The following is a review of the Current Issues in Financial Markets principles designed to address the learning
objectives set forth by GARP®. Cross Reference to GARP Assigned Reading —Kopp, Kaffenberger, and Wilson.
READING 75: CYBER RISK, MARKET
FAILURES, AND FINANCIAL STABILITY
Kopp, Kaffenberger, and Wilson
EXAM FOCUS
Cyberattacks on financial institutions are becoming increasingly more frequent and complex.
As a result, firms and regulators are introducing methods to better measure and manage cyber
risks. For the exam, understand reasons that the private market may fail to provide optimal
levels of cybersecurity. Also, be able to describe how cyber risks impact the stability of the
financial markets. Finally, be able to identify measures that can help increase resiliency to
cyber risk.
MODULE 75.1: CYBER RISK, MARKET FAILURES, AND
FINANCIAL STABILITY
Optimal Level of Cybersecurity
LO 75.a: Evaluate the private market’s ability to provide the socially optimal level of
cybersecurity.
There are several reasons that the private market may fail to provide the socially optimal level
of cybersecurity (the level that equates the social costs and benefits of cybersecurity at the
margin). These reasons can be categorized into (1) information asymmetries, (2) misaligned
incentives, (3) externalities and coordination failures, and (4) risk concentration.
Information asymmetries:
• Firms often lack information about the probability of a successful cyberattack.
• Firms do not have good information about the extent of their potential liabilities from
cyberattacks.
• Firms often do not have good information about the effectiveness of their existing (or
additional) cybersecurity.
Misaligned incentives:
• Firms have an incentive to not share their experiences regarding successful
cyberattacks and their costs because of perceived risk to their reputations. Without
good information about the actual cost of a cyberattack, firms may spend too little on
cybersecurity.
• In addition to the problems of moral hazard and adverse selection, cyberattack
insurance may lead firms to underspend on cybersecurity as they do not take into
account the effects of insurance claims on their future premiums.
Externalities and coordination failures:
• Firms on a common network may not consider the positive effects their cybersecurity
spending has on the returns from cybersecurity spending by other firms on the network.
• Firms may even spend less on cybersecurity as other firms spend more (free-ride) as
their own vulnerabilities are perceived to be lessened by the actions of others.
• Widely used software may have flaws as companies prefer being faster to market
(compared to later release with fewer flaws) because they do not fully consider the costs
that security flaws impose on users of the software.
• The development costs of improved software security are high and often not economic
until software sales reach a relatively high level with significant market share.
• If firms do not consider the positive effects of their cybersecurity spending on others
(the social benefits), spending will be suboptimal without effective coordination and
cooperation in their decision-making.
Risk concentration:
• Economies of scale in providing software, hardware, and internet access can lead to
industry concentration, with a few large providers serving a high percentage of market
participants.
• When a significant proportion of financial services firms use the same software or
hardware, they share the same risks of cyberattack. This can lead to concentrated risks
and increase the probability that a successful cyberattack will have systemic effects on
the financial services industry.
• The market for cyber insurance is also highly concentrated, with the top three providers
accounting for approximately 40% of the insurance in force. A systemic attack on the
financial services industry could lead to failure of insurance providers because the risks
they insure are highly correlated.
Systemic Cyber Risk
LO 75.b: Describe how systemic cyber risk interacts with financial stability risk.
Firms typically focus on preventing or reducing idiosyncratic (firm-specific) risk and do not
focus on systemic risk. Systemic risk is the result of common risk exposures (highly
correlated risks), risk concentration, and contagion effects. All of these risk factors are
present in the financial system.
Common risk exposures of financial firms result from the use of common networks and
platforms, such as the Society for Worldwide Interbank Financial Telecommunications
(SWIFT) messaging platform for cash transfers among financial institutions, trading
platforms for financial securities, common operating platforms, and common cloud servers.
Risk concentration is evidenced by the fact that a few financial institutions handle a high
proportion of certain financial transactions (e.g., currency trading). As noted previously, risk
concentration also results from reliance on a small number of cyber risk insurers and from
common use of specific networks, operating systems, cloud servers, and trading platforms.
Contagion refers to the effects of a cyberattack on one company or institution that also affect
other companies or institutions. In an extreme case, this may result in systemic shocks to or
significant failures of the financial system. A lack of liquidity can spread as a company
experiencing shock from a cyberattack ceases to honor its obligations to other companies
who, in turn, cannot honor their obligations to others. When assets are sold in response to a
lack of liquidity, prices fall, putting stress on other firms or institutions that leads to further
asset sales and additional contagion effects. A successful cyberattack on a firm (or multiple
firms) may cause others to step away from doing business with the affected firms so that
damage to the affected firm’s liquidity can quickly spread across the financial system and
damage overall financial stability.
With the increasing size, complexity, and interconnectedness of the financial system, the
probability that systemic cyber risk will increase the risk of financial system instability or
failure can be expected to increase over time.
Reducing Systemic Risk
LO 75.c: Evaluate the appropriateness of current regulatory frameworks and
supervisory approaches to the reduction of systemic risk.
The current regulatory framework for financial services firms focuses on overall operational
risk. Operational risk is the risk of losses due to poor internal processes, employees, or
systems, as well as legal risk and risk events outside the firm. IT-related risk is treated as part
of overall operational risk, and cyber risk is treated as a component of IT-related risk. In this
context, IT risk management standards have primarily addressed problems of data recovery
and business continuity planning.
Regulators in the financial services industry focus on the risk of not meeting minimum
amounts of regulatory capital, which is often based on tail risk. Tail risk is the probability of
extreme losses over some specific time period. Scenario analysis often examines the effects
of deviations from an organization’s assumed correlations among its various operational loss
exposures. More broadly, we can view scenario analysis as an examination of the potential
losses from multiple operational loss events. Firms must set aside capital to protect the firm
from such estimated losses.
Current regulation is organized around firm functions. The Committee on Payments and
Market Infrastructures (CPMI) provides minimum standards for managing operational risk
for central and international banks. The International Association of Insurance Supervisors
(IAIS) is a standards-setting body, comprising insurance regulators from over 140 countries.
The International Organization of Securities Commissions (IOSCO) is a global association of
the regulators of securities and futures markets. While much of the risk management
regulation regarding IT risks is well developed, cyber risk is newer, and is changing over
time.
The G7 have put forward a framework for the management of cyber risk, which includes
cybersecurity strategy and framework; governance; risk and control assessment; monitoring;
response; recovery; and information sharing. Their aim is to provide these elements as a
starting point for regulators and financial institutions to design cybersecurity regulations and
processes. Regulators in various jurisdictions can use the elements in creating regulations and
supervisory functions to fit the circumstances of their jurisdiction. Because the nature of
cyberattacks and vulnerabilities is changing over time, the specifics of each element will need
to be changed over time to address new threats.
Many countries have begun to address cyber risks as a set of risks distinct from other IT risks.
In the United States, bank regulators include cyber risk in the scenarios designed to evaluate
overall operational risk. The FDIC, Federal Reserve Bank, and the OCC have begun the
process of establishing regulations regarding cybersecurity practices for the institutions they