preliminary draft darrell duffie1 and joshua younger2 · 2019-03-06 · cyber runs preliminary...

CyberRunsPRELIMINARYDRAFTDarrellDuffie1andJoshuaYounger2AllviewsexpressedinthispaperarethoseoftheauthorsanddonotrepresenttheviewsoftheResearchDepartmentofJ.P.MorganSecuritiesLLC(“JPMS”)ortheviewsofJPMorganChaseoranyofitsaffiliates.WearegratefulforresearchassistancebyDanLuo.February13,2019Couldacyberattackonalargebank’swholesaledepositorsmorphintoaseriousandcontagiousbankrun?Ourpurposeistobrieflyanalyzethefinancial-stabilityimplicationsofsucha“cyberrun.”Weconsiderscenariosinwhichasignificantcyberattackonabank’sdeposits,whetherbytheft,datacorruption,ordenialofaccess,mayleadwholesaledepositorsinthesameandotherlargebankstowithdrawtheirfundsrapidlyenoughtothreatentheliquidityoftheseinstitutionsortheeffectivenessofthepaymentsystem.Afterabriefreviewofpotentialtriggeringcyberevents,weoutlinerundynamicsandmagnitudes.OuranalysisofasampleoftwelvesystemicallyimportantU.S.financialinstitutionssuggeststhatthesefirmshavesufficientstocksofhighqualityliquidassetstocoverwholesalefundingrunoffsinarelativelyextremecyberrun.Beyondtheirownstocksofliquidassets,theseinstitutionshaveaccesstosubstantialadditionalemergencyliquidityfromFederalReservebanks.Theresiliencyofthelargestbankstocyberrunsdoesnot,however,ensurethatthepaymentsystemwouldcontinuetoprocesspaymentssufficientlyrapidlytoavoiddamagetotherealeconomy.Duringaseverecyberevent,especiallyonewhosereachintothebankingsystemisuncertain,non-banksmaybereluctanttosendfundsthroughcustomarybankpaymentnodes.Asapotentialsafeguard,weraisetheideaofan“emergencypaymentnode,”anarrowpayment-bankutilitythatcouldbeactivatedduringoperationalemergenciestoprocesspaymentsbetweenakeysetofnon-bankfinancialfirms.Weendwithanoverviewofotherformsofpreparedness,includingcyber-runstresstests.1GraduateSchoolofBusiness,StanfordUniversity,andNationalBureauofEconomicResearch.DuffieisalsoamemberoftheboardofdirectorsofTNB,Inc.2J.P.MorganChase&Co.

Whatisacyberrun?Cyberriskstofinancialstabilityhavereceivedsignificantattentionfrompolicymakers.3Theserisksareworsenedbytheincreasingdiversityofperpetrators—includingstateandnon-stateactors,cyberterrorists,and“hacktivists”—whoarenotnecessarilymotivatedbyfinancialgain.Infact,forsomethepotentialofexploitingacybereventtoinjectsystemicriskintoourhighlyinterconnectedglobalfinancialsystemmayactuallybeanenticement(Ablon,2018).Beyondgeneralconcernsaboutcyberrisksthatarecommontomanyfirms,discussionpapersandofficial-sectorpolicydocumentshavenotedthethreatofcyberattacksonfinancialmarketinfrastructure4andbankdeposits.Somereportsmentiontheimplicationsforconfidenceinfinancialinstitutionsandthepotentialforruns.5Wearenotaware,however,ofpriorworkonthenatureofacyberrun,includingitspropagationdynamics,potentialscale,andancillaryeffectsonthepaymentsystem.Cyberattacksonbankdepositshaveincludedtheft6anddenialsofservice.7Athirdrelevantformofattackisthecorruptionortheftofdepositaccountdata.Allthree3Forsummaries,seeHealey,Mosser,Rosen,andTache(2018),Howell(2018),andKashyapandWetherilt(2018).Forofficial-sectorpolicysummaries,seeBankforInternationalSettlements,FinancialStabilityInstitute(2017),BoardofGovernorsoftheFederalReserveSystem,OfficeoftheComptrolleroftheCurrency,andFederalDepositInsuranceCorporation(2016),CommitteeonPaymentsandMarketInfrastructuresandBoardoftheInternationalOrganizationofSecuritiesCommissions(2016),FederalFinancialInstitutionsExaminationCouncil(2015),OfficeofFinancialResearch(2017),andRosengren(2015).4SeeCPMI-IOSCO(2016),OfficeofFinancialResearch(2017),andBouveret(2018).Rosengren(2015)writesthat“Amoreseriouscasewouldbeanattackonpaymentsystemsaimedatdisruptingtransactions,forexamplebyaroguestateorentity.Preventionisdifficultbecausetheattackerdoesnotneedto`enter’thesystemtobedisruptive,andthereisnoneedtoexitwithconfidentialdata–alltheattackerneedstodoisfloodthepublic-facing`frontdoor’ofapaymentsprocessorwithenoughtraffictomakethesystemunavailable.”5Healey,Mosser,Rosen,andTache(2018)statethat,“Whateverthetrigger,asufficientlyextremelossofconfidencecouldcausea‘runonthebanks.’”Boveretdescribeshow“Cyber-attackscanalsobeusedtounderminecustomers’confidenceinaninstitution.Forexample,onJune27,2014,Bulgaria’slargestdomesticbankFIBexperiencedadepositorrun,amidheighteneduncertaintyduetotheresolutionofanotherbank—followingphishingemailsindicatingthatFIBwasexperiencingaliquidityshortage.”6Tocite:BangladeshcentralbankdepositsattheFederalReserveBankofNewYork,andotherexamples.7TheU.S.DepartmentofJustice(2016)describedattacksbyIranonlargeU.S.banks.“Thedefendantsand/ortheirunindictedco-conspiratorsthensentorderstotheirbotnetstodirectsignificantamountsofmalicioustrafficatcomputerserversusedtooperatethewebsitesforvictimfinancialinstitutions,whichoverwhelmedvictimserversanddisabled

createasignificantriskthatsome(ifnotall)depositorsaffectedinstitutionsarelockedoutoftheiraccountsuntiltheincidentisresolved.Sophisticatedfinancialfirmsplacesignificantvaluenotjustonthesafetyoftheirdeposits,butalsothecontinualaccesstothesedeposits,alargeproportionofwhichareneededonshortnoticetomeethighvolumesofpaymentobligationsassociatedwitheverydayactivities.Ourfocalconcernisthat,inthefaceofanyoftheseformsofattackonabank,largeinstitutionaldepositorsthathavenotyetbeenaffectedbytheattackwouldrapidlyandenmassetaketheprecautionofredeemingtheirdeposits.Alargebankcouldsufferaliquiditycrisisifasufficientfractionofitswholesaledepositfundingweretosuddenlydisappear.Theensuingliquiditycrisiscouldbecontagious.CrediblereportsofaseriouscyberattackonBankAcouldleadwholesalecustomersofBankBtoimmediatelywithdrawtheirdepositsatBankB,inlightoftheheightenedconditionalprobabilitythatBankBmayalsobeunderattack.EvenifBankBisnotunderattack,therecouldbeaself-fulfillingexpectationthatotherlargedepositorsinBankBwillmakeprecautionarywithdrawals,thusgeneratingthethreatofaliquiditycrisisforBankBthatisitselfarationaleforanylargedepositortorun.Thiskindofherdingbehaviorhasbeenobservedduringpastcreditevents—mostrecentlytherunonprimemoneymarketmutualfundsaftertheLehmanbankruptcy,includingprimefundswithlimitedornodirectexposure—andwouldlikelybetriggeredbycyberincidentsaswell.Adeposit-basedliquiditycrisiscoulddeepenifothernormalsourcesoffundingtoalargebankweretoreactcautiouslybydecliningtoprovideorrenewfunding.Forexample,somelargeU.S.bankshavesecuritiesdealeraffiliatesthatrelyonoverahundredbilliondollars(each)ofovernightfinancingintherepomarket,inordertomaintaintheirsecuritiesinventories.Aliquiditycrisisamongthelargestbankscanalsobeamplifiedbythenormalrelianceofthesebanksoneachotherasliquidityshockabsorbers.8AsexplainedbyAfonso,Curti,andMihov(2019),bankshavesubstantialregulatorycapitalrequirementsassociatedwithoperationalrisks,includingcyberattacks.However,regulationsdesignedtomanageliquidityriskamonglargebanksweredesignedtoaddressconventionalrunscenarios.Acyberincident,ontheotherhand,maytriggerfearsofanimmediatelossofaccesstodeposits.Thus,the

