Earlier this year, the New York Fed and Columbia University’s School of International and Public Affairs (SIPA) hosted the fifth annual State-of-the-Field Conference on Cyber Risk to Financial Stability. Since 2017, this collaboration between the New York Fed and SIPA has brought together practitioners from across cyber security and finance to focus on three central questions: What are we learning about cyber risk to financial stability? What are we doing? And what’s next?
Here are the key themes from the public portion of the event:
State of Play
The conference opened with remarks by Sushmita Shukla, chief operating officer of the New York Fed, and Charles Carmakal, chief technology officer of Mandiant, who discussed developments in cyber risk in recent years. Shukla drew parallels between traditional financial stability risk and cyber risk, noting that both involved hidden threats and interconnectedness between institutions. She also highlighted securing the cloud, reducing exposures, and continuously identifying and monitoring cyber threats as ongoing priorities for financial institutions. Carmakal noted that recent years have seen evolutions in intrusions by nation-states; changes brought on by the war in Ukraine; a rise in hacking for fun, fame, and financial gain; and increases in mass exploitation and extortion. In particular, he said threat actors have changed how they approach hacking for espionage purposes, with adversaries like China growing more advanced in their methods and tactics. Similarly, younger hackers who exploit for clout have created new challenges due to their ingenuity and persistence. Still, law enforcement continues to adapt to these changing dynamics, he said.
What Are We Learning?
In the first panel, participants discussed ongoing research on financial stability considerations arising from cyber risk. Ivan Ivanov, a senior economist at the Chicago Fed, pointed out the financial costs incurred by state and local governments due to hacking, noting that as the size of a government entity increases, the likelihood of a cyber incident also increases. He also argued that data breach notification laws, which impose penalties on state and local entities for not disclosing breaches, were ineffective penalty measures. Anastasia Kartasheva, an associate professor at the University of St. Gallen, presented findings from research on the growing market for cyber insurance in the United States, which has special features that affect financing and provision. She pointed out that reforms that imposed a tax on foreign-affiliated insurance transactions led to a decrease in the supply of cyber insurance as it became costlier to issue. And Alejandra Caro Rincon, an associate director at Moody’s Analytics, discussed the impact of cyber events on credit risk and demonstrated how weaknesses in cybersecurity practices could translate into material financial losses. She also emphasized the need for industry to adopt a risk management framework for cyber risk.
Next, in a moderated discussion, former interim National Cyber Director Kemba Walden discussed market aspects of innovation, pointing out that venture capital firms could invest in technology and software in a way that shortens the difference between being first to market and bringing a secure product to market. She also argued in favor of having minimum regulatory standards, noting that regulation in cyberspace without harmonization across industries and jurisdictions will not improve resilience. “Once we figure out what works well to solve our common cyber security problem—and there are common problems across all of the critical infrastructure sectors—then we can start figuring out how to regulate the uniqueness of each sector,” she said. “It’s a mammoth task.”
What Are We Doing? And What’s Next?
During the conference’s second and third panels, which were off the record, experts representing both the private sector and the official sector shared perspectives on the current state of cybersecurity preparedness and response to maintain financial stability. They also offered views on technological innovations and emergent trends, including artificial intelligence, automation, and open-source software, and their implications for cybersecurity.
We would like to acknowledge Jason Healey, Christine Elizabeth McNeill, Patricia Mosser, and Virpratap Vikram Singh—our Columbia SIPA counterparts who contributed to this article.
Michael Junho Lee is a financial research economist in Money and Payments Studies in the New York Fed’s Research and Statistics Group.
Anna Kovner is an executive vice president and the director of research at the Richmond Fed.
The views expressed in this article are those of the contributing authors and do not necessarily reflect the position of the New York Fed or the Federal Reserve System.