BOSTON - Thank you for having me here today as part of your conference on cybersecurity. The various topics that speakers are addressing today—from emerging technologies and blockchain to board-level engagement—are also among ones at the forefront of our thinking at Treasury. The holistic way in which you are engaging on the subject of cybersecurity is an approach that I want to continue in my remarks.
At the Treasury Department, we seek to promote the conditions that enable economic growth and stability, as well as protect the integrity of the financial system. In my role, among other things, I oversee both the Office of Financial Institutions Policy and the Office of Critical Infrastructure Protection and Compliance Policy. To some, it may appear that prudential financial regulation and cybersecurity operate on two parallel and separate tracks. In actuality, however, they are complementary and share key conceptual underpinnings. As such, I would like to devote my remarks today to a comparative exploration of cybersecurity and financial regulatory policy.
Let’s begin with an illustration by taking two key episodes in recent financial history. In September 2008, the parent holding company of Lehman Brothers filed for bankruptcy in New York. The firm’s collapse revealed that when global banks fail, the shockwaves ripple across borders. Lehman’s business and legal lines were cross-cutting and complicated. Approximately eighty Lehman subsidiaries entered insolvency in eighteen different jurisdictions.[1] Uncertainty and volatility spiked in the global financial markets as Lehman’s clients scrambled to adjust, financial contracts were terminated, and money market funds came under pressure from redemptions.
Twenty-three years earlier, another major financial institution found itself in distress, but for a very different reason. On November 21, 1985, Bank of New York (BNY), a major custodian bank both then and now, experienced a significant software problem in its systems that disrupted its ability to clear securities trades for other banks. BNY was able to receive securities, but because of this technical glitch, was unable to redeliver the securities to counterparties over Fedwire. The bank accumulated overdrafts in its reserve account over the course of the day.[3] By late in the night of November 21st, BNY had been able to process only a fraction of the securities transfers, and early the next morning the Federal Reserve Bank of New York extended it nearly $24 billion in secured credit—at that point, the largest discount window loan in history and an amount totaling 150 percent of BNY’s assets.
These two episodes, beyond being separated by two decades, differ in important ways. The solvency of BNY was never in question. Lehman’s failure, however, occurred at a time of significant market stress and volatility, and was driven by its insolvency. In one case, the shock was driven by credit and market losses; in the other, it was an operational, technological issue.[4]
But I would suggest that these two episodes also share a key similarity, which is that they highlight the inherent interconnectivity of financial markets—and the reality that parties and counterparties must take into account each other’s interdependencies, and the resilience of those connections, in order for the financial sector to maintain the trust of market participants, depositors, and taxpayers. Indeed, both episodes highlight the real risk of transmitting one institution’s distress throughout the financial system. The BNY episode is perhaps not as memorable as Lehman’s failure, and the contagion risk in that case seems less evident, but at the time policymakers were very much concerned about knock-on effects. As a Federal Reserve Board official testified before Congress about a temporary stoppage of BNY’s securities transfers:
Even in this short period of time, the result was a backup in the willingness and ability of…market participants to transfer securities among themselves…. Perhaps most importantly, there was also some evidence that investors were beginning to seek to break trades and financing transactions with dealers who were serviced by the Bank of New York.[5]
Fortunately, normal operations soon resumed and the distress subsided. But the potential for significant and negative spillover effects was all too real. These two examples are vivid reminders that a secure, resilient, and sound financial system is a shared public and private interest—and achieving that interest is the common objective of both financial regulatory policy and cybersecurity policy.
Both of these policy areas share conceptual underpinnings. Both types of policy seek to reduce the probability of a particular event occurring—default in the case of prudential regulation, a harmful intrusion in the case of cybersecurity policy. Furthermore, both seek to minimize the cost to society if such an event occurs—the overriding goal is that taxpayers should not bear the burden of a financial institution’s default, and that key market functions should not be affected by a disruption at any single institution.
With this goal in mind, I will outline what we are doing to improve the ex ante safety and soundness of our financial system, as well as minimize the ex post costs to society should a financial institution fail or a significant cybersecurity incident occur. Then, I will discuss the practical side of this comparative perspective on financial institutions and cybersecurity policy.