themfromcustomersseekingtolegitimatelyaccessthewebsitesortheironlinebankaccounts.”8Kopp,Kaffenberger,andWilson(2017)writethat“Closedirectconnectionsthroughinterbankandtransfermarkets,andindirectrelationships(liquiditycascades)allowshockstospreadquicklythroughoutthesystem.Aninstitution’sinabilitytomeetpaymentorsettlementobligations—forexamplebecausetheirinternalrecord-keepingorpaymentssystemshavebeencompromised—cancauseanamecrisis,whichwouldhaveadverseeffectsonfundingliquidityandknock-oneffectstootherinstitutionswhichwerecountingontheavailabilityoftheseliquidityflows.”

resultingoutflowscouldbefastermovingandlargerinmagnitudethananticipatedbythedesignofcurrentliquidityregulations.Akeyquestion,whichweaddressinthenextsection,iswhetherlargeU.S.bankscurrentlyholdenoughhighqualityliquidunencumberedassetstoweathersucharun.Evenwerebankstoavoidanoutrightliquiditycrisis,cyberrunscouldintroducesignificantfrictionsintothepaymentsystem.Forexample,activityontheAutomatedClearingHouse—whichmakesupmorethanhalfofallnon-cashpaymentactivity—ishighlyconcentratedamongafewmemberinstitutions.Wereoneofthesenodestobetakendown,evenforashortperiodoftime,theeconomicimpactcouldbesignificant,aswewilldiscussinmoredetail.Thoughsafeguardingthepaymentsystemhaslongbeenafocusofcyberpolicy,thepotentialforacyberruntoturnanoperationaleventintoaliquidityeventmakesoutagesinaffectedpaymentnodesmoredifficulttoremedy.Cyberrunriskiscompoundedbythepropensityofaffecteddepositorstoseeknon-bankliquidityoutletssuchasgovernmentmoneymarketfunds(MMFs),whichareoutsidethepaymentsystemandalsounlikelytoachievehighenoughturnovertoservenormal(letalonecrisis)demandsfortransactionsactivity,especiallyonshortnotice.Moneyfundsarealsoexposedtointradayliquidityevents,giventheirlackofdirectaccessforliquiditytotheFederalReserveSystem.Asuddenreductioninthemaximumattainablevelocityofcirculationofcashcouldhaveseriousmacroeconomicrepercussions.QuantifyingtherunriskThefirststepinaddressingcyberrunriskistoidentifyandquantifythesourcesofbankfundingthatarepotentiallyexposedtosucharun.Thoughstandarddisclosurestypicallylacksufficientgranularityforthisexercise,LiquidityCoverageRatio(LCR)regulationsrequirelargerfinancialinstitutionstoidentify,model,anddisclosedetailsaroundhowtheyfundthemselves.9Relyinginpartonthesedisclosures,weconsiderasampleof12majorbankholdingcompanies(withatleast$250bnintotalassets),includingmajor“money-center”banks,largerregionalbanks,institutionsthataredominatedbytheirsecuritiescustodyservices,andinstitutionswhosemostsignificantbusinessistheirbroker-dealer.TheprincipleunderlyingtheLCRisthatallofamandatedbank’spotentialcashoutflowswithin30daysmustbecoveredbyconservativelyestimatedcashinflowsandthebank’sstockpileofunencumberedhighqualityliquidassets(HQLA).Forthepurposesofapplyingtherule,eachofabank’ssourcesoffundsisassignedanassumedadverse-scenariorun-offrate.Theseassignedrun-offratesareconservativewithrespecttoempiricalevidenceontraditionalbankruns,asexplainedbyMartin,PuriandUfier(2018).Forlargebanks,wholesaledeposits9 Foradetailedoverview,seeU.S.BaselIIILiquidityCoverageRatioFinalRule:VisualMemorandum,DavisPolk&Wardwell,9/23/2014.

tendtodominatetheregulatorymeasureoftotalweightednetcashoutflowsbecauseoftheirmoreaggressiverun-offassumptions,althoughthiseffectvariesacrossinstitutions.Withinunsecuredwholesalefundingsources,thecurrentLCRruleapplies25%and40%runoffratestooperationaldepositsandnon-operationaldeposits,respectively.Arun-offrateofonly3%appliestostableretaildeposits.TheLCRrulemakessomeallowanceforcashinflowswithinthe30-daytestwindow.Securedfundingisassumedtobemoreeasilyaccessibleinacrisis,withanaverageinflowrateofroughly25%acrossoursampleofinstitutions,comparedtoa10%inflowrateassumptionforunsecuredfunding.Asofthethirdquarterof2018,thetwelvebanksinoursamplemorethanexceededtheirLCRrequirements,havingenoughweightedHQLAtocovertheirrespectivemeasuresofstressedoutflows,netofassumedinflows,withacomfortablemanagementbuffer.Thebankingsystem,bothasawholeandamonglargerinstitutions,isapparentlyresilienttotraditionalrunscenarios.Cyberruns,however,couldgenerateexceptionallyhighshort-termrun-offrates.Althoughthe2008financialcrisisdoesnotprovideanapples-to-applescomparison,thecrisisexperiencesuggeststhatwholesalefundingrunscouldbemorerapidthanassumedbytheLCRruleattimesofextremestress.Forexample,intheimmediateaftermathoftheLehmanBrothersbankruptcyinlate2008,rawinstitutionalprimemoneymarketfund(MMF)outflowspeakedatmorethan10%perday(KacpercyzkandSchnabl,2010;Schmidt,Timmermann,andWermers,2016).Cyberrunscouldbeevenmorerapidbecauseoperationaleventstypicallyhaveshortertimescalesthancreditevents.ResearchbyMartin,Puri,andUfier(2018)suggeststhattraditionalrunsaremitigatedbythelong-standinginstitutionalrelationshipsbetweendepositorsandtheirbanks.Inacyberrun,however,relationshipsmightimpingemuchlessontherationaleforquickwithdrawals.Insuchascenario,abankclientwhorunstosafeguard“physical”accesstoitsfundswouldnotbeshowingdisrespectforitsbank’screditworthiness.Altogether,wesuspectmuchlargerandmorefront-loadedoutflowratesinaseriouscyberscenariothanenvisionedinthedesignofthecurrentLCRrule.Aswehavediscussed,acybereventcouldenvelopemorethanthedirectlyaffectedinstitutions.Duringthemassive2008flightofwholesalecashinvestorsfromprimemoneyfundsthatwastriggeredbylossesoftheReservePrimaryFundonitsLehmanpaper,themajorityoftheoutflowswerefromprimefundswithnosignificantexposuretoLehmanBrothers.Inprinciple,abank’soperationaldepositsarethosemostexposedtocyberrunsbecausetheyarespecificallyassociatedwiththehigh-frequencytransactionsneededfordailyactivities.TheLCRruleidentifiesoperationaldepositsasthose

