On June 18, Anil Kashyap, a professor at the University of Chicago Booth School of Business and external member of the Bank of England’s Financial Policy Committee, testified before the United Kingdom Parliament’s Treasury Committee that it was only “a matter of time before [a cyberattack] happens on a big scale,” and that the Bank of England “was vulnerable despite preparing its defences.”
Although United Kingdom banks reportedly “have focused mainly on stopping service outages,” Professor Kashyap warned that “the falsification of transaction records and other data was an even bigger danger.” “If you wanted to do maximum damage,” he testified, “that is what you would probably do if you were a state actor.”
Professor Kashyap also stated that cyberattacks on bank records “would be especially damaging as it would not be easy to identify which records were accurate and which had been corrupted.” In his words, “You have this difficult situation where you have to restore the system, where you could be restoring a corrupt system.”
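The restoration problem described above has a standard engineering answer: tamper-evident, hash-chained transaction records whose head hash is anchored out of band, so that an institution can tell which records are intact and which snapshot is safe to restore from. The following is an added illustration, not code from the testimony or from any bank or regulator; the record fields, account names, daily-anchor scheme and snapshot labels are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain hash before the first record (assumed convention)


def chain_hash(prev_hash: str, record: dict) -> str:
    """Hash that commits to this record AND to every record before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"|" + payload).hexdigest()


def build_ledger(records):
    """Append records one by one, each entry storing its chain hash."""
    ledger, prev = [], GENESIS
    for rec in records:
        h = chain_hash(prev, rec)
        ledger.append({"record": dict(rec), "hash": h})
        prev = h
    return ledger


def head_hash(ledger):
    """The value to publish out of band (e.g. to a regulator or WORM store) each day."""
    return ledger[-1]["hash"] if ledger else GENESIS


def verify_ledger(ledger, anchor):
    """Recompute the chain. Returns (ok, first_bad_index).

    A record edited in place breaks the chain at its own index.  An attacker
    who edits a record and recomputes every later hash, or who truncates the
    tail, produces an internally consistent chain; only the comparison with
    the out-of-band anchor catches that, reported at index len(ledger).
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if chain_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if prev != anchor:
        return False, len(ledger)
    return True, None


def edit_record(ledger, index, rechain=False, **changes):
    """Return a modified copy: a naive edit, or an edit with all later hashes rebuilt."""
    copy = [{"record": dict(e["record"]), "hash": e["hash"]} for e in ledger]
    copy[index]["record"].update(changes)
    if rechain:
        prev = copy[index - 1]["hash"] if index else GENESIS
        for e in copy[index:]:
            e["hash"] = chain_hash(prev, e["record"])
            prev = e["hash"]
    return copy


def pick_restorable_snapshot(snapshots):
    """snapshots: [(label, ledger, anchor_recorded_that_day), ...] oldest first.
    Returns the newest label whose chain verifies, i.e. the newest backup that is
    known not to be 'a corrupt system'; None if nothing verifies."""
    for label, ledger, anchor in reversed(snapshots):
        if verify_ledger(ledger, anchor)[0]:
            return label
    return None


# Constructed sample transactions (not real data).
TRANSACTIONS = [
    {"id": 1, "from": "ACC-100", "to": "ACC-200", "amount": 250.00},
    {"id": 2, "from": "ACC-200", "to": "ACC-300", "amount": 75.50},
    {"id": 3, "from": "ACC-300", "to": "ACC-100", "amount": 1200.00},
    {"id": 4, "from": "ACC-100", "to": "ACC-400", "amount": 40.00},
]
LEDGER = build_ledger(TRANSACTIONS)
ANCHOR = head_hash(LEDGER)          # published at end of day 2 in this scenario
DAY1_LEDGER = LEDGER[:2]
DAY1_ANCHOR = head_hash(DAY1_LEDGER)  # published at end of day 1

if __name__ == "__main__":
    print("clean:", verify_ledger(LEDGER, ANCHOR))
    print("naive edit:", verify_ledger(edit_record(LEDGER, 2, amount=99999.0), ANCHOR))
    print("rechained edit:", verify_ledger(edit_record(LEDGER, 2, rechain=True, amount=99999.0), ANCHOR))
    print("truncated:", verify_ledger(LEDGER[:-1], ANCHOR))
    tampered = edit_record(LEDGER, 2, rechain=True, amount=99999.0)
    print("restore from:", pick_restorable_snapshot([("day1", DAY1_LEDGER, DAY1_ANCHOR), ("day2", tampered, ANCHOR)]))
```

The design point is the anchor: a hash chain alone tells you that records are consistent with each other, not that they are the records you wrote, so the daily head hash has to leave the institution's own control (a regulator, an independent custodian, a write-once store) for the "which snapshot is safe to restore" decision to be trustworthy.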
In addition, Professor Kashyap cautioned Members of Parliament that financial institutions “risked focusing too much on dangers that would damage their individual reputations, rather than threats to the system as a whole, such as overreliance on a handful of providers of cloud computing services.” He stated that he does not “really care if bank ‘x’ is offline for a week, even if it’s disastrous for their share price, if the services that they provide, that are critical, can be delivered in some other way. What is tricky is it could be the case that the (bank) board’s incentives of what to worry about are misaligned with the general incentives.”
Note: Professor Kashyap’s testimony reinforces a statement to Members of Parliament by Ciaran Martin, Chief Executive of the United Kingdom’s National Cyber Security Centre, “that a ‘category one’ attack that would disable the financial system and national energy supplies was a matter of ‘when, not if’.” Both witnesses’ views should be of substantial concern not only within the Financial Policy Committee, which is responsible for removing or reducing systemic risks to the United Kingdom financial system, but to Members of Parliament in general and the United Kingdom financial sector as a whole.
Much of the problem is that there is no predictable timeframe within which any particular agency or business must prepare for a major cyberattack. A systemic risk that has a low probability on any given day, but a high impact if and when it occurs, poses a substantial challenge for boards and Chief Financial Officers deciding how much to budget, and for how long, to address that threat. The challenge grows when, as with cybersecurity, the nature, variety, and sophistication of the threats are constantly changing.
Nonetheless, United Kingdom financial institutions, if they have not already done so, need to benchmark their cybersecurity programs on a sustained basis against each other and against financial institutions outside the United Kingdom. That benchmarking should cover not only cybersecurity budgets in general, but specific programs and practices such as fusion centers that speed strategic and tactical intelligence collection, analysis, and incident response.
As Professor Kashyap correctly indicated, state actors (including ostensibly private actors operating on their behalf) pose the greatest cyber-related risk over time to the financial system. A recent report by the Carnegie Endowment for International Peace has shown that “[c]yberattacks on financial institutions are increasingly being linked to nation-states.”
Financial institutions, in the United Kingdom and elsewhere, must therefore move beyond thinking of cybersecurity as a function linked solely to annual budgeting cycles, and treat the risk of a major cyberattack by at least one state actor as a genuine prospect for which they must be well-prepared on a continuing basis. The consequences, for any financial institution or government agency that should find its operations crippled for weeks or even months by such a state actor, are too great to risk.