OFR_2016_Financial-Stability-Report

Recommendations

Info

2.3 Cybersecurity Incidents Affecting Financial Firms Financial institutions, like other businesses, are under constant threat of malicious cyber activity. They are especially vulnerable because of their reliance on information technology (IT) and their many links to each other, to financial markets, and to other parts of the economy. Malicious cyber activity that targets financial firms has become more common and more sophisticated. Incidents can disrupt services, reduce confidence in firms and markets, and damage the integrity of key data. Malicious cyber activity that targets financial firms has become more common and more sophisticated. Incidents can disrupt services, reduce confidence in firms and markets, and damage the integrity of key data. The OFR ranked vulnerability to malicious cyber activity as a top threat with substantial potential impact. Quantifying the magnitude of these risks or measuring the resilience of institutions is difficult. Still, cybersecurity incidents clearly have the potential to cause real harm. Some financial institutions play unique roles. If their IT systems were compromised, that could disrupt payment systems or markets and trigger a cascade of operational and financial losses. Financial firms already fight off malicious cyber activity on many fronts (see White House, 2013). They may spend heavily to defend themselves. Regulators have also taken steps to increase cyber-resilience. They have encouraged information-sharing and collaboration and issued guidance and rules for financial firms. U.S. regulators could also consider developing a shared risk-based approach to guide financial firms in their IT security practices. Although firms are primarily responsible for the security of their systems, regulators should provide guidance and oversight and work to ensure that the financial system can recover quickly. Cybersecurity Incidents Come in a Variety of Forms Cyberattacks are deliberate efforts to disrupt, steal, alter, or destroy data on IT systems. Tactics include finding hidden weaknesses in widely used software (called zero-day vulnerabilities) to get into IT systems, targeting e-mail accounts to steal passwords (spear-phishing), targeting websites to infect users with malicious software (malware), and implanting software that locks companies out of their own IT systems (ransomware). The growth in Internet links provides more ways for attackers to enter proprietary IT systems and networks. Detailed data about frequency, tactics, and results of cybersecurity incidents are scarce. In part, data are lacking because firms and authorities avoid reporting them due to reputation concerns or concerns over giving insights to potential hackers (see OFR, 2015; U.S. Congress, 2016). Cybersecurity 38 2016 | OFR Financial Stability Report
worries show up in industry surveys, reports from technology providers, regulatory filings, and responses to high-profile incidents (see Symantec, 2016). Profit often motivates malicious actors targeting the financial system. On the black market, cyber criminals can sell stolen credit card data and buy software and other tools to launch new infiltrations. But hackers may seek to break into firms for other reasons. Some break in for foreign policy or espionage reasons, such as the 2014 attack on Sony, which was carried out by hackers linked to North Korea (see FBI, 2014). Such incidents may be matters of national security, especially when they have foreign government support. Intruders are showing more technical sophistication and a more nuanced understanding of how firms operate. For example, there are reports that malicious actors in 2013 used off-the-shelf malware delivered over the Internet via a vendor’s system to break into the IT system of Target, a retailer. They planted the malware three months before they stole Target’s credit card records (see Krebs, 2014). This year, malicious actors broke into Bangladesh Bank and stole central bank funds (see Hackers Breach Bangladesh’s Central Bank). Intruders are showing more technical sophistication and a more nuanced understanding of how firms operate. Cybersecurity Incidents Threaten Financial System