At a conference at the New York Fed on April 12, EVP Kevin Stiroh discussed the issue of cybersecurity from the perspective of a bank supervisor. He noted that cybersecurity is one of many aspects of operational resiliency for firms:
“Our approach to cybersecurity is embedded in the broader supervisory and risk management frameworks…. We see notable similarities to other shocks that could impact a firm’s operational resiliency, safety and soundness, and ability to continue to provide financial services in a sustainable way.”
But he also pointed out important differences between cyber threats and what might be considered traditional risk areas for firms. One difference is motivation:
“Asset quality or market prices may change unexpectedly and weather events may prove disruptive, but they lack intent to harm. By contrast, cyber events, by definition, involve an intention to steal, disrupt, or destroy.”
Another is the nature of the disruption, including potential impacts on data confidentiality, integrity, and availability:
“Cyber attacks that involved data corruption or destructive malware are unique to a cyber threat and can have an immediate and devastating impact…. Even if a firm can recover from a data corruption cyber-attack, when would customers and clients trust them as a counterparty?”
And a third challenge from a risk management perspective is the amount of human capital required to manage cyber defense:
“Cyber security requires a different set of skills and abilities… Acquiring and retaining the critical talent for these activities is a growing challenge.”
These complexities notwithstanding, cyber resiliency is an area “where the incentives of the private and public sector are closely aligned,” and it is increasingly important for all sides “to collaborate, share information, and learn from one another about threats, responses, and best-practice approaches.”
“Supervisors can contribute to this debate by continuing to emphasize the critical importance of a strong risk culture with the appropriate governance and controls framework.”
This article was originally published by the New York Fed on Medium.
The views expressed in this article are those of the contributing authors and do not necessarily reflect the position of the New York Fed or the Federal Reserve System.
