Deputy Governor of the Bank of Finland
2nd Annual Nordic Cyber in Finance Conference
Helsinki, 29 November 2018
Introductory remarks at the 2nd Annual Nordic Cyber in Finance Conference hosted by the Bank of Finland, Helsinki, 29 November 2018
Ladies and Gentlemen,
You are all warmly welcome to this conference, entitled "Nordic Cyber in Finance" and hosted by the Bank of Finland.
As we know, in the world of digital technology, everything happens at lightning speed – what was breaking news yesterday may already feel old and familiar tomorrow. Therefore, I will only be half-joking when I say that we, the Nordic central banks, have a long tradition of co-hosting a Cyber Conference every year, as this is already the second event of its kind. The first one was organised in wonderful Copenhagen, one year ago, by our dear Danish colleagues from Danmarks Nationalbank.
The event was so well organised that it will be difficult to improve on it, but one thing we have added is an event hashtag – #cyberinfinance. After all, the Bank of Finland already has 90 experts active on Twitter. One of them, by the way, is a robot who tweets real-time economic forecasts. Let's see if @SPNowCast has tweeted anything this morning.
Today we will continue the discussion started in Copenhagen, and focus on a handful of timely themes within the domain of cyber security. Among these, we will hear very substantive presentations on hybrid threats, as well as data breaches, which have been a topic much talked about throughout the year.
Slide 3: Parallels between the financial crisis and cyber risks
In my opening remarks, I wish to raise awareness of one additional important topic. That is the link between cyber risks and financial stability.
To simplify the issue, whereas we are already striving to make sure that a single banker cannot bring down the entire financial system, in the future we also have to make sure that a single hacker cannot bring it down either.
Let me now elaborate on this notion.
This year marks the tenth anniversary of the global financial crisis. The roots of the crisis were in the US mortgage market, but there were complex interdependencies, and global imbalances, which contributed to the problem. I will not delve deeper into the sequence of events, as they have been covered in many good books and articles. Instead, I wish to look at some of the key lessons from the crisis, and to draw parallels between them and the cyber risks we are facing today.
- The Great Cyber-Moderation?
The years preceding the global financial crisis were commonly described as "The Great Moderation" by economists. The concept refers to the long period of low volatility in financial markets and relative calm in the wider economy. Business cycles were subdued and banks were profitable – year in, year out. To many, it seemed as if financial institutions had permanently mastered risks, and the world had found a way to grow steadily without recessions.
As we now know, that long period of relative calm was suddenly disrupted by the collapse of Lehman Brothers and the credit crunch and the recession that followed in the real economy. The Great Moderation had only been a mirage.
We have witnessed many serious cyber incidents in the last few years, some with international significance. But none so far have directly disrupted critical market infrastructures, such as payment systems. Is this because we have comprehensively mastered the risks, or have we merely been lucky, so far?
What we can learn from the financial crisis is that just because we have avoided a systemic cyber event so far does not mean that the risk of one occurring has decreased. We should not let ourselves be lulled into a false sense of confidence.
When the financial crisis unfolded, it became clear that financial institutions were much more interconnected and dependent on each other than either market participants or regulators had previously understood. Financial risks became systemic, because banks had correlated exposures, and because a complex web of contractual obligations created contagion channels for the crisis to spread.
The growth of digital technology in the financial sector has created another kind of complex web between financial institutions, namely one of computers and information systems. This will be further accentuated by the emergence of Open Banking. We should therefore apply the concepts of correlated exposures and contagion channels also from a cyber security point of view, and make sure cyber events have a limited impact, if and when they occur.
- Bank resilience
Resilience is a word that is used by both the financial community and the cybersecurity community. The financial crisis taught banks, and banking regulators, that it is essential to maintain sufficient capital buffers to create resilience against unforeseen financial shocks. The most important regulatory steps taken in Europe to make the banking sector financially more resilient are the creation of the banking union and the development of a new macroprudential framework.
Cyber security experts, on the other hand, talk about cyber resilience, when they refer to an organisation's ability to withstand, contain, and recover from cyber attacks. The Financial Stability Board has recently published a Cyber Lexicon where this concept has been carefully explained.