associatedwithdailyactivitiessuchaspaymentprocessing,payroll,settlementoffinancialtransactions,andsoon.LCRdisclosuresforoursampleofinstitutionsimplythatoperationaldepositsaccountfornearly$1.8trillioninaggregate,or60%ofwholesaleunsecuredfunding.Threequartersofthistotalisheldbythefourlargestnames.Inpractice,however,thedistinctionbetweenoperationalandnon-operationaldepositsisnotstraightforward.Notonlyarethesefundsgenerallycomingled,butthefunctionalsplitbetweenthetwocanvarysignificantlyoverlongandshorttimescales.Forthepurposesofourquantitativeexercise,weproposetoviewallinstitutionaldeposits—totalingmorethan$2.8trillioninoursampleasoflatelastyear—asatriskinacyberrun.Asmentioned,theLCRruleallowsforfundinginflowstopartiallyoffsetrun-offs.Becausecyberrunsdealspecificallywithoperationalrisks,itseemslikelythataffectedinstitutionswouldhavemoredifficultyaccessingsecuredfundingthaninatraditionalrun.Bothretailandwholesalecustomerswouldalsobelesskeentodepositfundsbecauseoffearsoflackofaccess.Thefearoflossofaccess,aboveandbeyondaversiontocreditexposure,wouldlikelyworsennetoutflowsandnetinflowsrelativetoLCRassumptions.TheLCRrulesplitsHQLAintovariouslevelsaccordingtothespeedwithwhichtheassetscanbeliquidatedatlowcost.ReservesheldattheFedare“Level-I”,andarethemosteffectiveformofHQLAforaddressingintradayliquidityneedsatlargescale.Next-dayneedscanbemetwiththeremainingformsofLevel-IHQLA,primarilyTreasuriesandT-Billswhichtradeseveralhundredbilliondollarsdaily.10Lower-levelHQLAwouldcontributesignificantliquidityoverroughlyweeklytimeframes.Basedagainondatafromthethirdquarterof2018,wefindthat,inaggregateacrossoursample,reservescoverroughly25%ofwholesaleunsecuredfunding.OtherLevel-IHQLAtotalstoabout37%ofwholesalefunding,splitroughly2-to-1onaverage11betweentreasuriesandGNMAmortgage-backedsecurities[MBS].TheremainderofHQLA(largelycomposedofconventionalMBS)coversanother15%ofwholesalefunding,for78%coverageintotal.However,asillustratedinFigure1,thereissignificantvariationacrossinstitutions.Moneycenterandregionalbankshavecoverageofaround80%(ofwhich25%consistsofreserves,thoughthiscanbeashighasabout40%forsomebanks),whilethecoverageofcustodybanksiscloserto50%(ofwhich17%isreserves).InadditiontocomparingthestockofHQLAtopotentialwholesaledepositflight,itisimportanttoconsiderthetimingofoutflowsversusacanonicalbank’sabilitytoraiseliquidity.Forthispurpose,Figure2showstheresiliencyofthe“averagebank”

10SeePrimaryDealerStatisticsprovidedbytheFederalReserveBankofNewYorkat:https://www.newyorkfed.org/markets/gsds/search.html11SeeIhrig,Kim,Kumbhat,Vojtech,andWeinbach(2017).

inoursampletothreehypotheticalrunoffscenarios,thespecificationsofwhicharedetailedinAppendixA:

a. AscenarioconsistentwiththedesignoftheLCRrule,basedonstressedandweightedgrossoutflows,leadingtoacumulativetotalrunoffrateofapproximately24%overa30-daywindow.

b. Anadversecyberrun,withanassumedcumulativetotalrunoffof50%ofwholesaledepositsover30days.

c. Aseverecyberrun,withassumedtotalrunoffof75%.Foreachofthethreescenarios,thedailyprofileofrunoffratesacrossthe30-daywindow,detailedintheappendix,isassumedtobefront-loaded.Anysuchassumptionsarehighlyconjectural,astheurgencytorunisdifficulttomodelandlikelytobesubjecttomultipleself-fulfillingequilibria(DiamondandDybvig,1983).Inthissenseourscenariosshouldbetakenaspurelyillustrativebutintendedtorepresentrelativelyconservativesituations.

Figure1.HQLAcoverageofwholesaledepositsforselectedbanks.Foreachbank,theheightofthecoloredsegmentsrepresentthelevels,asoftheendofthethirdquarterof2018,ofvarioustypesofhighqualityliquidassets(HQLA)asafractionoftotalwholesaledeposits(operationalandnon-operational)ofselectedbanks:JPMorgan(JPM),BankofAmerica(BAC),WellsFargo(WFC),Citibank(C),StateStreet(STT),BankofNewYorkMellon(BK),U.S.Bank(USB),TorontoDominion(TD),PNCBank(PNC),andCapitalOne(COF).ForCOFweincludealleligibleHQLA,thoughitisimportanttonotethatthismaydifferfromthereportedLCRmeasurementduetolevel2assetcapsintherule.

JPM BAC WFC C STT BK USB TD PNC COF0

20

40

60

80

100

120

140

160

180

HQ

LA c

over

age

of w

hole

sale

dep

osits

(per

cent

) reservesother Level 1Levels 2A, 2B

TheabilitytoraisecashwithinagiventimewindowislimitedbythecompositionoftheHQLAportfolio.Forourillustrativepurposes,weassumethe“average”HQLAcompositionofmoney-centerbanksacrossreserves,Treasuries,andMBS,exploitingtheempiricalanalysisofIhrig,Kim,Kumbhat,Vojtech,andWeinbach(2017).WeassumethattheabilityofourhypotheticalbanktoliquidatetreasuriesandMBSwithinagiventimeframeislimitedbyhistoricalturnoverintheserespectivemarkets,forwhichwerelyontradingvolumedata.12WeconservativelyassumeT+1settlementforTreasuriesandMBS,13thoughinprinciplebothofthesetypesofassetscouldbeusedascollateraltosourcesame-daycashviasecuredfundingsourcessuchasrepurchaseagreements(repos).Forsimplicity,weassumenopriceimpactforsaleofthesetwoassetclasses.(Salescanbeavoidedbyrelianceinsteadonrepos.)Ourresults,althoughbasedoncrudeandpreliminaryassumptions,suggestthatourhypotheticalrepresentativemoney-centerbankhasampleliquiditytosurvivescenariosanticipatedbytheLCRruleandevenadversecyberruns.Ourhypotheticalbankexperiencesmoderateliquidityshortfallsunderourassumptionsforaseverecyberrun,but,aswehaveemphasized,thebankcouldaccelerateitsaccesstocashbyusingitstreasuriesandMBSascollateralformoreimmediateaccesstocashviarepurchaseagreements.Moreover,theFedisavailableasarobustadditionalsourceofliquidityandwouldpresumablynothesitatetoofferampleadditionalreservesagainstgoodcollateralduringanextremecyberevent,justastheFeddidduringtheoperationaloutagesatBONY14in1985(EnnisandPrice,2015)andat9/11/2001(Lacker,2003).Insummary,allofouranalysis,althoughquitebasic,suggeststhatbankshavesufficientliquidity—bothstockandflow—tosurviveevenarelativelyextremecyberrun.Asacaveat,asystemicbank’sliquiditysituationcouldworsensharplyduringscenariosinwhichsecuredfundingturnsskittish.Thoughseeminglyextremeonthesurface,wedonotbelievethatsuchascenarioisentirelyimplausibleinthewakeofacyberincidentinvolvingamajorbank.Itshouldbenotedthatwhilerepomarketswereinmanywaystheepicenterofthe2008financialcrisis,theircompositionhaschangeddramaticallyinfavorofhigherqualitycollateral.For

