Fed's ex-regulatory czar Tarullo warns of "nightmare scenario" from cyberattack

Daniel Tarullo, the former US Federal Reserve governor most responsible for crafting post-financial crisis Washington policies, said a cyberattack on a bank could set off widespread panic by eradicating ownership records held by the institution.

“The nightmare scenario is: someone penetrates the information systems of large institutions and wipes out the records of who owns what,” Tarullo, the Fed’s vice chairman for supervision during the Obama administration, said at a Washington event this week. “It doesn’t matter how much capital the bank has at that point. You’ve got the equivalent of financial pandemonium when no one knows who owns what.”

He said stress tests that try to determine whether banks have enough capital to absorb economic shocks are “really not directed at big cybersecurity risks. We need to have a whole different approach.”

US capital requirements that carry out  Basel III standards seek to protect against market risk, credit risk and some forms of operational risk, Tarullo said.

“The big cyber risk is not somebody penetrates a system and steals a couple of hundred million dollars,” he said. “Capital does help protect against that.”

A Fed spokesman had no immediate comment.

Fed examinations

Fed Chairman Jerome Powell has said the central bank is incorporating cybersecurity into its inspections of individual banks while trying to be mindful of the burden it might place on small community banks.

“There is always the feeling with cyber that you’re just not doing enough,” he said in February.

Kevin Stiroh, the Federal Reserve Bank of New York’s supervisory chief, last month said a key supervisory focus is the resilience of banks’ core business services in the event of a cyberattack.

“In terms of governance, we expect effective oversight from boards of directors,” he said.

Banks should try to improve their exposure, monitoring of potential threats, and ability to recover from an attack, Stiroh said. They also should ensure the resilience of outside contractors.

Fed’s cyber priority

Fed officials have said combating cyber risks is a top priority. Tarullo’s successor, Randal Quarles, said in a prepared speech last year that the Fed “is committed to strategies" that will bring measurable "enhancements to the cyber resiliency of the financial sector.”

Quarles urged firms to share threat information with an industry group focused on cyber risks.

The Fed’s financial stability report issued this month, which flags possible systemic risks, contained two sentences and a footnote on cyber issues in a 60-page document.

“While this framework provides a systematic way to assess financial stability, some potential risks do not fit neatly into it because they are novel or difficult to quantify,” the report said. “For example, cybersecurity and developments in crypto-assets are the subject of monitoring and policy efforts that may be addressed in future discussions of risks.”

A footnote added: “This report does not currently report a standard set of metrics for determining the cyber resiliency of systems that are deemed to be critical to maintaining U.S. financial stability. Nonetheless, the Federal Reserve is using the available information and working with the relevant domestic agencies to develop resiliency expectations and measures”.