume is extreme in some ways — a complete inability to send payments — it is conservative in others. We currently do not model spill-overs outside the payment network such as to short term creditors that provide liquidity to impaired banks.Allowing creditors and customers to run without the ability to realize additional liquidity through the sale of liquid assets would surely make our results even larger. We also focus primarily on the impact that a cyberattack may have within a single day. However, if a cyberattack were to compromise the integrity of banks’ systems, the reconciliation and recuperation process would be an unprecedented task. This could have severe implications on the stability of the broader financial system vis-à-vis spillovers to investors, creditors, and other financial market participants. One shortcoming of the analysis is that while we see payment flows among banks, we do not know the purpose of the flows. Therefore we cannot measure how these flows will affect customers and borrowers and the real economy. In future work, we hope to explore how borrowers and other counterparties would respond. Interesting … Especially as Bank Director magazine has just followed with an article entitled:

Related: Cashless Shopping May Be Here … but a Cashless Society? Nah!