Regulators urged to promote cyber security investment

Public interest in stopping cyber attacks that could trigger bank runs, says Bundesbank researcher

Policies designed to generate increased spending on cyber security could help to reduce the risk of bank runs that might follow a major cyber attack, according to a German regulatory official.

“Despite the growing interest in the topic, we don’t have a framework to think through how cyber attacks might impact banks, and what they might do in terms of investing in cyber security,” said Kartik Anand, an economist at the Deutsche Bundesbank’s research centre.

He was presenting a paper he had co-written at the 2024 European Central Bank annual banking supervision research conference in Frankfurt on June 12. The paper argues that banks need to find the right balance between the cost of protection and the added resilience from being better able to withstand attacks. If a severe attack resulted in a loss of confidence and a bank run, then regulatory policies that increased spending on cyber security would result in better outcomes for the public good, even if they reduced bank profitability in the short term.

Cyber security has been dominating the agenda for operational risk, especially after the crime spree by hacking group LockBit, which claimed 71 attacks in 2023 alone.

Creating regulations and policies for cyber security can prove difficult because of the ever-evolving nature of cyber risk. Some supervisors, such as the ECB, have homed in on resilience stress tests for banks as a way to manage the consequences of cyber attacks when they happen, rather than necessarily trying to reduce the risk of a successful attack.

“Operational resilience standards will help us to make sure that we have adequate security investment, although they are hard to calibrate,” said Ryan Riordan, a professor at LM University of Munich, responding to Anand’s paper.

Anand developed a new model – together with co-authors Chanelle Duley and Prasanna Gai, both from the University of Auckland – to understand the potential impact of cyber attacks on banks, and what policies would be best to mitigate this.

“The key trade-off is that investing more in cyber security improves protection … and the chances of finding and patching up the vulnerability before the attacker [exploits it],” said Anand. “At the same time, it will reduce investments in profitable assets – this is going to apply irrespective of who wins this tournament.”

The model offers a fairly straightforward mechanism to try to identify the optimum balance. The bank and attacker both invest money into their cyber security and their attack respectively. The model then sets out how badly the bank’s performance is impaired as a result of the cyber attack and sets a threshold for whether the losses result in illiquidity or insolvency. From this, a bank can decide how to distribute its investments in order to balance profitability, resilience and protection.

Protection is defined as putting money into cyber security measures. These can include establishing ‘red teams’ to probe the bank’s defences and find any holes in their armour, or ‘bug bounties’, where staff are rewarded for identifying errors and vulnerabilities in the IT architecture. Resilience is understood as the ability to withstand losses that result from a cyber attack and restore operations quickly.

Liquidity risk

The model predicts that the probability of a bank becoming insolvent because of a cyber attack is too low to justify additional investment in defences. If the bank faces a sophisticated attacker and finds itself to be at a disadvantage, then spending on resilience instead would result in larger social benefits. However, the risk of a bank failure due to illiquidity – if depositors or wholesale funding providers were panicked into a run by the cyber attack – is higher, tipping the balance toward investing in more protection.

“When bank failure is illiquidity-driven, we find that there’s going to be underinvestment in cyber security,” said Anand. “When failure is illiquidity-driven, the conditional likelihood of failing is very high, and therefore the social benefits of greater protection are also larger.”

As such, the paper finds that three out of four cases of bank failures would benefit from investment in cyber security defences, rather than relying on stress tests to ensure resilience.

“There are things like subsidising cyber security investment or using red teaming that would be the socially optimal policy,” said Anand.

One audience member at the conference suggested Anand might have underestimated the benefits of investment in cyber security, as the paper assumes it is purely a sunk cost that cannot be redeployed in any other capacity. In reality, the same investment could also contribute to post-attack resilience and recovery.

LM University of Munich’s Riordan pointed out that, given the limited research available so far on the subject, any additional information is helpful for risk managers and policy-makers to assess potential policies to mitigate cyber risk.

“Thinking these things through … is important,” he said. “Policy on cyber regulation is relatively new – how we regulate in general [and] when we regulate, there are also unintended consequences.”