Improving Resilience Through Wall Street Reform
As we are all aware, over the course of 2007 and 2008, concerns about the solvency and liquidity of large, complex financial institutions eventually crystallized—and a deep recession ensued. At the worst depths, our economy was contracting at the fastest rate in 50 years, companies were cutting more than 800,000 jobs per month, and unemployment topped 10 percent. Millions of Americans lost their jobs and their homes during the crisis, which was driven by a financial system that was undercapitalized, over-leveraged, and taking on too much risk.
In response, the Administration and Congress put in place the most comprehensive financial regulatory reform since the Great Depression, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Dodd-Frank is built around three pillars: financial stability, transparency in financial markets, and consumer protection. For the purpose of my remarks today, I want to focus on the first pillar—financial stability.
As part of its focus on financial stability, Dodd-Frank seeks to address the danger to the economy posed by large, complex financial institutions maintaining insufficient capital and liquidity. The purpose of regulatory capital and liquidity is to reduce the probability of an institution’s failure. Sound capital requirements help force financial institutions to internalize the costs to the system of excessive risk-taking.
Today, large bank holding companies with $50 billion or more in assets are subject to “enhanced prudential standards.” These heightened requirements include stronger capital and liquidity rules, as well as stress tests, which are designed to ensure that our largest financial institutions can absorb adverse shocks and continue lending to support the economy. Indeed, over the last six years, banks have added nearly $700 billion of capital, which is $700 billion more that will be available to absorb unexpected losses.
Financial regulatory reform since the crisis also addresses the challenge exemplified by the failure of Lehman Brothers that I discussed at the outset—how to protect taxpayers and minimize the cost to society in the event a major financial institution fails. Title II of Dodd-Frank sets forth the Orderly Liquidation Authority, known as OLA. OLA is meant to be used to resolve a failing financial company—whether it’s a bank holding company or a non-depository financial institution—in cases where the traditional resolution of a financial company under the Bankruptcy Code would have serious adverse effects on financial stability in the United States. Importantly, OLA allows for the orderly resolution of a firm with U.S. taxpayers bearing none of the costs. Instead, shareholders lose their investment, creditors absorb necessary losses, and management is replaced.
OLA puts in place a clear legal framework to achieve the objective of protecting taxpayers and minimizing societal costs. The strategy that draws upon that legal framework is known as Single Point of Entry resolution. Under the Single Point of Entry resolution strategy, U.S. authorities effectively pre-position the capacity to absorb losses before the failure occurs, and during resolution, establish a financing mechanism to ensure a smooth unwind process as subsidiaries remain open and operating under the auspices of a bridge financial company. Importantly, this approach “buys time” as the orderly resolution of the failed firm proceeds. To facilitate this resolution strategy, we have strongly supported the total loss absorbing capacity (TLAC) standard, which has recently been proposed for U.S. implementation. TLAC helps ensure that shareholders and creditors absorb losses during resolution, instead of burdening taxpayers.
Carrying out an effective and orderly resolution—whether under the Bankruptcy Code or through OLA—requires considerable planning. Title I of Dodd-Frank requires bank holding companies with assets of $50 billion or more, as well as certain nonbank financial companies, to submit resolution plans, known as “living wills.” The living wills must describe the firm’s plans for rapid and orderly resolution in the event of material financial distress or failure.
The collective purpose of OLA, Single Point of Entry, and living wills in the U.S. resolution framework is to shield taxpayers from bearing the losses of an institution’s failure, impose losses on creditors in a predictable fashion, facilitate cross-border cooperation, continue the operation of key critical functions, and maintain financial stability. These outcomes all serve to help contain the negative spillovers generated by the failure of a large, complex financial institution.
Approach to Cybersecurity
Our approach to improving the cyber resilience of the financial sector is analogous to the approach to prudential regulation and resolution planning that was just outlined. In the cyber context, our aim is to reduce the probability of a destructive cyber event occurring, but should that event occur, our mission is to minimize the costs of that event, particularly if the incident is of such magnitude that critical functions, such as payments, clearing, settlement, custody, or deposit taking, are disrupted for an extended period of time, which may have implications for financial stability.
