On February 5th, 2020, the president of the European Central Bank (ECB), Christine Lagarde, warned that a cyber attack on a major financial institution could trigger a systemic financial crisis. Specifically, operational outages in which balance accounts at a major bank are encrypted or destroyed could cause a liquidity crisis. Lagarde’s statement is a good reminder to take a closer look at the systemic risk surrounding financial institutions as a bedrock of critical infrastructure in the global economy, and to consider the evolving threat landscape for these institutions.
Most cyber attacks against banks and financial institutions follow the classic heist model - either for cash or for data. North Korean hackers stole $100 million from Bangladesh’s central bank in the 2016 SWIFT attacks, cyber criminals from the Carbanak group stole over $1 billion from hundreds of banks around the world from 2013 to 2018, and the 2014 JP Morgan data breach exposed PII and PCI including SSNs for 83 million customers around the world. The type of attack that would cause a liquidity crisis, however, would be much more destructive in nature - more Godzilla than Ocean’s 11.
A number of trends indicate that the systemic cyber risk to financial institutions is growing. The increasing digitalization of the financial industry, with the explosion of mobile and online banking, the prevalence of online payment systems, the rise of e-commerce, and the emerging impact of fintech products and services digitizing everything from financial transfers to stock trading, creates a wider variety of attack surfaces for threat actors. New and emerging fintech companies with lower security maturity remain vulnerable and can cause rippling effects if compromised, due to the increasing interconnectedness of players in the financial ecosystem. The financial industry continues to weather the second-highest volume of cyber attacks among all major industries, according to FireEye’s 2020 M-Trends Report.
How could a cyber attack of the kind referenced by the ECB occur and trigger a liquidity crisis? Firstly, the attack would likely have to impact several institutions simultaneously in order to reduce the supply of available liquidity enough to trigger a widespread cash shortage that would cascade as organizations rushed to withdraw money, causing a severe cash flow problem for companies around the world. Secondly, an attack of this nature would not necessarily have to be targeted; an outbreak of destructive ransomware with similarities to Ryuk, WannaCry, or Locky could infect several banks via phishing or a zero-day vulnerability and cause long-lasting outages that shut down financial transactions. Wiper malware resembling Shamoon, NotPetya, or ZeroCleare (which targeted energy companies in the Middle East in 2019) could target the databases of a leading financial institution and irreparably damage files. Additionally, a distributed denial of service (DDoS) attack targeting either the online banking services of major banks (similar to the 2018 attack which shut down major Dutch banking websites) or the data centers of financial service organizations (akin to the March 2019 banking DDoS attacks reported by Akamai) could result in customers being unable to conduct transactions.
The World Economic Forum’s 2020 Global Risk Report cites cyber attacks as among the top 10 global risks in terms of likelihood and impact, with cyber attacks on infrastructure expected to increase in 2020. CyberCube’s Portfolio Manager product provides analytics and economic loss estimates behind these risks, including cyber aggregation scenarios impacting the financial services industry and global critical infrastructure. For now, Christine Lagarde’s warning is prescient, but remains one of many potential cyber catastrophe scenarios posing risk to the global economy.