Bank executives, security experts and federal officials have been planning for potentially devastating cyberattacks against the financial industry for at least a decade. But the issue has grown more urgent in recent years because of an increase in nation-state cyberattacks against critical infrastructure, such as the cyberattacks by Russia that took out part of Ukraine’s electric grid and the WannaCry worm linked to North Korea that hit the hospital and shipping industries. The Federal Reserve Chairman, Jerome Powell, recently told “60 Minutes” that “the risk that we keep our eyes on the most now is cyber risk.”
The federal government and financial institutions have formed information-sharing groups, performed tabletop exercises and invested heavily in cybersecurity. JPMorgan Chase alone spends about $600 million each year on cybersecurity efforts and has “more than 3,000 employees” working on the issue in some way.
Still, experts say there are significant gaps in awareness and preparation for a cyberattack on Wall Street, and that the focus has more often been on threats to individual institutions than on threats to the system as a whole. The recent spate of ransomware attacks underscored the vulnerability of individual companies’ systems.
“I think everybody believes an institution can be taken out,” said Greg Rattray, the former director of cybersecurity at the National Security Council and a former chief information security officer for JPMorgan. But, he said, “the degree of risk, I think, is really not well understood systemically.”
Rehearsals aren’t enough
Key financial institutions rehearse responses to cyberattack scenarios. But Rattray said these exercises provide more confidence in readiness than they should.
Unlike the detailed simulations that help prepare first responders and soldiers for hurricanes, forest fires and wars, “we do not simulate the scale of destruction, and we never simulate duration” with cyberattacks, Rattray said. “What we don’t know is how bad it would get and how fast.”
The financial system could probably withstand one large institution getting knocked out, but if multiple large financial institutions were shut down by a cyberattack, the disruption could last for weeks, he said.
Additionally, if attackers struck during a particularly volatile period in the markets — for example, on one of the “triple witching” Fridays that occur each quarter when stock options, stock index futures and stock index options all expire on the same day — the effects could be amplified.
Such an attack would require skill, resources and immense coordination, which so far adversaries have not shown. Most cyberattacks against financial institutions to date have involved criminal theft of bank card numbers and account credentials; although a few incidents involving nation-backed actors have occurred, they’ve been contained in scope and effect.
In late 2011, Iranian hackers associated with the Islamic Revolutionary Guard Corps launched a monthslong denial-of-service campaign against dozens of US financial institutions, including American Express, JPMorgan and Wells Fargo, according to Department of Justice documents. The onslaught disabled banking websites and locked hundreds of thousands of customers out of online accounts.
And in 2016, hackers associated with North Korea broke into Bangladesh Bank and hijacked employee credentials in an attempt to steal $951 million via the Swift network, a messaging system used by financial institutions. They succeeded in nabbing $81 million.
More sophisticated and destructive attacks are not out of the question, however. The New York Cyber Task Force — a group of government and private industry experts convened by Columbia University and led by Rattray — examined a “severe but plausible” scenario involving multiple financial institutions.
In the theoretical scenario, described in a report the task force published this year, North Korean hackers compromise a third-party service provider, such as a cloud computing company, to slip into a financial institution’s network and install a self-propagating digital worm that wipes data. As other financial institutions communicate with the infected bank, the wiper spreads to their networks as well.
The scenario highlights how swiftly an attack could cascade and how financial institutions that are focused on securing their own networks from adversaries could miss the risk of being compromised by the network of trusted partners.
If this scenario were to occur as the task force imagined, an initiative called Sheltered Harbor would help address at least the loss of data. The program, launched by the industry in 2015, is designed to protect banks from losing valuable data because of cyberattacks — the data of participating banks is encrypted and backed up daily to offline secure storage so that if it gets deleted or altered, or access to it is blocked, it can be restored.
It’s not just about banks
Under a 2013 White House executive order, the Department of Homeland Security was asked to identify critical infrastructures for which a cybersecurity incident could have “catastrophic regional or national effects on public health or safety, economic security or national security.” Within the financial sector, DHS and the Department of the Treasury identified more than two dozen key financial institutions that fit the description, according to sources who asked not to be named because the information is sensitive.
Not long after the list was created, eight of the top US financial institutions formed the Financial Systemic Analysis & Resilience Center to address cyberattack risks. The eight were Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan, Morgan Stanley, State Street and Wells Fargo.
But banks aren’t necessarily the biggest risk to the system as a whole. Many critical infrastructure industries are composed of interwoven entities that make cybersecurity tricky — a hit on one key institution puts all others potentially at risk. The financial sector is more interwoven than most and relies on a few major institutions that if taken out can bring critical services and processes for the entire industry to a halt. These include payment card processors, clearing houses like ACH and Fedwire, and systems for settling transactions involving bonds, equities and options — for example, the National Securities Clearing Corp. and the Depository Trust and Clearing Corp.
Financial entities aren’t the only concern; nonfinancial third-party providers, such as cloud services companies, electric utilities and data storage services could have great effect on financial services if wiped out.
“There is little understanding of the ways in which the failure, whether by accident or adversary design, of an IT company ‘too big to fail’ (such as a major cloud service provider) might cascade,” wrote the authors of a Brookings study on financial stability and cyber risk.
Is the financial industry prepared?
Eric Goldstein, the executive assistant director for cybersecurity at DHS' Cybersecurity and Infrastructure Security Agency, wouldn’t quantify how prepared the financial industry is. He said his agency is helping to ensure that all organisations — not just the financial sector — implement the right security controls and resiliency measures so that businesses can continue to operate even in the face of an attack.
Experts say individual financial institutions are resilient enough to withstand attacks as well as deposit runs that likely would result.
Darrell Duffie, a professor at Stanford University’s business school, examined the potential effect of a “cyber run” in a paper published with Joshua Younger, a managing director at JPMorgan. Banks are required to have 30-day liquidity — the ability to access within 30 days funds to cover every deposit and line of credit should all customers withdraw holdings or face called-in debts. Among a sampling of the 12 top US financial institutions, the authors concluded all had sufficient liquid assets to cover a “relatively extreme” cyber run, as well as access to additional funds from the Federal Reserve.
But resilience against a cyber run doesn’t preclude damage to the economy, Duffie and Younger noted. Financial markets, probably more than any other critical infrastructure except elections, require public trust to operate. This can quickly erode, even if an attack isn’t widespread.
Corporate customers and financial firms that aren’t directly affected by an attack but need access to large sums of money on short notice could decide to withdraw money from banks anyway, to place it where they’re assured fast access. Or they could stop processing payments out of caution. Furthermore, if a major processing or settlement house were taken out, the instability “would be very devastating for the performance of financial markets,” Duffie told DealBook.
“To the extent that trades continue to occur and are not settled, investors would get extremely nervous,” Duffie said, adding that if the uncertainty persists for days, prices could decline “very rapidly and significantly.”
Goldstein said that companies need to plan a strategy to communicate clearly to the public the potential implications of a cybersecurity incident, and to deliver it quickly.
“The last thing that any organisation wants to occur is to have a misinterpretation or even misinformation about the incident cause consumers or customers or suppliers to take action” that could escalate the problem, he said.
©2021 The New York Times Company