Interconnected Banks Enable a Market-wide Cyberattack Kill Chain
Cyberattacks against financial institutions continue to grow every year. In 2015, threat actors targeted banks and financial organizations four times more than other industries. Four years later, financial firms had to defend themselves against cyberattacks 300 times more often than those in other industries. While early cyberattack attempts were mainly opportunistic "get in and get out" operations, today's threats are more sophisticated. Advanced Persistent Threats (APTs) are sustained attacks that infiltrate networks for weeks, months, or even years. These attacks require more resources, planning, and experience than most rogue hackers possess. So far, the top five largest banks in the United States have proven themselves resilient to these threats. Hackers and cybersecurity experts alike understand that the country's 4000+ small banks may not fare as well. Those small banks account for over one-third of all commercial banking assets. According to the Federal Reserve Bank of New York's report, the interconnected system between large and small banks is highly vulnerable to cyberattacks, with their damaging second and third-order spillover effects for other institutions. The report identified a set of small banks that might threaten the solvency of one of the five most active US banks. Cybercriminals can realize this cascade effect simply by coordinating an attack on six small banks, each below $10 billion in assets. A successful cyberattack on these banks could cause a "kill-chain" effect. Inter-bank wholesale funding may experience disruptions, leading to a catastrophic liquidity crisis throughout the market. There are multiple paths to this outcome, and many of them rely on the fact that it's easier to compromise multiple small banks than one large one. But catastrophic system failure isn't the only probable outcome. Risk managers and senior decision-makers must also consider the effects of cyberattacks and reputation loss on their institutions.
Reputational Damage Forces Banks to Lower Credit Standards
Small banks represent a much higher security risk than large ones. They also are more likely to face long-term reputational damage because of a cyberattack. Alarmingly, damage to a bank's reputation can also force it to lower its credit standards and take on riskier customers. An in-depth analysis of small commercial banks that suffered cyberattacks between 2005 and 2017 found that customers reallocate their deposits away from victimized banks following a cyberattack. This "flight-to-reputation" favors large banks, where customers see as being resilient against future cyberattacks. As low-risk customers flee towards more reputable banks, victimized banks attract higher-risk customers to replace their losses. On average, deposits appear to reduce by over 20% over time, while victimized banks approve roughly the same number of mortgage and loan applications as they did before the attack. Suppose victimized banks approve of mortgage applications at the same rate as they did before suffering a cyberattack, and primarily serve riskier customers because of reputational damage. In that case, it implies they must approve riskier loans to maintain the quota. In local markets with little competition, small banks that suffer cyberattacks can sometimes counterbalance reputational damage. They can do this by offering higher remuneration for deposit products. That might help them maintain or establish relationships with creditors. However, in markets where customers have more opportunities to switch banks, rates typically decrease following a cyberattack. There is no evidence for long-term reputational spillover effects of the kind described by the Federal Reserve Bank of New York at the local market level. Cyberattacks generate dangerous spillover effects towards branches of large partner banks, but not necessarily to competitor banks in the same region. Altogether, cyberattacks undermine the trust customers place in banks and cause significant reputational damage, particularly to small banks. This damage creates a cycle of adverse business effects, reducing the victim's competitive position while also forcing it to serve riskier customers.