12Fortreasuries,werelyonPrimaryDealerStatisticsprovidedbytheFederalReserveBankofNewYork.ForMBS,weuseTRACEdataonpass-throughs,assummarizedbySIFMA’sU.S.StructuredFinanceTradingVolumedataathttps://www.sifma.org/resources/research/us-sf-trading-volume/13InprincipleMBScanbesettledsame-dayforcash,howeveritisunclearwhatvolumeofsuchtransactionsthemarketcanaccomodate.14EnnisandPrice(2015)describehow,in1985,TheFedprovidedTheBankofNewYork(BONY)with$23billionindiscount-windowfundingwhenasoftwarefailureleftBONYunabletomeetitsagreementstodeliverlargequantitiesofsecurities.

example,usingmoneymarketfunds(MMFs)asaproxy,FederalReservedata15suggestthatTreasuriesandAgencies(mostlyMBS;Baklanova,Copeland,andMcGaughrin,2015)makeupmorethan95%ofcollateral,upfrom75%in2010(theearliestdatecoveredintheiranalysis).However,evensecuredlendersrelyonreadyaccesstocashfordailyliquidity,particularlybankssubjecttominimumoperatingliquidityandotheroperationalrequirements.Giventheriskthattheircashmaybefrozenbyacybereventinprogress,therecouldbestrongincentivesamongcashinvestorstoavoidanyaffectedinstitutionsregardlessofcollateralquality.Thisisnotourbasecaseforevenaseverecyberrun,butisaplausibleriskinanextremeevent.

Figure2.Resiliencyofan“average”money-centerbanktohypotheticalcyberruns.Theheightofthestackofcoloredsegmentsshowsthecumulativecashavailableatagivennumberofdaysfromanevent,stemmingfromthreesourcesofhighqualityliquidassets(reserves,treasuries,andmortgagebackedsecurities)basedonliquidationtimingassumptionsstatedinAppendixA.Thelinesplottedinblackshowthecumulativerunoffsofwholesaledeposits(bothoperationalandnon-operational),basedonrunoffrateassumptionsstatedinAppendixA.CumulativerunoffsareshownforhypotheticalscenariosassociatedwiththedesignoftheLiquidityCoverageRatio(LCR)rule,anadversecyberrun,andaseverecyberrun.Section23oftheFederalReserveActessentiallyrulesouttheabilityofthelargestU.S.securitiesdealerstoobtainemergencyliquidityfromthebanksubsidiarieswithinthesamebankholdingcompanies.Worseningthesituation,theDodd-FrankActpreventstheFedfromprovidingemergencyfundingtoindividualsecuritiesdealersunderitsemergencylendingauthority,Section13-3oftheFederalReserve15https://www.federalreserve.gov/releases/efa/efa-project-money-market-funds-investment-holdings-detail.htm

reserves

treasuries

MBS

LCR

adverse cyber

severe cyber

total wholesale deposits

0 2 4 6 8 10 12 14 16 18 20Days from event

0

100

200

300

400

500

600

Cum

ulat

ive

cash

ava

ilabl

e an

d ru

noff

(USD

billi

ons)

Act.Inanindustry-widecrisis,however,theFedretainsitslegalauthoritytosetupprogrammaticliquidityfacilitiesformultiplesecuritiesdealers,justasitdidin2008aroundthefailuresofBearStearnsandLehman.Payment-systemnetworkeffectsHavingdiscussedtheresiliencyofindividualinstitutionstocyberruns,weturntothenetworkimpactsofacyberrunonthepaymentsystem,andspillovereffectsontherealeconomy.TheFederalReservePaymentsStudy16revealsthattheAutomatedClearingHouse(ACH)isthesinglelargestsourceofnon-cashpaymentsintheUnitedStates—recentlyhandlingmorethanhalfofgrosstransfers.17Apotentialsideeffectofacyberrunisthatdepositaccountsatalargefinancialinstitutionbecomeinaccessible.ThiswouldeffectivelylocktheinstitutionoutofACHandotherpaymentsystemsthatinteractdirectlywiththerealeconomy.ACHpaymentactivityishighlyconcentratedonafewnodes.Asanillustrationof2017networkstatistics,thefivemostactiveoriginatorsconstitutedmorethan60%oftotalACHpaymentactivity.18Werejustoneofthesecriticalpaymentnodestoberenderedinoperativeorotherwiseinaccessible,theinterruptionorslowdownofconsumerandbusiness-relatedpaymentscouldhavemateriallyadverseeconomicimplications.Thoughcyberriskstothepaymentsystemhavebeenrecognizedforsometime(Borghard2018;Bouveret2018;CPMI-IOSCO2016;Kopp,Kaffenberger,andWilson2017;OfficeofFinancialResearch2017;Rosengren2015)therehasbeenlittlediscussionofthepotentialforcyberrunstoexacerbatetheimpacts.Anoutflowofdepositswouldlikelyrapidlydepletethereservebalancesofaffectedinstitutions.Banksrelyonthesereservesfortheintradaysettlementliquiditythatfacilitatesthesmoothfunctioningofthepaymentsystem19(Bech,Martin,andMcAndrews, 2012;Belton,2018).OnecouldinprincipleturntooverdraftsonFedreserveaccountsasasubstitute—aswascommonlythecaseinthepre-crisisera.However,intheextreme,continuedoutflowscouldmaketheseoverdraftsmuchmoredifficulttocurebytheendofaday,forcingaffectedbankstodownscaletheirFedWireandACHactivity.TheFed’sdiscountwindowisavailable,buttendstobea

16The2017AnnualSupplementshowsroughly55%ofnon-cashpaymentactivitywasprocessedviatheACHnetwork,relativeto~10%inchecks(excludinginterbankpayments)andjustunder8%oncredit,debit,andprepaidcards.Fordetails,seeFederalReserveBoard(2017)availableatthislink:https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm17SeeFederalReserveBoard(2017).18The2017andhistoricalnetworkstatistics,includingthetop50originatorsandreceivers,areavailableontheACHwebsiteathttps://www.nacha.org/ach-network/timeline19Theappropriatesteady-statebalanceofreservestofacilitateinterbankpaymentsisanongoingareaofactiveresearchanddiscussion,whiletheFederalReservehasbeenreducingthesizeofitsbalancesheetaspartofitspolicynormalizationprocess.

