In 1999, NASA lost its $125 million Mars Climate Orbiter due to a careless error: the engineers forgot to convert measurements from imperial to metric. This single point failure had cascading effects, with the probe ultimately disappearing altogether.
In the 21st century, first-order, single-point failures with profound second- and third-order effects are especially common in cyberattacks against complex systems. For one, the U.S. financial system is complex and highly interconnected, making it very vulnerable to a cyberattack.
The Federal Reserve Bank of New York (FRBNY) recently epitomized this interconnectivity in a report, arguing that a cyberattack could impair a bank’s ability to service creditors. More specifically, impairment of any of the five most active U.S. banks could result in significant spillovers to other banks, with 38% of the network affected on average.
Perhaps even more concerning, the FRBNY identified a subset of smaller banks that, if impaired, could threaten the solvency of a top-five institution. In particular, the FRBNY estimated it would take the financial distress of six small banks, each below $10 billion in assets, or just one institution with between $10 billion and $50 billion in assets.
More than 80 U.S. banks fall into the midsize bank category, with aggregate assets of approximately $1.8 trillion, while there are about 4,440 small banks, with cumulative assets of around $4.7 trillion. Combined, the midsize and small banks account for about 36% of all commercial banking assets. This indicates that the complexity of the U.S. banking system may not be driven solely by the “megabanks.”
A cyberattack on these banks, which appear benign in isolation and have simpler balance sheets, could ultimately cause a cascading failure of interbank funding, leading to a tipping point for a broader systemic liquidity crisis.
At a glance, when viewed with typical “first-order thinking,” this is deeply troubling, because larger banks tend to have more resources and invest more in building robust cybersecurity than smaller banks. Even if a large bank puts in place a proper cybersecurity policy with the right controls for its own protection, which it absolutely needs to do, it may not be enough.
The issue is not just building a bigger cybersecurity “moat and castle.” Instead, financial institutions need to understand the interconnectedness of their entire ecosystem, integrating cyber risk, vendors, liquidity sources, off-balance-sheet exposures, etc.
More thoughtful analysis, using second- and third-order thinking, indicates that cyberattacks by their very nature know no physical boundaries and can spread rapidly across the globe. We know this from the infamous NotPetya attack in 2017, when a worm planted in Ukrainian tax software managed to infect not just Ukrainian critical infrastructure, but also the largest global shipper, A.P. Moller-Maersk, and the big pharmaceutical company Merck as well as a chocolate factory in Australia.
In a system like banking that is already highly interconnected in its own right, one would expect the overall impact on the U.S. financial system to be even greater. The FRBNY’s paper is a very important illustration of how an operational risk can rapidly lead to grave financial risk.
Fortunately, despite the high levels of complexity and interconnectedness, there are ways to model and quantify the risk. They involve using network science concepts that go as far back as the 18th century, when Leonhard Euler was trying to solve the problem of the Seven Bridges of Königsberg.
As displayed in Figure 1, we can transform qualitative expert analysis of how the U.S. financial system works into a “map” that illustrates the complex relationships between the relevant concepts. By analyzing this map, we can determine which concepts are the most significant, by virtue of their immediate or global connectivity, and which concepts are the most significant drivers of the narrative.
Having identified these most significant concepts, we can create a causal model that is sufficiently complex to be realistic, but simple enough to be understood. This model can now help CFOs, chief risk officers, treasurers, and liquidity managers assess how different inputs affect the tightly interconnected financial network and explain the most critical points of weakness.
The benefit of this type of analysis is that it allows CFOs to tell the “risk story” by determining the triggers, causes, and nonlinear relationships underlying a financial collapse due to a cyberattack (the first-order risk) resulting in a systemic liquidity crisis (second- and third-order risks).
While root cause analysis is a longstanding approach for examining the underlying causes of a risk event, it’s not necessarily the most appropriate way to do so.
For example, suppose a state actor launched a cyberattack against a major U.S. bank and it led to a financial collapse. Many would argue that the root cause of the financial collapse would be the cyberattack. However, that ignores everything that led up to it, such as whether the state actor was targeted by U.S. sanctions, embraced an extremist ideology, or had some kind of historical grudge against the United States (i.e., action, reaction, counteraction).
As a result, root cause analysis in this case can lead down a very long path that does not help CFOs better understand the risk (as shown in Figure 1).
What’s far more helpful is understanding points of cascading failures. Such points can be determined in the model and, unlike all the rabbit holes one can go down in root cause analysis, this actually helps senior decision makers better understand the company’s risk exposure and control framework. More importantly, it allows them to think deeply about what the best strategy is, given the relationships within the network.
In order to understand and process the complexity of the banking system, the noncritical risk paths are removed to provide a “minimally complex system” (Figure 2). This view gives CFOs and board members strategic focus, revealing a number of important insights regarding a cyberattack on the banking system.
Sources of financial fragility: After the 2008 global financial crisis there are fewer large banks, but they have even larger balance sheets than before. However, the fragility of the banking system is not just driven by the failure of a top-five bank.
In addition, the impairment of two midsized banks ($10 billion to $50 billion in assets) can trigger a liquidity crisis. The model shows both the direct and well understood path from the failure of a large bank to a financial crisis and, just as importantly, the more complex path from the failure of two midsized banks. In this regard, risk professionals need to look beyond the “usual suspects” for vulnerability in a highly connected financial system.
Multiple paths to failure: While the attack scenario for a midsized and a large bank are principally the same, the set of triggers that lead to a market catastrophe are not.
For a large bank the path is fairly direct. A cyberattack that impacts one of the largest banks in the United States would create a direct effect on the fundamental elements of the economy and significantly raise the probability of a financial crisis. Impairment of a midsized bank would also be direct, but the impact on the system overall would be more complex and less obvious. The failure of a single midsized bank would lead to a deterioration of funding markets and the ability to clear transactions.
These consequences would lead to a loss of confidence in midsized banks and the eventual failure of a second midsized bank. That second failure could be the tipping point to financial crisis, similar to that of an illiquid large bank.
Concealed risk in plain sight: More astonishingly, if six small banks (less than $10 billion in assets) became impaired, putting stress on wholesale funding, the model indicates that there is a path to systemic failure. Although it’s not self-evident, the small banking sector can pose a significant risk to the safety and soundness of financial markets overall.
The path from a failure of one small bank to a financial crisis is direct. Not only do six small banks pose a risk equivalent to the direct failure of one large bank, but their abilities to prepare for and defend against a cyberattack are significantly less.
Small banks functionally rely on confidence in the small banking sector based on the assumption that the system can absorb a bankruptcy. However, a small number of simultaneous impairments (six or more), due to a cyberattack, could damage confidence in the sector to the point that fear and risk aversion trigger a sequence of liquidity events that cascade into a broader financial crisis.
Building on the FRBNY’s analysis, we see that there are multiple paths to systemic crisis. We have explored only two major scenarios, illustrating, at a high level, how our methodology can analyze attacks, play out their cascading effects, and test scenarios.
Applying this approach should better inform risk managers and senior decision makers about vulnerabilities, hidden risk relationships, and unexpected paths to financial crisis.
Chris Harner is managing director of the cyber risk solutions practice at Milliman, an actuarial and consulting firm. Chris Beck is an executive risk consultant within the practice. Blake Fleisher is a senior cyber risk analyst in the practice.