Going forward, both types of resilience are important for financial institutions. But cyber resilience cannot be built by adding capital buffers. Each type of resilience requires its own policy tools.
- Preparedness and contingencies
Capital buffers can protect a bank from financial shocks by improving its long-term solvency, but it is also important for the bank to hold sufficient liquidity to be able to meet its short-term financial obligations. The importance of, and distinction between, liquidity and solvency became a central topic during the global financial crisis.
The analogy to financial liquidity in the cyber security context is contingency arrangements. Contingency planning and backup systems enable financial institutions to continue operating while a cyber event is occurring and until a problem has been fixed.
Independent control over critical infrastructures, such as payment and settlement systems, has to be maintained, to prevent a potential cyber event from causing a disruption in the wider economy. In Finland, a viable national back-up system for payments is needed and is currently a work in progress – one that can be deployed in emergency situations without the need for international assistance.
As you can see, there are many parallels between financial stability and cyber security. I have already highlighted four of them: false confidence, interconnectedness, resilience, and contingency planning. Before I conclude, let me add two more.
- Understanding the risks of new innovations
Before the global financial crisis, there was talk about innovation in the financial sector. But instead of FinTech, it referred to financial innovation. What was meant by that term at the time were new financial products, often securitised investment offerings, such as Mortgage Backed Securities or Credit Default Swaps. While these then new innovative products helped create more efficient markets, they also brought with them plenty of new risks.
There was not enough time and not enough experience to understand the true risk profiles of some of these products. As a result, risks were more than often mispriced and under-regulated.
Again, we can see a parallel in cyber security. Today, the emergence of FinTech is bringing to the market new offerings for both households and businesses. There is now a wide selection of payment apps, investment tools, and other types of digital financial services available. Many of these are based on technologies, such as artificial intelligence and open interfaces, of which we do not have much experience yet.
It is important that we analyse carefully how these products work, so that we have a good understanding of the risks involved. This also requires regulators to move out of their traditional comfort zone, and become more knowledgeable about technology.
- Divergent risk preferences
Finally, I would like to remind ourselves of the concept of moral hazard, which became important during the global financial crisis.
A central dilemma in the financial sector has always been the trade-off between risk and reward. Financial businesses, such as banking, trading, or insurance, are essentially about calculated risk-taking. However, in many cases the risk appetite of individual financial institutions is too high from the point of view of the rest of society. There is thus a negative externality with regard to risk-taking, which can lead to what economists call moral hazard.
Does this old dilemma of divergent risk preferences repeat itself in the case of cyber risks? At least in theory, that may be the case.
Let me be clear, there is currently no reason to think that our banks and other financial institutions were not, and indeed are not, well protected against cyber risks. But the financial crisis showed us that systemic risks are risks which an individual institution is not taking into account unless motivated to do so by regulators. As an example, an individual bank does not necessarily know whether it is a single-point-of-failure in the wider financial system. In such a case, it is the regulator who needs to see the bigger picture; it is the regulator who needs to identify concentrations of risks, and then use policy measures to introduce precautions. The types of precautions are different in the case of financial risks and cyber risks, but the basic principle is the same.
Ladies and Gentlemen, Dear Friends,
We have had many financial crises in history, but none of them have been caused by a cyber event, at least not so far. But the concept of systemic risk has become broader, and cyber security is becoming an integral part of the financial stability framework.
Based on the experience from the global financial crisis, combined with an increasingly complex industry landscape driven by digitalisation, regulation in the financial sector is more necessary than ever. But it doesn’t have to mean over-regulation. One has to find the right balance between creating a safe and sound business environment, while also allowing innovation to take place.
It also means finding the appropriate tools and responses to the risks at hand. Since the threats to financial stability are becoming increasingly technological, and also more global, this calls for more cooperation between authorities, both within a country and between countries. A global response is needed, by putting to best use the international institutions that have been established in recent years for maintaining financial stability.
I hope these thoughts will motivate a lively and productive discussion in all the sessions today. Let me wish you all a pleasant stay in Helsinki.