A pre-mortem analysis sounds … ominous.
Mortem, after all, is Latin for “dead.” And the term is attached to a report from the New York Federal Reserve detailing the dangers of cyberattacks.
Might we make an official pronouncement on the matter?
Yikes.
In the business world, a pre-mortem analysis starts at a hypothetical point of failure. Then those conducting the analysis work backward and look toward points or events that lead to the failure itself.
The official title of the paper, written by analysts Thomas M. Eisenbach, Anna Kovner and Michael Junho Lee, is “Cyber Risk and the US Financial System: A Pre-Mortem Analysis.”
The cyberattack in question could wreak havoc on financial firms. And the paper notes that financial services firms – amid a general level of “increasing concern” – are experiencing more than 300 times the number of attacks than other types of firms.
The authors seek to quantify how the attacks may be “amplified” through the financial system. The ripple effects would, of course, be far-reaching.
And there remains the risk of bank runs, which would lead to solvency issues.
“When a cyberattack compromises the availability or integrity of an institution’s system and/or data – unlike in a traditional run, cyberattacks may impair the ability of the bank to service running creditors,” wrote the authors. “In such a scenario, the classic first-mover advantage would be weakened, potentially limiting the incentive to run. On the other hand, uncertainty regarding the nature and extent of the attack could prompt runs to occur in segments of banks’ operations that are otherwise unaffected.”
Of particular lure to would-be hackers and attackers: wholesale payments.
“Wholesale payments are one of the most critical networks for resiliency,” according to the paper. “Indeed, high-value payment and settlement systems may be a natural candidate for a malicious attacker intent on inflicting the largest possible damage to the financial system and the broader economy.”
In the scenarios offered in the study, one assumption is that an attacked institution receives payments but is unable to send them for a single full day. Accumulating payments means that the impacted firms “soak up liquidity, effectively acting as a liquidity black hole.” If any large institutions are prevented from sending payments, 6 percent of institutions breach their end-of-day reserves thresholds. The spillover then impacts 38 percent of bank assets.
The numbers are even higher upon considerations of disruptions at the county level, due to high banking concentration within many U.S. counties, the authors added.
And in terms of the amplified impact, “When banks respond to uncertainty by liquidity hoarding, the potential impact in foregone payment activity is dramatic, reaching more than 2.5 times daily GDP,” according to the estimates.
“If a cyberattack were to compromise the integrity of banks’ systems, the reconciliation and recuperation process would be an unprecedented task,” the paper said.
And among the responses? The Fed authors state that there might be the need for post-cyberattack liquidity injections or even bank holidays tied to efforts to recover affected systems.