Dean Merit E. Janow delivered opening remarks and hosted a fireside chat with leading practitioners and thinkers in the financial stability and cyber fields. Throughout the day, panels discussed the current state of research [three of which are publicly available: the first by Filippo Curti and Atanas Mihov from the Federal Reserve Bank of Richmond, the second by Martin Boer and Jaime Vasquez from the International Institute of Finance, and the third by Anne Wetherilt and Anil Kashyap from the Centre of Economic Policy Research], ongoing public and private sector efforts to address cyber risk, the looming threats, and possible next steps to strengthen financial stability frameworks in light of the growing impact of cyber.
Kevin Stiroh, EVP and head of supervision at the Federal Reserve Bank of New York, outlined a principles-based supervisory approach regarding cybersecurity. Per Stiroh, cyber risks differ greatly from conventional operational risks because of three factors: a threat actor’s intent to harm, the dynamism and impact of cyber threats, and the skill mismatch between conventional financial service risk managers and those needed to control cyber risks. The best way forward, Stiroh highlighted, is to leverage current supervisory and risk management frameworks (the processes of risk identification, measurement, mitigation, monitoring and reporting, controls, and board oversight) to tackle cyber risks. However, he emphasized the need for international collaboration and harmony across regulatory jurisdictions to address the cyber threat and keep pace with the evolving cyber risk landscape. Stiroh concluded that the system benefits from close alignment between individual firm and sector interests: “microprudential and macroprudential objectives [as they relate to cyber risks] are reinforcing.”
Two important takeaways emerged from the day’s discussion. First, the industry needs a common lexicon to define and classify cyber threats and incidents, so that it can assess their systemic impact as a whole and devise macroprudential risk mitigation solutions. Second, collaboration and information sharing are critical. Conferences such as CRFS’s and formal industry consortiums devoted to understanding cyber serve as a foundation upon which industry and regulatory capacity to mitigate the cyber threat can be developed. With those two criteria in place, the industry can work towards quantitative metrics to model the systemic impact of cyber incidents and rigorously test which investments are most beneficial in strengthening resiliency.
An after-action report delving into the content of the conference in more detail will be published during the upcoming summer months.
The CRFS project works to foster dialogue between experts in academia, industry, and government at the intersection of cybersecurity and financial stability to strengthen resilience in the financial industry. It is led by Jason Healey, director of the Program on Future Cyber Risks and a senior research scholar at SIPA; Patricia Mosser, director of the Initiative on Central Banking and Financial Policy and a senior research scholar and senior fellow at SIPA; and Katheryn Rosen, SIPA adjunct professor of international and public affairs and former deputy assistant secretary for financial institutions policy of the U.S. Department of Treasury. The project also includes Merit E. Janow, the dean of SIPA.
In December 2018, CRFS published a working paper titled “The Ties that Bind: A Framework to Assess the Linkage between Cyber Risks and Financial Stability.” The working paper outlines the transmission channels through which cyber risks can transform into financial systemic risks and the ways in which those risks can amplify or dampen systemic impacts.
— Andrew Quartuccio MIA ’19 and Claire Teitelman MPA ’19