A trio of experts at the New York Federal Reserve constructed a variety of scenarios connected with how banks and payment networks would be impacted if a widespread cyberattack happened.
Thomas Eisenbach, Anna Kovner and Michael Junho Lee released their findings in a 37-page report this week, detailing how the response could vary depending on the size of the institution.
The trio explained that it modeled how a cyberattack may be amplified through the U.S. financial system, focusing on the wholesale payments network. They estimated that the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38% of the network affected on average.
“The impact varies and can be larger on particular days and in geographies with concentrated banking markets,” they said in the report.
When banks respond to uncertainty by liquidity hoarding, Eisenbach, Kovner and Lee acknowledged the potential impact in forgone payment activity is “dramatic,” reaching more than 2.5 times daily gross domestic product.
In a reverse stress test, the report authors said interruptions originating from banks with less than $10 billion in assets are sufficient to impair a significant amount of the system.
Additional risk emerges from third-party providers, according to Eisenbach, Kovner and Lee.
“Our analysis demonstrates how cyberattacks on a single large bank, a group of smaller banks or a common service provider can be transmitted through the payments system,” they wrote. “A cyberattack on any of the most active U.S. banks that impairs any of those banks’ ability to send payments would likely be amplified to affect the liquidity of many other banks in the system.
“The extent of the amplification would be even greater if banks respond strategically, which they are likely to do if there is uncertainty about the attack,” they continued. “The impact on geographies with concentrated banks may be even larger.
“We also identify other ways that the system may become impaired that highlight the importance of all banks in the network, not just the largest banks,” the authors added. “First, if a number of small or midsize banks are connected through a shared vulnerability, such as a significant service provider, this would likely result in the transmission of a shock throughout the network.
“Similarly, banks with a relatively small amount of assets but large payment flows also have the potential to impair the system,” they went on to say.