lastresortbecauseoftheassociatedcost,stigma,andcollateralrequirements.Asaresult,cyberrunscanexacerbateandprolongdisruptionsinthepaymentsysteminthewakeofacyberincident,potentiallylongaftertheproximatecausehasbeencured. Aseverecyberincidentinthebankingsystemcouldthereforenotonlyinduce,butalsoprolong,apayment-systemgridlock.Withoneormorenodesinthesystemessentiallyinaccessiblebecauseofacyberevent,andamidheightenedfearsofplacingfundsatcertainotherpaymentnodes,therecouldbeasignificantslowdowninthecirculationofreserves.Thisincreasestheincentivesofaninstitutiontohoardliquidity,evenifunaffecteditselfbythecybereventandevenifunconcernedaboutcounterpartycreditrisk.Indeed,Ashcraft,McAndrews,andSkeie(2009)findevidencethatabankwithsignificantintra-dayinflowsandoutflows,wheneverconcernedthatitmaynotreceiveinflowssufficientlyinadvanceofoutflows,hasatendencytodelayitsownpayments.Inseverecases,hoardingliquiditywouldbecomeaself-fulfillingequilibriumbehavior.WhendescribingtheimpactofoperationaloutagesduringtheeventsofSeptember11,2001,Lacker(2003)wrote“Thegeneraldisruptioninpaymentflowswouldalsohavemeantuncertaintyformanybanksaboutwhetherscheduledincomingpaymentswouldbereceivedasplanned.Thismayhaveinducedbankstodelayorwithholdpayments.”McAndrewsandPotter(2002)providesupportingevidenceofhoardingbehaviorat9/11,writingthat“Whilesomebanksthatexperiencedtechnologicaldifficultiesinsendingpaymentsaccumulatedhigher-than-desiredbalances,otherbanks’increaseduncertainty(regardingwhichpaymentstheymightreceivelaterintheday)ledthemtohavehigherprecautionarydemandforliquidbalances.Consequently,thesourcesofliquidityinternaltothebankingsystemwerenotavailableorcapableofaddressingthewidespreaddemandforliquidity.”Non-bankliquidityoutletsIfwholesaledepositorsandsecuredcashinvestorsrunfrompayment-systemnodes,theywouldsubstitutewithotherformsofcashinstruments.Asinlate2008,governmentMMFscouldprovetobeanattractivenon-bankliquidityoutletinacyberrun.Thesefundsarebackedalmostentirelybyhigh-quality(sovereignorgovernment-agency)short-maturityassets.Inprinciple,MMFsoffersame-dayliquidityforlargeshareholders.ThegovernmentMMFcomplexislarge,holdingmorethan$2.3trillionintotalassetsasofthiswriting,20roughly$1.6trillionofwhichconstitutesinstitutionalfunds.21TheseMMFshaveaccesstosufficientinvestableassets,meeting2a-7regulatoryrequirements,toabsorbeventhemost20Asof1/9/19,basedondataprovidedbytheInvestmentCompanyInstitute(ICI).21Atpresent,roughly40%ofthegovernmentMMFcomplexisrestrictsitsshareholderstonaturalpersonsperthesameICIdata.

extremeinflowsrelatedtoacyberrun.Forexample,afterexcludingcurrentgovernmentMMFholdings22aswellasthoseoftheFederalReserve23andforeignofficial-sectorinvestors,24thestockofT-Bills,agencydiscountnotes,eligibletreasuries,agenciesandfloatingratenotes(FRNs)exceeds$4.5trillion,25whichiswellinexcessofthe$2.8trillioninwholesaledepositsamongthetwelvebanksinoursample.(Thisdoesnotruleoutsomecostlypriceimpacts.)Ontheotherhand,giventherapiditythatwewouldassumeforcyber-run-relateddesiredinvestmentsinMMFs,itmaybedifficultforgovernmentMMFstogrowtheirassetsquicklyenough.Inthepast,repurchaseagreementsintermediatedbythebankingsystemhaveproventobeakeyoutletforshort-termdemands,constitutingthemajorityoftheexpansionofthesefundsaroundtheimplementationofnewU.S.MMFrulesin2016,includingmorethan$200bninSeptemberandOctoberofthatyearalone.26However,regulatoryconstraintsonlargebankbalancesheets—includingG-SIBsurchargesandthesupplementaryleverageratio(SLR)rule—have

22ICIdatashowsgovernmentMMFholdingsatapproximately$2.3trillionasofthiswriting,includingbothretailandinstitutionalfunds.23TheFRBNYpostsdailydetailedholdingsofTreasuriesandAgenciesonitswebsiteathttps://www.newyorkfed.org/markets/soma/sysopen_accholdings.html.24SalesofanyUSDholdings,includingT-BillsandTreasuries,byforeigncentralbankswould,ifnotwashedviabuyingotherUSDassets,havesignificantexchangerateimplications.Further,astockofUSDisrequiredforfacilitatinginternationaltradeaswellasmanagingcapitalinflowsandoutflows.AsaresultUSDassetsheldinforeignofficialaccounts 25AllasofSeptember2018toalignwithourLCRdisclosuresample.WebeginwiththeMonthlyStatementofthePublicDebt(MSPD)fromtheU.S.Treasury,whichindicatesroughly$2.1tnofT-Bills,$1.8tnofNotesandBonds(<397daysremainingmaturity),andjustunder$370bnofFRNs.Ofthose,TICdatafromthesameperiodindicatesroughly$370bnofT-Billsand$3.6tnofNotesandBonds(webelieveroughly10%ofwhichare<397daysremainingmaturity)areheldbyforeignofficialinstitutions,andthereforelikelypartofFXreservesandmoreremovedfromthefreelytradeablefloat.DataonholdingsoflongtermsecuritiesfromtheFederalReserveBankofNewYorkindicatesthat$420bnofshortNotesandBonds,and$18bnofFRNs,wereheldinitsSystemOpenMarketAccount(SOMA)holdings,andthereforealsonotfreetotrade.Thevariousgovernmentagencyissuers(FNMA,FHLMC,FHLB,etc.)haveapproximately$600bnintotaloutstandingdebtinsideoneyearremainingmaturity,andtheJune2017TICForeignHoldingsSurveysuggeststhemajorityofthatisnotheldbyforeignofficialaccounts.Finally,FederalReserveBoardH.8dataonlargecommercialbankholdingsshowsroughly$2.5tnofrepurchaseagreements,thevastmajorityofwhichlikelyhaveTreasuryorAgencycollateral,andthereforewouldbeeligibleforgovernmentMMFinvestment.26NewMMFreformsimplementedinOctober2016imposedgates,feesandfloatingNAVsonprimeMMFsthatmadethemmuchlessattractivetoinstitutionalinvestors.ThisledtoanexodusofthoseaccountstothegovernmentMMFcomplex,whichwasnotsubjecttomanyofthesenewrules.Asaresult,NYFRBdatashowsthattheirassetsgrewbynearly$1.5tnoverthecourseofthatyear,peakingatmorethan$200bnpermonthinSeptember,October,andNovember.Dealer-intermediatedtripartyrepoconstitutedthemajorityoftheincreaseinassetsover2016,andmorethanthatinseveralofthemoredisruptivemonths.

