What is Federal Reserve Chair Jerome Powell’s biggest worry?
At the recent Semiannual Monetary Policy Report to Congress, Senator Jon Ossoff asked Federal Reserve Chair Jerome Powell what he assessed “to be the greatest systemic threats to financial stability over the medium term either limited to the U.S. or globally.” Powell’s response merits serious attention by legislators and regulators globally.
“I’d have to say that the thing that worries me the most is really cyber risk. You know it’s a constant concern. And we spend lots of resources on it, so does the private sector. We have a playbook for bad lending and bad risk management.”
He is certainly right. Both in the U.S. and abroad, we have had numerous banks fail, or practically fail, due to significant credit or operational risks. Regulators and legislators have certainly learned a lot from the 2007-2009 financial crisis.
Chair Powell went on to say that “We have a lot of capital in the system.” This is also correct. Thanks to Basel III rules, the world’s most systemically important banks not only have more capital, but that capital is also of much higher quality and more loss-absorbing than what was required before Basel III was finalized in 2010. Additionally, globally systemically important banks now also have uniform liquidity rules that require them to have high-quality liquid resources to withstand credit and market crises.
Cyber risk, however, is very different. “…as you see, with the ransomware issues…now it’s just an ongoing race really, to keep up. And we haven’t had to face a significant cyber event from a financial stability standpoint, and I hope that we don’t. But that’s the thing that I worry the most about.” Powell had expressed similar concerns about cyber risk most recently during an interview on CBS’ 60 Minutes.
Powell is right to worry. Cyber attacks have been increasing in the last few years but especially since COVID-19 struck. According to a report published by the Financial Stability Board earlier this week, “while cyber activities such as phishing, malware and ransomware are not new, they grew with the spread of the pandemic, from fewer than 5,000 per week in February 2020 to more than 200,000 per week in late April 2021.” The financial sector is the recipient of the most cyber attacks of any sector in the economy.
Financial institutions certainly know that cyber risk is a top concern. In a study published by O.R.X. last month, information security, including cyber, was cited as “the single greatest industry concern, with the potential to impact organizations financially, operationally and reputationally.”
According to the Financial Stability Board, “continued investment in and maintenance of cyber security, such as firewalls, antivirus software, intrusion detection systems and security operations centers, are essential. At the same time, financial institutions need to recognize the human factor as a core element of the cyber security chain (for example, the handling of confidential information by employees working from home). Common methods of attack, such as phishing, target both employees and consumers.”
In April, the Basel Committee on Banking Supervision (BCBS) published Principles for Operational Resilience. One of the key principles is about information and communication technology (ICT) including cyber security. The BCBS recommends that banks should ensure resilient ICT including cyber security that is subject to protection, detection, response and recovery programs that are regularly tested, incorporate appropriate situational awareness and convey relevant timely information for risk management and decision-making processes. The aim is to support and facilitate fully the delivery of the bank’s critical operations.
Importantly, here in the U.S. the Federal Financial Institutions Examination Council (FFIEC) recently updated the FFIEC Information Technology Examination Handbook ‘Architecture, Infrastructure, and Operations (AIO).’ Many parts of this important bank examination handbook are devoted to instructing bank examiners on what to look for in banks’ cyber security risk management. Every officer in charge of supervision at each Federal Reserve Bank was notified about AIO. Professionals with IT responsibilities at banks would do themselves a great favor if they read this handbook before examiners turn up at their banks.
This article was written by Mayra Rodriguez Valladares from Forbes and was legally licensed through the Industry Dive publisher network.