In 2016, hackers — suspected to be from North Korea — stole $81 million from Bangladesh’s central bank by using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) international payments network. In February, SWIFT agreed to help the bank rebuild the payments infrastructure that facilitated what is believed to be the world’s largest cyber heist.
According to a paper issued in March by the Carnegie Endowment for International Peace, the hackers used a “hot patch” of the payments system to bypass security features. They also built custom malware to carry out the attack, which the authors described as an “unprecedented escalation” of cybercrime.
Bankers, regulators and big investors continue to worry about another hack of the SWIFT system. However, beyond cyber heists, policy makers now have a much bigger concern: a future attack on the financial system's network infrastructure, or on a big bank, could trigger the next global economic crisis.
“We are all aware of what happened in the great financial crisis,” David Hunt, CEO of PGIM, Prudential Financial Inc.’s global investment management business, told a confab of big investors and executives in April at the annual Milken Institute Global Conference in Beverly Hills, California. “But the next crisis is likely to come from technology and cyber.”
Hunt and other top C-suite officials and bankers at major US institutions have been sounding the alarm in recent months around cyber risk. Key issues include payment exchange platforms and vulnerabilities at large financial institutions, all of which could cause a cascading crisis.
“What worries me the most would be an actual attack on the infrastructure of the financial markets that creates a shutdown of the major pipes for how we do business,” said Hunt. “It is something we spend a lot of time working on and investing in.”
The Carnegie Endowment study, “The Cyber Threat Landscape,” reported that state and non-state attackers are building advanced capabilities to target core banking systems, particularly around payment messaging and transaction authorization.
Tim Maurer, co-director of the Carnegie Endowment’s Cyber Policy Initiative, contends that hackers only began targeting payment processing systems in recent years. Policy makers acknowledge that the financial system and infrastructure for payments need to be strengthened, with low-income countries and regions needing more assistance than others.
“Beyond being worried about a single firm failing, the concern is about choke points in the system,” Maurer said in an interview. “We need to raise everyone to the same level of cyber security. We need to build capacity in low-income countries that could be targeted by threats to steal funds.”
A case in point is the 2016 cyber attack in Bangladesh, suspected to be a state-sponsored North Korean effort, which points to the need to build up network infrastructure protections for banks in low-income countries.
According to Maurer, major economies need to develop norms and mechanisms to hold cyber criminals accountable across state lines. “We need to come up with ways to deter these actors, whether they are state-sponsors or not,” Maurer said.
The Carnegie Endowment wants the major economies of the Group of Twenty to collectively refrain from using cyber tools to “corrupt the integrity of data in the financial system and to cooperate when such attacks do occur.”
Regulators are keenly aware of the concerns. Jay Clayton, chief of the US Securities and Exchange Commission, didn’t mince words when he suggested on April 9 that regulators still have work to do to make sure exchanges, clearing houses (intermediaries between buyers and sellers of securities) and large banks are more resilient.
“There are a number of…single points of failure in our information economy that we need to make sure are resilient,” Clayton told Carlyle Group co-founder David Rubenstein at the Bloomberg event. “The ones we worry about are exchanges, clearing houses, large banks. If there is a cyber problem, are they able to get up and running quickly? We need to move to where we’re more comfortable that that’s happening.”
Beyond financial infrastructure, big banks need to do more or their failures could also unleash another global credit crunch. According to the Carnegie study, there were 94 cases of cyber attacks identified as financial crimes, including 23 believed to be connected to state sponsors, such as North Korea, China, Russia or Iran, over the past decade. A number have targeted large banks, among them the Bank of Montreal and the State Bank of India.
Even so, experts perceive that the biggest banks are more resilient against cyber attacks than their smaller counterparts, simply because they have more resources at their disposal to protect systems.
It is true that the biggest US banks are spending significantly more on cyber protection than many of their rivals. JPMorgan Chase spends $600 million a year on cyber security, CEO Jamie Dimon recently told a congressional panel on Capitol Hill. “All of us [big US banks] spend a huge amount of money to protect the privacy of the system,” Dimon said. “Cyber risk is probably the biggest risk I think the financial system faces in the world.”
At the same hearing, Morgan Stanley CEO James Gorman noted that the New York-based institution he oversees is spending $400 million on cyber security in 2019, up from $50 million in 2019. “This year, we will be spending in excess of $400 million on building so-called fusion centers in Baltimore, in New York, Singapore and Glasgow, all designed and working hand and fist with the government agencies,” Gorman said. “[Cybercrime] is the single most existential threat to the financial system, in my opinion.”
However, the biggest banks are also considered to be overly complex and dangerous to the economy. Many on the left and right haven’t forgotten the 2008 financial crisis and continue to push for a breakup of the largest “too-big-to-fail” financial institutions in an effort to protect the global economy from the cascading global impact of another Lehman Brothers-like collapse.
But at the Milken conference earlier this month, cyber security emerged as a top concern, and opposition to too-big-to-fail banks appeared to have dissipated. Instead of advocating for the breakup of big banks, panellists at the event urged regulators to allow banks to grow so they can invest in cyber security protections. “In banking…it’s no longer too-big-to-fail but too-small-to-scale,” State Street Corporation CEO Ronald O’Hanley told participants.
Even so, it is probably too simplistic to say that large institutions are generally more protected from cyber criminals than their smaller rivals. Big banks do have the resources to hire top cyber security talent; Carnegie’s Maurer says smaller institutions generally have a tougher time finding and retaining the kind of technology experts needed. Many community banks, for example, don’t have a chief security officer.
However, big banks have much bigger brands, which can make them more of a target. They also often have complex legacy systems retained from acquisitions, which may not have been integrated effectively and can expose institutions to attacks. “Smaller banks can be more agile,” Maurer said. “They are not large bureaucracies with so many levels.”
Even so, smaller banks may not see themselves as a target, which is a problem. “They think, ‘we’re not on anyone’s radar.’ But hackers will go after the low-hanging fruit,” Maurer said.
Still, many smaller banks have another kind of advantage: they can outsource security to sophisticated cloud service providers, such as Amazon Web Services or Microsoft. “This turns a small financial institution, from a security perspective, into one of the most tech-savvy companies,” Maurer said.
So far, attacks on both big and small institutions have not led to a cascading financial crisis. That said, a cyber attack against large banks or the global payments system is likely to produce the next crisis.
Are we prepared? Not at all, suggests Stephanie Flanders, senior executive editor at Bloomberg News. She summarized the conclusions of her Milken panel, which discussed cyber risks among other issues, as follows: “We’ve got no ammunition for fighting the next crisis and we think the system is completely unsustainable as it is, and we don’t really know how to fix it.”