madeitmoredifficultforlargebank-affiliateddealerstointermediatealargeincreaseindemandforrepos.27Thiswouldbeevenmoredifficulttoaccomplishonveryshortnotice,barringanemergencywaiverofthesecapitalrules.Forexample,theSLRrule,at5%forU.S.G-SIBdealers,impliesanextra$5billioncapitalrequirementforeach$100billionexpansionofthebalancesheet.TheFed’sOvernightReverseRepurchaseAgreement(RRP)Facilityoffersacriticaloutletforthesefunds.Basedonthecurrent$30bnlimitsandthelistofitscounterparties,theRRPFacilitycouldinprincipleprovidesignificantcapacity,inthehundredsofbillionsofdollars,inshortorder—andhasdonesowhendealershavebeenunabletointermediatelargerepoflows.28EvenifthegovernmentMMFcomplexcouldabsorbtheseflowssufficientlyquicklyandinprincipleprovidesame-dayliquidity,itwouldbehighlyproblematictorelyonthemasdefactopaymentnodesforoperationalfunds.Firstandforemost,itisnotclearthatmanagingtherequisitevolumeofpaymentactivitywouldbeoperationallyfeasibleonshortnotice.BecauseMMFsarenotdirectlylinkedtothepaymentsystem,processingdailypayroll,settlement,andotherfinancialtransactionswouldrequirehighvolumeintradaysharecreationandredemption.BasedontheLCRdisclosuresinoursample,roughlytwothirdsofwholesaledepositscurrentlyheldatlargebanks—about$1.8trillion—areconsideredoperational,andthereforelikelytodemandahighrateofturnover.SubstitutionofalargefractionofoperationaldepositswithMMFinvestmentsinthewakeofacyberrunwoulddramaticallyincreasethedemandforMMFshareredemptionandcreationactivity.Alongtheselines,MMFregulationsallowtheboardsofthesefundstoimposegatesandfees29intheeventthattheycannotmanagehightransactionvolumes.Second,andperhapsmoreimportantly,netpaymentactivitycanvarysignificantlythroughouttheday,withfrequentandunpredictableshortfallsthatmustbeactivelymanaged(McAndrewsandKroeger,2016).Inlightofpotentialintra-dayliquidityshortfalls,theFedprovidestwoformsofdaylightsettlementliquiditytothebankingsystem:overdraftsandexcessreserves(Bech,Martin,andMcAndrews,2012).Sincethefinancialcrisis,asshowninFigure3,anabundanceofexcessreserveshasallowedbankstosubstantiallyreducetheirrelianceonoverdraftstomanageintradayliquidityneeds—materiallyreducingriskstothepaymentsystem

27Amongotherimpacts,theserulespenalizein-scopebankswhentheygrowtheirbalancesheet,whichwouldberequiredtoholdthecollateralsuppliedbygovernmentMMFsviarepo.FordetailsseeDuffie(2018)andreferencestherein.28Forexample,thiscanoccuraroundquarter-endsandyear-endswhenregulatorysnapshotsmakebalance-sheetintensivetradeslikerepoparticularlypunitive.ThelistofRRPcounterpartiesisavailableontheNewYorkFed’swebsite. 29GovernmentMMFsaregenerallyexemptfromthegatesandfeesrequiredforprimefundsbyrecentlyrevised2a-7U.S.moneymarketrules.Thatsaid,theboardsofallfundshavetherighttoimposetheserestrictionsintheeventtheydetermineitisrequiredtomaintaincompliancewiththoserulesand/ortheirfiduciarydutytoshareholders.

(McAndrewsandKroeger,2016).GovernmentMMFs,however,donothavedirectaccesstoreservesordaylightFedliquidity.Asofthiswriting,theweightedaveragematurity(WAM)oftheirholdingsisaround30dayswithapproximately60%inovernightliquidity.30Theamountofpotentiallyneededintra-dayliquiditycouldbesubstantial.Pre-crisispeakdaylightoverdrafts,aroughproxy,reachedapproximately$185billioninQ32008.Puttingthisalltogether,non-bankliquidityoutletsaresufficientinpotentialsizetoserveasasafehaven,andinprinciplehavesame-dayliquidity.However,weresignificantoperationalfundstomigratetothegovernmentMMFcomplex,theresultingneedsforhigh-volumepaymentsandturnoverwouldlikelystraintheoperationalcapabilitiesofthesemoneyfunds.TheirlackofaccesstoFeddaylightliquiditysourcesmightintroducesignificantfrictionstothepaymentsystem,whichcouldhaveseverenegativespilloverconsequencesforrealsectorsofeconomy.

Figure3.Quarterlypeakdaylightoverdrafts,normalizedbyquarterlyaggregatepaymentvolume,andexcessreserves,alsonormalizedbyquarterlyaggregatepaymentvolume.Datasource:FederalReserve.

30 FromtheInvestmentCompanyInstitutedataonmoneymarketfundportfolios,availableontheirwebsite:https://www.ici.org/research/stats/mmfsummary/nmfp_11_18.

1995 2000 2005 2010 2015Date

0

0.5

1

1.5

2

2.5

3

Rat

io o

f pea

k da

ily o

verd

raft

to to

tal p

aym

ents

10-3

0

0.002

0.004

0.006

0.008

0.01

0.012

0.014

Rat

io o

f exc

ess

rese

rves

to to

tal p

aym

ents

EmergencyPaymentNodesAswehavediscussed,asufficientlyextremecyberruncoulddangerouslyslowdowntheprocessingofwholesalepayments,evenifeverysystemicallyimportantbankhasampleliquidityforitsownsurvival.Thissuggeststhepotentiallyusefulroleofan“emergencypaymentnode”(EPN),whichweenvisionasfollows.AnEPNwouldbeabankthatremainsdormantexceptduringanoperationalcrisisinthepaymentsystem.Whenactivated,anEPNprocessespayments,asrequested,withinaprescribedwholesalepaymentnetworkconsistingofeligiblebanksandnon-bankfinancialfirms,suchasprimarydealers,moneymarketfunds,andgovernmentsponsoredenterprises.31TheEPN’sonlyassetswouldconsistofFederalReservedeposits,presumablyattheFederalReserveBankofNewYork.EacheligibleEPNaccountholderwouldhaveastandingdepositaccountattheEPN,normallyholdingzeroordeminimisbalances.AsdepictedinFigure4,duringacrisis,theEPNwouldbecomeavailabletoitsaccountholdersforsendingandreceivingpayments.Dependingonthetypeofaccountholder(bankversusnon-bank),paymentscouldbesettledbyanEPNinitsowndepositsorinreserves.AnEPNisthereforeaformofnarrowbank.32Giventhenatureofitsbalancesheetandpaymentfunction,theEPNwouldpresumablyhavenoregulatorycapitalrequirementsotherthanperhapsthecapitalrequirementassociatedwithoperationalrisk(Afonso,Curti,andMihov,2019).Analogously,intheaftermathofthefinancialcrisisrepomarketparticipantsconsideredsettingupaspecial-purposefinancialinstitutionthatcouldbeactivatedinanemergencytobackstopatri-partyrepoclearingbank.33This“NewBank”projectnevercametofruition,possiblybecauseofthesignificantassociatedneedforstandbycapitalcommitments.

