Measuring and monitoring cyber threats from a financial stability perspective poses considerable challenges. The dynamic and rapidly evolving threat landscape, coupled with limited visibility into incidents, creates obstacles to accurate risk assessment and evaluation.
In Europe, the Digital Operational Resilience Act (DORA) is set to have a concrete impact in terms of incident visibility. It introduced a harmonised, comprehensive framework for digital operational resilience for EU financial institutions and also established a reporting regime for major Information and Communication Technology (ICT) incidents by EU financial institutions.
A recent article from the European Securities and Markets Authority (ESMA) delves into the systemic importance of cyber risk. It explores conceptual frameworks to examine how individual incidents can become systemic, by focusing on exposures to cyber threats, the propagation of the shock through the system, and their impact. framework.
Case study: ICBC
The ransomware attack at ICBC Financial Services On November 8, 2023, a ransomware group, believed to be a highly sophisticated cybercriminal organization, managed to infiltrate the IT systems of ICBC Financial Services (ICBC FS), a US-based financial services arm of the Industrial and Commercial Bank of China (ICBC). The subsidiary is wholly owned by ICBC and primarily engages in providing custody services to institutional clients, including global clearing, execution, and financing services.
The attack caused significant disruption to the bank’s operations and interrupted its operating systems, including those used to clear US Treasury trades and repo financing transactions. This resulted in a temporary delay in its payment to counterparties.
According to various press reports, the outage caused ICBC FS to temporarily owe BNY Mellon approximately $9 billion, an amount far exceeding its net capital. Although the full extent of the event is not entirely clear, a Fitch Ratings (2023) analysis offered explanations as to why the disruption to the Treasury market from the attack was limited overall and did not affect its functioning.
First, ICBC FS swiftly resolved outstanding payments shortly after the cyberattack, thanks to an emergency liquidity injection from its parent bank. Second, the size of ICBC FS is relatively small compared to its parent bank (0.4% of ICBC’s total assets at end of the first half of 2023), whose primary business is in its core market in China.
Additionally, the bank’s segmented network architecture – with ICBC FS’s systems operating independently from those of the parent group – also helped prevent the disruption from spreading more widely.
Despite the contained disruption in this instance, concerns remain that a similar attack on a financial institution lacking adequate shareholder support and emergency liquidity could trigger default events, with potentially significant financial stability implications.
Repo simulation
The paper also presents findings from a simulation analysis conducted on the EU repo market, examining scenarios in which a hypothetical cyber incident disrupts settlement operations at key market players. Results indicate that operational disruptions at a few critical institutions can trigger temporary yet severe liquidity shortages at both system and counterparty level, with widespread network effects.
According to the stress simulation analysis, the disruption of settlement operations at any of the 10 largest participants in the EU repo settlement network would have been associated with a substantial liquidity shortage, of about €35 billion ($40.8bn), on average at the system level. The impact is non-negligible when compared, for example, to the total funding in the repo market. The results show that, on an average day in our sample, around 6% of the total repo borrowing is potentially affected by the incident. The financial impact of the cyber shock can be particularly severe in most adverse scenarios.
