Staff Reports
Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis
Number 909
January 2020 Revised June 2020

JEL classification: G12, G21, G28

Authors: Thomas M. Eisenbach, Anna Kovner, and Michael Junho Lee

We model how a cyber attack may be amplified through the U.S. financial system, focusing on the wholesale payments network. We estimate that the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average. The impact varies and can be larger on particular days and in geographies with concentrated banking markets. When banks respond to uncertainty by liquidity hoarding, the potential impact in forgone payment activity is dramatic, reaching more than 2.5 times daily GDP. In a reverse stress test, interruptions originating from banks with less than $10 billion in assets are sufficient to impair a significant amount of the system. Additional risk emerges from third-party providers, which connect otherwise unrelated banks.

Available only in PDF
AUTHOR DISCLOSURE STATEMENT(S)
Thomas Eisenbach
1. I have not received outside financial support for the research in this paper.
2. I have not received financial or in-kind support from any interested party.
3. I do not hold any paid or unpaid positions as officer, director, or board member of relevant non-profit organizations or profit-making entities.
4. The disclosures above also apply to any close relative or partner of mine.
5. The paper was reviewed prior to being circulated as a New York Fed Staff Report, as required by the New York Fed’s review policy (available at https://www.newyorkfed.org/research/staff_reports):
The New York Fed reserves the right to require pre-publication changes to papers appearing in its working paper series Staff Reports. Such changes are strictly limited to ensuring that Staff Reports do not offer concrete predictions about impending monetary policy or regulatory actions, or otherwise violate applicable rules on the use of confidential information or standards of professional conduct. In addition, Staff Reports must not violate contractual obligations to data vendors.

While management in the Research Group may suggest substantive changes to Staff Reports on the basis of criteria other than those specified in the above paragraph, whether and how to respond to such suggestions are at authors’ sole discretion. Authors of Staff Reports are solely responsible for ensuring that all claims made in their work are well supported by evidence and that limitations of the analysis are clearly described.

Anna Kovner
I have no relevant or material financial interests that relate to the research described in this paper. Prior to circulation, this paper was reviewed in accordance with the Federal Reserve Bank of New York review policy, available at https://www.newyorkfed.org/research/staff_reports/index.html.

Michael Junho Lee
I declare that I have no relevant or material financial interests that relate to the research described in this paper. Prior to circulation, this paper was reviewed in accordance with the Federal Reserve Bank of New York review policy, available at https://www.newyorkfed.org/research/staff_reports/index.html.