31TherelevantsetofEPNaccountholderscouldbesimilartothesetoffirmsthatiseligibletoparticipateintheFed’sReverseRepurchase(RRP)facility.AsstatedbytheFederalReserveBankofNewYork,“Participationinthe[RRP]operationsisopentotheFederalReserve’sprimarydealersaswellasitsexpandedRRPcounterparties.ExpandedRRPcounterpartiesincludeawiderangeofentities,including2a-7moneymarketfunds,banks,andgovernment-sponsoredenterprises.AdditionaldetailsontheRRPcounterpartiesareavailableontheNewYorkFed’swebsite.”https://www.newyorkfed.org/markets/rrp_faq.html32Asamatterofdisclosure,oneoftheauthorsisamemberoftheboardofdirectorsofTNBInc.,whichproposestoofferanunrelatedformofnarrow-bankingproducttocashinvestors.33SeeFederalReserveBankofNewYork(2010)atFootnote13.

AlthoughanEPNwouldnotbeperfectlyimmunetoacyberevent,undernormalsafeguardsitwouldbesignificantlymoreresistanttocyberriskthanalargeoperatingbank,giventheextremelynarrowfunctionofanEPN,thehighlyproscribedsetofeligibleaccountholders,thelimitedpointsofnetworkaccess,andthelackofactivityoutsideofanoperationalpaymentcrisis.

Figure4.Schematicoftheroleofanemergencypaymentnode(EPN),beforebeingdeployedforanoperationalpayment-systememergency(“Before”),andafterbeingdeployed(“After”).Withoutcountervailingprotections,anEPNcouldacceleratearunonbanksbecauseitwouldbeanexcellenthavenfordepositorsseekingbothsafetyandliquidaccesstothepaymentsystem.ThisflightriskcanbemitigatedbyrestrictingtheabilityofEPNaccountholderstousetheiraccountsheavilyasastoreofvalue.Whilenon-zeroEPNaccountbalanceswouldbenecessarytoobtainintra-daypaymentnettingefficiencies,verylargebalanceswouldbeunnecessary.IntheeventthatflowstotheEPNdobegintostresstheliquidityoflargebanks,theFedremainsanavailablesourceofliquiditytothosebanks.TheEPNcouldperhapsbeoperatedandgovernedasanindustryutility,inthespiritoftheNewYorkClearingHouseAssociation(NYCHA),whichwasacrisisbackstoptothebankdepositsystembeforetheFedexisted(Gorton,1985).LikeanEPN,theNYCHAwasnotonlyaninter-bankclearinghouse–italsoprovideddirectaccessto

non-bankdepositorswhowereconcernedaboutholdingtheirfundsinconventionalbankaccounts.34TheNYCHAwasdesignedtomitigaterunriskassociatedwithuncertaintyoverthecreditqualityofbanks,ratherthantheriskofpaymentslowdownsorgridlockassociatedwithoperationalrisk.IncorporatingcybereventsintostresstestsGiventhepotentialforadverseimpactsonfinancialandeconomicstabilitythroughshortfallsinbankliquidityandthefluidityofthepaymentsystem,howdowegoaboutmoreeffectivelyaddressingthisthreat?Muchoftheliteratureoncybersecurity,particularlyasitpertainstothebankingsystem,isvague.Thisisprobablypartlybydesign,toavoiddisclosureofdefensesthatmaybeinstructivetomaliciousactors.Official-sectorU.S.preparednesspolicies,summarizedinAppendixB,havefocusedonguidelines,metrics,andinformationsharing.Thenaturesandtargetsofcyberattacks,nottomentiontheirdownstreamimpacts,varyenormously.Scenarioanalysis,despiteitslimitations,hasprovenvaluableforthepurposeofpreparingforextremebutplausibleadversesystemicevents.ExamplesincludethefamousLong-TermStudiesgroupatRoyalDutchShell(WilkinsonandKupers,2013).Thefinancialprivatesectorhasalreadyengaged—inpartnershipwiththeU.S.Treasuryandothergovernmentagencies—inthe“HamiltonSeries”ofcybereventsimulations.35Goingfurther,bankregulatorscouldincludecyberscenarioanalysesintotheirDodd-Frankmandatedstress-tests,withintheexistingframeworksforoperationalrisk(FederalReserveBoard,2018).Giventheinteractionsthatwehaveoutlinedbetweencyberruns,financialstability,paymentsystems,andthemacro-economy,holisticscenariosincorporatingcyberrunscouldrevealsomeofthemostpertinentsystemicinteractions.Consistentwithouremphasisontestingfortheimplicationsofcontagioninacyberevent,KashyapandWeltherit(2018)statedaprincipleof“cyberstressteststhatexplorecommonvulnerabilitiesthatmayamplifytheimpactofacybershock.”TheBankofEngland,setinmotionbyitsFinancialPolicyCommittee,planstoconduct

34AsnotedbyGorton(1985),“Duringthepanicsof1893and1907clearinghousestookthefurtherstepofissuingloancertificates,insmalldenominations,directlytothepublic.Sincethisdidnotinvolvereplacinggoldintheclearingprocess,butinsteadwasthedirectmonetizationofbankportfolios,largeamountsofmoneycouldbecreatedandissuedtothepublicinexchangefordemanddeposits.”35TheFinancialSystemicAnalysisandResilienceCenter(FSARC,2016)wasstoodupbytheFinancialServices-InformationSharingandAnalysisCenter(FS-IAC)inorderto“proactivelyidentify,analyze,assessandcoordinateactivitiestomitigatesystemicrisktotheU.S.financialsystemfromcurrentandemergingcybersecuritythreats.”FSARCranthe“HamiltonSeries”ofsimulatonsinconjunctionwiththepublicsector,toimprovethecapacitytoidentify,resolve,andrecoverfromcyberincidents(Feeney,2017;Waterman,2018).

cyberstresstestsin2019withthisprincipleinmind,andwithafocusonpayments.36Itwouldbeusefultoincorporatenon-bankliquidityoutlets—includinggovernmentMMFs—intocyberstresstests,giventheirpotentialtoactasdefactopaymentnodesduringacyberrun.Recentlyrevised2a-7moneymarketfundrulesdorequiresomestresstestingofMMFs,butthesetestsfocusmainlyonoutflowstriggeredbycrediteventsandinterestrateshocksratherthanstressesassociatedwithsurgesininflowsandturnover(Berkowitz,2015).Unfortunately,thespecificnatureofscenarioanalysisisalsoalimitation.Historyoffersrelativelylittleguidanceregardingthemostlikelyproximatecausesandchannelsofcyberstresses.Nevertheless,buildingthemachinetoanswerthequestionsisakeypartofthevalueoftheexercise.Indesigningandrespondingtocyberstresstests,regulatorsandsystemicallyimportantinstitutions—includingbanksandMMFs—areforcedtothinkholisticallyandgranularlyaboutlikelyscenarios,propagationchannels,andresponses.Thisisespeciallyusefulintherelativelyunchartedareaofcyberruns. ReferencesAblon,Lillian,2018,“DataThieves,”TestimonybeforetheHouseFinancialServicesCommittee,SubcommitteeonTerrorismandIllicitFinance,March.https://www.rand.org/content/dam/rand/pubs/testimonies/CT400/CT490/RAND_CT490.pdfAfonso,Gara,FilippoCurti,andAtanasMihov,2019,“ComingtoTermswithOperationalRisk,”LibertyStreetEconomics,FederalReserveBankofNewYork,January7,2019. https://libertystreeteconomics.newyorkfed.org/2019/01/coming-to-terms-with-operational-risk.htmlAshcraft,AdamandDarrellDuffie,2007,“SystemicIlliquidityintheFederalFundsMarket,AEAPapersandProceedings,Volume97,pages221-25.Ashcraft,Adam,JamesMcAndrews,andDavidSkeie,2009,“PrecautionaryReservesandtheInterbankMarket,”FederalReserveBankofNewYork,StaffReportNumber370,May.https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr370.pdfBaklanova,Viktoria,AdamCopeland,andRebeccaMcGaughrin,2015,“ReferenceGuidetoU.S.RepoandSecuritiesLendingMarkets,”FederalReserveBankofNewYorkStaffReportNo.740,December.https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr740.pdf

36SeeBankofEngland(2018),Box1,atpp.40-41.

