The following is a review of the Current Issues in Financial Markets principles designed to address the learning objectives set forth by GARP®.

Cross Reference to GARP Assigned Reading: Kopp, Kaffenberger, and Wilson

READING 75: CYBER RISK, MARKET FAILURES, AND FINANCIAL STABILITY
Kopp, Kaffenberger, and Wilson

EXAM FOCUS

Cyberattacks on financial institutions are becoming increasingly frequent and complex. As a result, firms and regulators are introducing methods to better measure and manage cyber risks. For the exam, understand the reasons that the private market may fail to provide optimal levels of cybersecurity. Also, be able to describe how cyber risks affect the stability of the financial markets. Finally, be able to identify measures that can help increase resiliency to cyber risk.

MODULE 75.1: CYBER RISK, MARKET FAILURES, AND FINANCIAL STABILITY

Optimal Level of Cybersecurity

LO 75.a: Evaluate the private market's ability to provide the socially optimal level of cybersecurity.

There are several reasons that the private market may fail to provide the socially optimal level of cybersecurity (the level that equates the social costs and benefits of cybersecurity at the margin). These reasons can be categorized into (1) information asymmetries, (2) misaligned incentives, (3) externalities and coordination failures, and (4) risk concentration.

Information asymmetries:
- Firms often lack information about the probability of a successful cyberattack.
- Firms do not have good information about the extent of their potential liabilities from cyberattacks.
- Firms often do not have good information about the effectiveness of their existing (or additional) cybersecurity.

Misaligned incentives:
- Firms have an incentive not to share their experiences regarding successful cyberattacks and their costs because of the perceived risk to their reputations. Without good information about the actual cost of a cyberattack, firms may spend too little on cybersecurity.
- In addition to the problems of moral hazard and adverse selection, cyberattack insurance may lead firms to underspend on cybersecurity because they do not take into account the effect of insurance claims on their future premiums.

Externalities and coordination failures:
- Firms on a common network may not consider the positive effects their cybersecurity spending has on the returns from cybersecurity spending by other firms on the network.
- Firms may even spend less on cybersecurity as other firms spend more (free-riding), because their own vulnerabilities are perceived to be lessened by the actions of others.
- Widely used software may have flaws because companies prefer being faster to market (compared to a later release with fewer flaws) and do not fully consider the costs that security flaws impose on users of the software.
- The development costs of improved software security are high and often not economic until software sales reach a relatively high level with significant market share.
- If firms do not consider the positive effects of their cybersecurity spending on others (the social benefits), spending will be suboptimal without effective coordination and cooperation in their decision-making.

Risk concentration:
- Economies of scale in providing software, hardware, and internet access can lead to industry concentration, with a few large providers serving a high percentage of market participants.
- When a significant proportion of financial services firms use the same software or hardware, they share the same risks of cyberattack. This can lead to concentrated risks and increase the probability that a successful cyberattack will have systemic effects on the financial services industry.
- The market for cyber insurance is also highly concentrated, with the top three providers accounting for approximately 40% of the insurance in force.
  A systemic attack on the financial services industry could lead to the failure of insurance providers because the risks they insure are highly correlated.

Systemic Cyber Risk

LO 75.b: Describe how systemic cyber risk interacts with financial stability risk.

Firms typically focus on preventing or reducing idiosyncratic (firm-specific) risk and do not focus on systemic risk. Systemic risk is the result of common risk exposures (highly correlated risks), risk concentration, and contagion effects. All of these risk factors are present in the financial system.

Common risk exposures of financial firms result from the use of common networks and platforms, such as the Society for Worldwide Interbank Financial Telecommunications (SWIFT) messaging platform for cash transfers among financial institutions, trading platforms for financial securities, common operating platforms, and common cloud servers.

Risk concentration is evidenced by the fact that a few financial institutions handle a high proportion of certain financial transactions (e.g., currency trading). As noted previously, risk concentration also results from reliance on a small number of cyber risk insurers and from common use of specific networks, operating systems, cloud servers, and trading platforms.

Contagion refers to the effects of a cyberattack on one company or institution that also affect other companies or institutions. In an extreme case, this may result in systemic shocks to, or significant failures of, the financial system. A lack of liquidity can spread as a company experiencing a shock from a cyberattack ceases to honor its obligations to other companies which, in turn, cannot honor their obligations to others. When assets are sold in response to a lack of liquidity, prices fall, putting stress on other firms or institutions; this leads to further asset sales and additional contagion effects.
A successful cyberattack on a firm (or multiple firms) may cause others to step away from doing business with the affected firms, so that damage to the affected firm's liquidity can quickly spread across the financial system and damage overall financial stability. With the increasing size, complexity, and interconnectedness of the financial system, the probability that systemic cyber risk will increase the risk of financial system instability or failure can be expected to increase over time.

Reducing Systemic Risk

LO 75.c: Evaluate the appropriateness of current regulatory frameworks and supervisory approaches to the reduction of systemic risk.

The current regulatory framework for financial services firms focuses on overall operational risk. Operational risk is the risk of losses due to poor internal processes, employees, or systems, as well as legal risk and risk events outside the firm. IT-related risk is treated as part of overall operational risk, and cyber risk is treated as a component of IT-related risk. In this context, IT risk management standards have primarily addressed problems of data recovery and business continuity planning.

Regulators in the financial services industry focus on the risk of not meeting minimum amounts of regulatory capital, which is often based on tail risk. Tail risk is the probability of extreme losses over some specific time period. Scenario analysis often examines the effects of deviations from an organization's assumed correlations among its various operational loss exposures. More broadly, we can view scenario analysis as an examination of the potential losses from multiple operational loss events. Firms must set aside capital to protect the firm from such estimated losses.

Current regulation is organized around firm functions. The Committee on Payments and Market Infrastructures (CPMI) provides minimum standards for managing operational risk for central and international banks.
The International Association of Insurance Supervisors (IAIS) is a standards-setting body comprising insurance regulators from over 140 countries. The International Organization of Securities Commissions (IOSCO) is a global association of the regulators of securities and futures markets.

While much of the risk management regulation regarding IT risks is well developed, cyber risk is newer and is changing over time. The G7 have put forward a framework for the management of cyber risk, which includes cybersecurity strategy and framework; governance; risk and control assessment; monitoring; response; recovery; and information sharing. Their aim is to provide these elements as a starting point for regulators and financial institutions to design cybersecurity regulations and processes. Regulators in various jurisdictions can use the elements in creating regulations and supervisory functions to fit the circumstances of their jurisdiction. Because the nature of cyberattacks and vulnerabilities is changing over time, the specifics of each element will need to be changed over time to address new threats.

Many countries have begun to address cyber risks as a set of risks distinct from other IT risks. In the United States, bank regulators include cyber risk in the scenarios designed to evaluate overall operational risk. The FDIC, Federal Reserve Bank, and the OCC have begun the process of establishing regulations regarding cybersecurity practices for the institutions they