Stability on Multiple Fronts Cybersecurity threats impose direct costs on firms. These costs include the loss of funds or customer records, added IT spending, remediation costs, reputational costs, and legal expenses. Cybersecurity incidents also can pose a broader risk to financial stability. Financial institutions work within complex networks and rely on electronic transactions, often on a rapid just-in-time basis. They are linked digitally to each other and to nonfinancial entities, including third-party service providers. Some markets and systems depend on a few key firms, and those firms must run properly. Other markets and systems may be decentralized, either by design or because participation is not concentrated. Spreading havoc among those operations may be harder for hackers. However, defending a decentralized network that has many entry points can also be more difficult (see Rosengren, 2015). This increase in digital links also gives rise to financial stability risks. A cybersecurity incident that disrupts a large firm could trigger second-order effects. For example, a large troubled firm could default on obligations to Key Threats to Financial Stability 39
Page 1: OFFICE OF FINANCIAL RESEARCH 2016 F
Page 5: Contents Executive Summary ........
Page 8 and 9: Chapter 2 provides deeper analysis
Page 10 and 11: of sharp decreases in U.S. equity a
Page 13 and 14: 1 Financial Stability Assessment Ov
Page 15 and 16: Figure 3. Real GDP Growth (year-ove
Page 17 and 18: Figure 8. Ten-Year U.S. Treasury Yi
Page 19 and 20: Monitoring Shadow Banking Risks The
Page 21 and 22: An earlier OFR paper proposed an ac
Page 23 and 24: Figure 17. Size, Liquidity, and Con
Page 25: Figure 19. Top Systemic Risk Scores
Page 28 and 29: The analysis pointed to seven key t
Page 30 and 31: could. In early 2016, investor conc
Page 32 and 33: earnings or share issuance. But red
Page 34 and 35: Fund Monitor, the OFR assessed expo
Page 36 and 37: 2.2 Risks in U.S. Nonfinancial Corp
Page 38 and 39: Figure 31. U.S. Nonfinancial Corpor
Page 40 and 41: Figure 36. U.S. Corporate Bond Defa
Page 42 and 43: Commercial Real Estate Prices Have
Page 46 and 47: Hackers Breach Bangladesh’s Centr
Page 48 and 49: Figure 42. Banks that Include an Op
Page 50 and 51: The industry is working with the pu
Page 52 and 53: Figure 46. U.S. Financial Regulator
Page 54 and 55: 48 2016 | OFR Financial Stability R
Page 56 and 57: eleased the results of an unprecede
Page 58 and 59: Figure 49. CCP Default Waterfall ($
Page 60 and 61: Figure 50: CCP Ratios and Amounts f
Page 62 and 63: cause more-prudent CCPs to appear m
Page 64 and 65: 2.5 Pressure on U.S. Life Insurance
Page 66 and 67: The experience of Japan’s life in
Page 68 and 69: 2015). These benefits are effective
Page 70 and 71: Figure 55. Life Insurance Securitie
Page 72 and 73: Drivers of Insurers’ Systemic Ris
Page 74 and 75: 2.6 Systemic Footprints of Largest
Page 76 and 77: Interest Rates and Derivatives Expo
Page 78 and 79: Figure 63. Components of U.S. G-SIB
Page 80 and 81: Figure 66. Five-Year Changes to G-S
Page 82 and 83: 2.7 Deficiencies in Data and Data M
Page 84 and 85: Figure 68. Examples of Key Post-Cri
Page 86 and 87: Broader Adoption of Data Standards
Page 88 and 89: Better Regulatory Sharing Needed Th
Page 90 and 91: The U.S. Census Bureau surveys publ
Page 92 and 93: The group will also consider how th
Page 94 and 95:
and contracts would be crucial. The
Page 96 and 97:
Figure 72. Scaling of Data Validati
Page 99 and 100:
Glossary 10-Year, 10-Year Forward R
Page 101 and 102:
Conditional Value-at-Risk (CoVaR) C
Page 103 and 104:
Fire Sale Form N-MFP Form PF Fundin
Page 105 and 106:
Liquidity Risk Liquidity Transforma
Page 107 and 108:
Pension Funded Ratio Pension Risk T
Page 109 and 110:
Stress Test Supplemental Leverage R
Page 111 and 112:
Bibliography Adrian, Tobias, and Ma
Page 113 and 114:
Board of Governors of the Federal R
Page 115 and 116:
www.richmondfed.org/~/media/richmon
Page 117 and 118:
Her Majesty’s Government and Mars
Page 119 and 120:
Paul, Ruma. “Bangladesh hopes to
Page 121:
Zetter, Kim. “That Insane, 18M Ba
show all

OFR_2016_Financial-Stability-Report

Create successful ePaper yourself

Delete template?

Save as template?