At Treasury, our approach to reducing the probability of cybersecurity incidents is organized in four primary areas: promoting best practices, facilitating information sharing, enhancing response and recovery procedures, and deterrence. We believe that financial institutions and market infrastructures should adopt robust baseline protections based on best practices and leading standards. Firms’ policies, procedures, and controls to prevent penetration of their networks and systems, and to prevent damage assuming that there has been access, should map clearly to the cyber risks presented by firms’ business lines and operations. These protections and practices can range from network integrity and protection against data leaks, to network access control and robust penetration testing. In this regard, we encourage the use of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. It is a framework that helps establish a common lexicon to facilitate communication both internally across IT and business teams, as well as externally with financial supervisors and third-party vendors.
Another key component of reducing the probability of cybersecurity incidents is information sharing. Sharing descriptive information about cybersecurity threats allows firms to better protect themselves against malicious cyber activity—no matter the size of the firm. While being mindful of consumers’ privacy and civil liberties, greater levels of information sharing between companies and with public authorities leverages network effects and increases our collective security. That is why we supported the recent passage of the Cybersecurity Act of 2015, which promotes the timely sharing and receipt of cyber threat indicators among private sector entities, and between the private sector and the federal government. Treasury’s Financial Sector Cyber Intelligence Group (CIG) helps to identify information government possesses about cyber threats and shares this information in a timely and actionable fashion with companies in the financial sector. The Financial Services Information Sharing and Analysis Center (FS-ISAC) also plays an important role in this area; it has nearly 7,000 members including all manner of financial companies and their key service providers.
Viewed from a comparative perspective, robust cyber defenses at individual institutions play a similar role in lowering the likelihood of adverse events that sufficient, high-quality capital buffers play in absorbing the impact of economic shocks, recognizing that there is already an operational risk capital charge embedded in U.S. regulations and Basel capital standards. But despite a strong set of baseline protections and robust information sharing programs, cybersecurity incidents will continue to occur. Therefore, a comprehensive cybersecurity program should also include effective response and recovery arrangements—the purpose of which is to contain and mitigate incidents, so as to prevent the spread of the threat across the industry.
We have encouraged firms in the financial sector to consider framing their response and recovery arrangements through a playbook. The playbook should detail the roles and responsibilities of the board, management, incident response teams, key business teams, and other internal parties—as well as how they should coordinate with external parties, including regulators, law enforcement, business partners, vendors, clients, and customers.
Response and recovery efforts at individual firms complement our national and sector-wide efforts. As part of the Cybersecurity National Action Plan announced by President Obama this past February, the Administration will publicly release a policy for national cyber incident coordination and an accompanying severity methodology for evaluating cyberattacks, so that government agencies and the private sector can communicate and respond consistently and effectively to major cyber incidents.[6]
At Treasury, we are helping to develop response and recovery arrangements specific to the financial sector in coordination with the private sector as well as our other government partners. And in recent years, Treasury has carried out several large-scale, public/private cybersecurity exercises to test response processes. These exercises have involved a wide range of public and private participants, and have generally focused on destructive malware attacks targeted at larger institutions. We are planning shortly to introduce an “exercise in a box” program aimed at smaller and medium-sized institutions, so that smaller firms can also benefit from the rich lessons learned from a rigorous cyber exercise regime.
Finally, we seek to deter malicious cyber actors, an effort I’ll just touch on briefly. Pursuant to an Executive Order issued by President Obama last year, the Secretary of the Treasury, in consultation with the Secretary of State and the Attorney General, is authorized to impose targeted financial sanctions on individuals or entities whose malicious cyber conduct has contributed to a significant threat to the national security, foreign policy, or economic health and financial stability of the United States. Treasury’s sanctions authority is only one part of the Administration’s comprehensive strategy to confront malicious cyber actors—especially those who target our critical infrastructure—and Treasury’s efforts support and are supported by diplomatic engagement, trade policy tools, and law enforcement mechanisms.
A Comparative Perspective in Practice
Up to this point, I have discussed the shared conceptual underpinnings of financial regulation and cybersecurity frameworks (exemplified by the four-pillared Treasury approach)—both seek, in important ways, to lower the probability of adverse events occurring and, if those events occur, to minimize their costs to society at large. Moving beyond that conceptual comparison, I would like to highlight a few practical elements these two areas also share.
