Cyber risks also relevant to financial stability

Cyberthreats are posing increasing risks to financial institutions

Financial institutions are increasingly facing cyberthreats as the financial sector becomes more and more digitalised. For example, Dutch banks increasingly report operational losses due to cyber incidents. The proportion of European banks that reported they had been the target of one or more cyberattacks rose from 28% in 2018 to 40% in 2019. This and other trends have prompted financial institutions and supervisory authorities to place a stronger focus on cybersecurity. Cyberattacks aimed at disrupting critical economic sectors also contribute to this.

Potentially, a cyberattack could develop into a systemic crisis, for example, when a cyberattack renders vital digital processes in energy supply or transport inaccessible. A cyberattack targeting a financial institution or the financial infrastructure could also have major economic and social consequences if it results in the financial sector – or part of it – no longer functioning properly. For example, a cyber incident can undermine trust in the financial sector or jeopardise an institution's continuity. Cyberattacks can spread through the financial system at a rapid pace, for example because many institutions depend on the same systems for payment and securities transactions. The outsourcing of digital business processes also creates increasing concentration risks if a small number of specialised service providers work for a large number of financial institutions. 

Cyber stress test maps out the spread of a cyber incident through operational problems and a confidence shock

We have used scenario analyses to investigate how a cyber incident could threaten the Dutch banking sector. The study investigates two ways in which a cyber incident could become a problem for the financial system: due to operational problems and as the result of a confidence shock. DNB is one of the pioneers in this field.

In one of the scenarios, a cyber incident prevents a major bank from making payments via TARGET2, the payment system used for interbank transactions. As a result, other banks are not receiving part of their payments, which may cause them to run into liquidity problems. This happens when a bank's liquidity reserve is temporarily below the required minimum (risk level 1 in Figure 1).  Figure 1a shows that if a cyber incident should occur at one of the three large banks studied, at most one in eight receiving banks would face this situation. So as long as the cyber incident only affects one major bank, the chances of it developing into a systemic risk are limited. One explanation is that banks currently have large liquidity reserves. However, if we apply the scenario to a situation with less liquidity, the picture looks less favourable. Figure 1b shows that the proportion of banks running into problems then increases to 30-40%.

Figure 1: Share of Dutch banks that do not meet the reserve requirements (red) in the simulation

Note: The figure shows the proportion of recipient banks that may run into problems due to an operational problem at one of the three large banks (A, B and C). The simulation was carried out for each day in 2019 (2014); the figure shows the five days with the greatest effect.

A cyber incident could also lead to a systemic crisis if confidence in one or more banks is lost. In this scenario, the consequences of the incident remain unclear for a long time, and concerns about it are reinforced by negative media coverage. Customers and market participants lose confidence, which makes it harder for the bank to attract loans and induces customers to withdraw their savings. This stress scenario leads to a significant outflow of deposits, but the average Dutch bank still has plenty of liquid assets left. For the average Dutch bank, on top of the already assumed stress, 25% of stable deposits would have to be withdrawn before the bank runs out of liquidity. When additional market financing outflows are included, this point is reached at a deposit outflow of 13%. These are significantly higher percentages than the 5% outflow that banks must be able to absorb under the regulations.

The stress scenario analyses show that a cyber incident does not develop into a systemic crisis overnight, but that it is possible in certain situations. For example, operational problems may occur at a larger scale and simultaneously at several large banks. In that case it is more likely that the banking sector will run into trouble. Also, an incident may initially cause damage through the operational channel, and subsequently lead to a confidence shock. Therefore, further analysis of more complex scenarios is necessary. 

Supervisory authorities and institutions focus on preventing contagion

Even if it has not happened to date, in the future a cyberattack could take place in the Netherlands that endangers financial stability. The efforts of supervisory authorities and financial institutions are therefore not only aimed at limiting the impact of cyberattacks on individual institutions, but also at preventing contagion to the rest of the financial system. As part of this, we are working to further improve our monitoring of cyber incidents to gain a better insight into the various channels through which a cyberattack can develop into a systemic risk. It is important that this also happens on a European and international level, and we strongly advocate this. On this basis, we can take measures where needed to limit the further spread of the shock and to increase the resilience of the system.