A well-planned cyberattack on the U.S. banking system could have a devastating effect on U.S. financial stability, according to new research from the Federal Reserve Bank of New York.
In a paper termed a “pre-mortem analysis” that was released Monday, bank analysts Thomas Eisenbach, Anna Kovner, and Michael Junho Lee looked at how banks would react to cyberattacks that impaired their ability to process payments between banks.
“If a cyber attack were to compromise the integrity of banks’ systems, the reconciliation and recuperation process would be an unprecedented task,” the authors wrote. “This could have severe implications on the stability of the broader financial system vis-à-vis spillovers to investors, creditors, and other financial market participants.”
The paper examined what would happen if there was an attack that affected the five biggest banks involved in the payments system.
“A cyber attack on any of the most active U.S. banks that impairs any of those banks’ ability to send payments would likely be amplified to affect the liquidity of many other banks in the system,” the authors wrote. “The extent of the amplification would be even greater if banks respond strategically, which they are likely to do if there is uncertainty about the attack.”
The paper notes that a cyberattack has a lot in common with an old-school bank run, where a bank is unable to provide money to customers who want their funds, and panic ensues.
The authors said their findings were based on studying data from Fedwire, the central bank’s widely used payment processing system. They wrote that “high-value payment and settlement systems may be a natural candidate for a malicious attacker intent on inflicting the largest possible damage to the financial system and the broader economy.”
They noted that given the ebbs and flows of activity in the payments system, the timing of an attack could increase damage. The paper said if a cyberattack impaired the financial system broadly enough, “the potential impact in forgone payment activity is dramatic, reaching more than 2.5 times daily GDP.”
Concern over cyberattacks against the U.S. government, its allies, or companies responsible for infrastructure including in the banking sector, has increased since the U.S. strike that killed an Iranian military leader.