The Defender’s Dilemma: Understanding Cybersecurity in Financial Systems
According to Jón Danielsson, director of the Systemic Risk Center at the London School of Economics, “Hostile agents must find part of the system to attack, while defenders must protect the entire system. We call it the defender’s dilemma.” This issue is growing more critical as malicious agents, which can include terrorists, criminals, and nation-states, pose increasing threats to financial systems.
Asymmetry in Resources: Attackers vs. Defenders
Danielsson highlights that the resources required for conducting an attack are significantly lower than those needed for comprehensive defense efforts. “The asymmetry between defenders and attackers continues to grow as we increasingly rely on AI,” he emphasized. To counter this growing threat, he advocates for a more diverse system to enhance resilience against potential cyber attacks.
A cyber attack would have acted as a systemic crisis amplifier
Geopolitical Factors: The Role of Nation-States
Nicolas Veron, a principal researcher at Bruegel and the Peterson Institute for International Economics, expresses concern over the current American administration’s “very antagonistic” stance towards its allies. He argues that when evaluating cyber threats, nations should also consider potential risks posed by the United States itself. “We must think in terms of tail scenarios,” Veron cautioned, emphasizing the need for a comprehensive approach to cybersecurity.
The Intersection of Cyber Attacks and Financial Instability
Danielsson stresses the importance of evaluating both financial system instability and technological vulnerabilities concurrently. His assessment indicates that a cyber attack during periods of liquidity tension, akin to the 2008 financial crisis, could have devastating effects. He noted, “A cyber attack would have acted as a systemic crisis amplifier,” suggesting that successful cyber attacks today would likely coincide with liquidity crises.
Adapting to Rapidly Changing Financial Landscapes
“Liquidity pads during an era of AI and the calibration of the Liquidity Coverage Ratio (LCR) may soon become obsolete,” warned Danielsson. He proposed that central banks need to adapt their crisis response mechanisms, particularly in relation to AI advancements. Automatic triggering of liquidity facilities could drastically reduce the time it takes to respond to impending crises, which may soon become a matter of minutes or seconds.
Mixed Preparedness Among European Banks
John Berrigan, director general of financial stability and capital markets at the European Commission, notes a growing concern for cyber threats among banks. “The banks came to me and talked about how cyber threats are their biggest worry, yet they struggle to justify investing in them,” he revealed. Despite initial reluctance to share information, Berrigan acknowledged a positive trend where banks are beginning to collaborate more effectively, realizing that a cyber attack on one could imply a similar risk for others.
Legislative Measures to Enhance Cyber Preparedness
Improvements in cybersecurity preparedness have been noted, particularly due to legislation like the Digital Operational Resilience Act (Dora), which delineates how financial institutions should organize their defenses. Nevertheless, Berrigan emphasized that addressing systemic cyber risks—where the entire financial ecosystem is simultaneously targeted—demands ongoing attention and robust strategies to ensure the resilience of financial systems.