There is an important planning component in both areas. The living wills that certain financial institutions are required to prepare describe a detailed resolution strategy that allows for an orderly restructuring and wind-down, while also providing for the continuity of key operational and financial interconnections. This means that firms must carefully map their corporate structure and, among other things, identify core business lines and material legal entities, describe their derivative and hedging activities, and list their memberships in material payment, clearing, and settlement systems. This is not unlike the mapping and inventorying that firms carry out as part of their cybersecurity risk management. A comprehensive resolution strategy encompasses key provisions regarding stabilization, coordination and communication with stakeholders, and continuity of critical functions, all of which are also part of a robust cybersecurity response plan.
Resolution and cybersecurity policy also face similar coordination-related challenges due to the cross-border interconnectedness of large financial institutions and market infrastructures. In light of this interconnectedness and its implications across policy areas, Treasury and other U.S. authorities have carried out exercises with our UK counterparts on how to handle the resolution of global systemically important banks, as well as how to coordinate our response and recovery activities in the event of a cybersecurity incident affecting both countries’ financial sectors.
But of course, there are important differences between resolution and cybersecurity—and these differences may raise questions for further consideration. For instance, take the example of a severe cybersecurity incident that disrupts operations at a major financial institution, but where neither authorities nor market participants question the solvency of the institution when the incident occurs. Instead, the technological shock directly affects the institution’s liquidity. In the case of resolution, liquidity concerns are often also prominent, but they usually correspond to significant doubts about the solvency of the institution. The implications of this distinction suggest that an operational disruption should be handled differently from a supervisory standpoint than a credit shock. But what if an operational disruption lasts more than a day or two—say, a week or more? What if the institution’s interconnections with payment systems, central counterparties, or foreign exchange settlement institutions are disrupted? There may well be a tipping point in the behavior of market participants that may not be entirely evident during the first day of a disruption in critical functions. Significant delays in payment, settlement, delivery of margin, and other common but critical financial activities could lead to early termination of financial contracts and a build-up of credit risk in the sector—even if the solvency of the individual institution was not originally in question.
I don’t mean to imply that the incident I just outlined is a probable scenario. There are contingency plans at financial institutions and market infrastructures to handle significant incidents affecting critical functions. Nevertheless, we should further deepen our understanding—at a granular level—of the potential system-wide impact and transmission channels entailed in a truly severe operational incident. Just as we have added to the toolkit for the resolution of financial institutions in response to financial shocks, we can consider what could augment an analogous toolkit for especially severe operational scenarios. We should ask ourselves whether there is a point at which the regulatory response, namely the provision of liquidity tools and the employment of a resolution process, converges for operational and financial shocks. And we should also consider whether there is moral hazard that exists in the context of an operational incident and whether that moral hazard has been fully addressed by safeguards that have been put in place to address potential financial incidents.
To that end, I have a few final thoughts on what ex ante measures could be helpful in mitigating a cyber or operational incident that potentially affects financial stability, measures that could serve a similar role as TLAC and the International Swaps and Derivatives Association Stay Protocol do in a resolution context by “increasing the runway” to buy time. The institution should stand ready to activate back-up plans and use workarounds—for example, if necessary, critical payments and deliveries should be made through manual procedures, with considerable capacity positioned in advance. To obviate the need for liquidity assistance from public authorities, existing pools of liquidity that the institution may have throughout the market infrastructure should be identified so that they can potentially be mobilized to fulfill obligations. Finally, plans should be in place to reassure customers, counterparties, and public authorities not only through accurate, high-quality information on key financial metrics, but also through clear communication about the nature of the incident and the steps being taken to mitigate it.
Conclusion
A comparative perspective can involve discussion of a range of issues that may, at first glance, appear only loosely related. But such a perspective can also bring out key commonalities and differences to help guide creative policymaking. I hope I have made some contribution to that end today by highlighting how areas of financial regulatory reform can inform the development of cybersecurity policy in the financial sector. This is a challenge that brings public and private cooperation to the forefront, and I believe that our common undertaking will serve to enhance the resilience of our financial sector and maintain the trust and confidence we all place in it.
[1] Financial Crisis Inquiry Commission, The Financial Crisis Inquiry Report (Washington: GPO, 2011): 340.
[5] Board of Governors of the Federal Reserve System, “Statement of E. Gerald Corrigan, President, Federal Reserve Bank of New York, before the Subcommittee on Domestic Monetary Policy of the Committee on Banking, Finance and Urban Affairs, U.S. House of Representatives, December 12, 1985,” Federal Reserve Bulletin 72, no. 2 (February 1986): 122.