
The Seventh Annual State-of-the-Field Conference on Cyber Risk to Financial Stability, co-hosted by the New York Fed, brought together researchers, practitioners, and policymakers at Columbia University’s School of International and Public Affairs on April 17. Through research presentations and panel discussions, the conference examined emerging threats to financial sector stability, distilling what the industry is learning and what more can be done.
Visibility Is the Foundation of Financial Stability
Research presented at the conference, available at the event page, underscored that what cannot be measured cannot be managed. In banking, both cybersecurity posture and bank characteristics are important predictors of future incidents. On cyber losses, cyber insurance has generally covered a meaningful share of economic damage when purchased, and truly catastrophic single-firm losses remain rare. However, as speakers cautioned, a relatively benign track record so far does not mean a large-scale loss cannot happen in the financial sector—only that it hasn’t yet. Better mapping of dependencies in financial networks could have flagged systemic effects of previous cyberattacks.
Third-Party Risks in Financial Services
The conference featured a fireside chat between former U.S. Treasury Secretary Jacob Lew and IBM chairman and CEO Arvind Krishna, who also sits on the New York Fed’s board of directors. They discussed the cybersecurity challenges posed by third parties in the financial sector, such as outside vendors. Krishna said third-party risk is worse today than 10 years ago.
“The very large firms, the top dozen or the top five, they are under so much scrutiny, they’ve gotten better; the amount of monitoring they do is really robust,” Krishna said. He noted that the bottom 3,000 financial firms have outsourced their cyber defenses to adept contractors, meaning they’re reasonably well-defended. “That leaves the middle thousand,” he said. These mid-tier financial firms are more likely to hire vendors who promise to do things faster or cheaper, opening themselves to risks.
Researchers discussed how concentration within IT supply chains creates underappreciated systemic vulnerabilities. When a single cybersecurity vendor protects a substantial portion of the financial sector, smaller, overlooked components of networks can create outsized systemic risk.
The Imperative of Resilience and Recovery
A critical theme was that prevention is an insufficient strategy for the financial sector. Incidents should be treated as endemic. The more consequential questions are how quickly a financial institution can recover and how effectively it can operate under degraded conditions. Patricia Mosser, a senior research scholar at Columbia School of International and Public Affairs, said, “Maybe we’re not doing such a bad job at prevention, but resilience and recovery—if you could spend more time, that’s where you’d focus it.”
The engineering orientation in the cybersecurity field, which emphasizes optimizing to prevent failure, needs to incorporate a crisis management orientation that assumes failure will occur, speakers said. They emphasized that financial organizations need to plan for and practice how they will operate effectively under degraded conditions, both externally and internally.
The Quantum Computing Threat
Speakers discussed the imminent threat of quantum computing to financial data security, with “Q Day”—the day when quantum computers are able to break current encryption standards—potentially just years away. In addition, Lew and Krishna discussed how attackers are taking a “harvest now, decrypt later” approach, gathering encrypted data now with the strategy that once quantum computers can break the encryption, they’ll be able to extract private information. Speakers pointed to strategies for addressing this threat, including adopting alternative encryption methods.
AI Accelerates Everything, Including the Stakes
AI featured across every session as both threat and tool for financial institutions. On the one hand, AI tools mean attackers can discover and exploit vulnerabilities in seconds rather than hours or days. This has enabled attackers to evade defense systems, giving them the potential for precision targeting of critical financial infrastructure nodes—a shift from indiscriminate to surgical disruption.
On the defensive side, the velocity of AI-enabled attacks has exceeded human response capacity, making AI-assisted defense necessary for financial institutions. Speakers identified credential compromise, third-party exposure, and deepfake-enabled fraud as the most immediate and underappreciated vectors. The broader governance challenge is that AI risk spans cybersecurity, supply chain, geopolitics, and regulation, leaving most financial organizations without a single owner for the full picture.
The event agenda and research papers are on the SIPA Cyber website, and the full recording is available online.
Danny Brando is deputy chief risk officer and head of risk response and resiliency at the New York Fed.
Charles Olajide Falajiki is a Joint Japan World Bank Scholar in the MPA in Development Practice at Columbia University.
The views expressed in this article are those of the contributing authors and do not necessarily reflect the position of the New York Fed or the Federal Reserve System.