Fed's ex-regulatory czar Tarullo warns of "nightmare scenario" from cyberattack
23 May 2019 12:34 pm by Brian Baker
Daniel Tarullo, the former US Federal Reserve governor most responsible for crafting post-financial crisis Washington policies, said a cyberattack on a bank could set off widespread panic by eradicating ownership records held by the institution.
“The nightmare scenario is: someone penetrates the information systems of large institutions and wipes out the records of who owns what,” Tarullo, the Fed’s vice chairman for supervision during the Obama administration, said at a Washington event this week. “It doesn’t matter how much capital the bank has at that point. You’ve got the equivalent of financial pandemonium when no one knows who owns what.”
He said stress tests that try to determine whether banks have enough capital to absorb economic shocks are “really not directed at big cybersecurity risks. We need to have a whole different approach.”
US capital requirements that carry out Basel III standards seek to protect against market risk, credit risk and some forms of operational risk, Tarullo said.
“The big cyber risk is not somebody penetrates a system and steals a couple of hundred million dollars,” he said. “Capital does help protect against that.”
A Fed spokesman had no immediate comment.
Fed examinations
Fed Chairman Jerome Powell has said the central bank is incorporating cybersecurity into its inspections of individual banks while trying to be mindful of the burden it might place on small community banks.
“There is always the feeling with cyber that you’re just not doing enough,” he said in February.
Kevin Stiroh, the Federal Reserve Bank of New York’s supervisory chief, last month said a key supervisory focus is the resilience of banks’ core business services in the event of a cyberattack.
“In terms of governance, we expect effective oversight from boards of directors,” he said.
Banks should try to improve their exposure, monitoring of potential threats, and ability to recover from an attack, Stiroh said. They also should ensure the resilience of outside contractors.
Fed’s cyber priority
Fed officials have said combating cyber risks is a top priority. Tarullo’s successor, Randal Quarles, said in a prepared speech last year that the Fed “is committed to strategies” that will bring measurable “enhancements to the cyber resiliency of the financial sector.”
Quarles urged firms to share threat information with an industry group focused on cyber risks.
The Fed’s financial stability report issued this month, which flags possible systemic risks, contained two sentences and a footnote on cyber issues in a 60-page document.
“While this framework provides a systematic way to assess financial stability, some potential risks do not fit neatly into it because they are novel or difficult to quantify,” the report said. “For example, cybersecurity and developments in crypto-assets are the subject of monitoring and policy efforts that may be addressed in future discussions of risks.”
A footnote added: “This report does not currently report a standard set of metrics for determining the cyber resiliency of systems that are deemed to be critical to maintaining U.S. financial stability. Nonetheless, the Federal Reserve is using the available information and working with the relevant domestic agencies to develop resiliency expectations and measures.”