BankofEngland,2018,FinancialStabilityReport,”Issue43,June.https://www.bankofengland.co.uk/-/media/boe/files/financial-stability-report/2018/june-2018.pdfBankforInternationalSettlements,FinancialStabilityInstitute,2017,“RegulatoryApproachestoEnhanceBanks’Cyber-SecurityFrameworks,”BankforInternationalSettlements,Basel.http://www.asbasupervision.com/en/bibl/recommended-reading/1556-lr241/fileBech,Morten,AntoineMartin,andJamesMcAndrews,2012,“SettlementLiquidityandMonetaryPolicyImplementation,”EconomicPolicyReview,Vol.18,No.1,March.https://www.newyorkfed.org/research/epr/12v18n1/exesum_mart.htmlBelton,Terry,2018,“TreasurySupply,Liquidity,andDemandforReserves,”presentedatReserveReduction,MoneyMarkets,andFuturesFrameworks,aconferenceattheColumbiaSchoolofInternationalAffairs,September.https://www.newyorkfed.org/medialibrary/media/newsevents/events/markets/2018/Terry-Belton-Treasury-Supply-Liquidity-and-Bank-Demand-for-Reserves.pdfBerkowitz,Jeremy,2015,“MoneyMarketMutualFunds:StressTestingandNewRegulatoryRequirements,”HarvardLawSchoolForumonCorporateGovernanceandFinancialRegulation,July.https://corpgov.law.harvard.edu/2015/07/14/money-market-mutual-funds-stress-testing-new-regulatory-requirements/BoardofGovernorsoftheFederalReserveSystem,OfficeoftheComptrolleroftheCurrency,andFederalDepositInsuranceCorporation,2016,“EnhancedCyberRiskManagementStandards,”JointAdvancedNoticeofProposedRulemaking,BoardofGovernors,OCC,andFDIC,WashingtonD.C.,October.https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20161019a1.pdfBoer,Martin,andJaimeVazquez,2017,“CyberSecurityandFinancialStability:HowCyber-AttacksCouldMateriallyImpacttheGlobalFinancialSystem.InstituteofInternationalFinance.www.iif.com/system/files/iif_cyber_financial_stability_paper_final_11_13_2017_clean.pdf[Thislinkisbroken.Needtoobtainaccesstothispaper.]Borghard,Erica,2018,“ProtectingFinancialInstitutionsAgainstCyberThreats:ANationalSecurityIssue,”CarnegieEndowmentforInternationalPeace,September.https://carnegieendowment.org/2018/09/24/protecting-financial-institutions-against-cyber-threats-national-security-issue-pub-77324Bouveret,Antoine,2018,“CyberRiskfortheFinancialSector:AFrameworkforQuantitativeAssessment,”WorkingPaper18/143,InternationalMonetaryFund,June.https://www.imf.org/~/media/Files/Publications/WP/2018/wp18143.ashxCarnegieEndowmentforInternationalPeace,2017,“TowardaGlobalNormAgainstManipulatingtheIntegrityofFinancialData,”March.https://carnegieendowment.org/files/Cyber_Financial_Data_white_paper.pdf

CommitteeonPaymentsandMarketInfrastructuresandBoardoftheInternationalOrganizationofSecuritiesCommissions,2016,“GuidanceonCyberResilienceforFinancialMarketInfrastructures,”BankforInternationalSettlements,June.https://www.bis.org/cpmi/publ/d146.pdfCurti,Filippo,andAtanasMihov,2018,“DiseconomiesofScaleinBanking:EvidencefromOperationalRisk,”Workingpaper,FederalReserveBankofRichmond,April.https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3210206Diamond,Douglas,andPhilipDybvig,1983,“BankRuns,DepositInsurance,andLiquidity,”JournalofPoliticalEconomy,Volume91,pages401-419.Duffie,Darrell,2018,“Post-CrisisBankingRegulationsandFinancialMarketLiquidity,” PaoloBaffiLectureonMoneyandFinance,Bancad'Italia,Eurosystem,March.https://www.darrellduffie.com/uploads/policy/DuffieBaffiLecture2018.pdfEnnis,Huberto,andDavidPrice,2015,“DiscountWindowLending:PolicyTrade-offsandthe1985BoNYComputerFailure.”EconomicBriefno.15-05.Richmond,Va.:FederalReserveBankofRichmond,May.https://www.richmondfed.org/%7E/media/richmondfedorg/publications/research/economic_brief/2015/pdf/eb_15-05.pdfFederalFinancialInstitutionsExaminationCouncil,2015,“CybersecurityAssessmentTool,”WashingtonD.C.,June.https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdfFederalRegister,2016,“EnhancedCyberRiskManagementStandards,”Volume81,No.207,pages74315-74326,WashingtonD.C.,October.https://www.govinfo.gov/content/pkg/FR-2016-10-26/pdf/2016-25871.pdfFederalReserveBankofNewYork,2010,“Tri-PartyInfrastructureReform,”WhitePaper,May.https://www.newyorkfed.org/medialibrary/media/banking/nyfrb_triparty_whitepaper.pdfFederalReserveBoard,2017,“FederalReservePaymentsStudy:2017AnnualSupplement,”WashingtonD.C.,December.https://www.federalreserve.gov/newsevents/pressreleases/files/2017-payment-systems-study-annual-supplement-20171221.pdfFederalReserveBoard,2018,“Dodd-FrankActStressTest2018:SupervisoryStressTestMethodologyandResults,”WashingtonD.C.https://www.federalreserve.gov/publications/files/2018-dfast-methodology-results-20180621.pdfFeeney,Christopher,2017,“TestimonyonBehalfoftheBusinessRoundtabletotheUnitedStatesSenateCommitteeonHomelandSecurity&GovernmentalAffairs,”WashingtonD.C.,June21.https://www.hsgac.senate.gov/imo/media/doc/Testimony-Feeney-2017-06-21.pdf

FinancialServicesInformationSharingandAnalysisCenter,2016,“FS-ISACAnnouncesTheFormationOfTheFinancialSystemicAnalysis&ResilienceCenter(FSARC),EstablishedbyFinancialInstitutions,FSARCDeepensAnalyticCapabilitiestoCombatCyberRiskandStrengthenResiliencyofU.S.FinancialSystem,”PressRelease,FS-IAC,October24.https://www.prnewswire.com/news-releases/fs-isac-announces-the-formation-of-the-financial-systemic-analysis--resilience-center-fsarc-300349678.htmlGorton,Gary,1985,“ClearinghousesandtheOriginofCentralBankingintheUnitedStates,”TheJournalofEconomicHistory,Volume45,pages277-283.Healey,Jason,PatriciaMosser,KatherynRosen,andAdrianaTache,2018,“TheFutureofFinancialStabilityandCyberRisk,”BrookingsInstitutionReport,October10,2018.https://www.brookings.edu/wp-content/uploads/2018/10/Healey-et-al_Financial-Stability-and-Cyber-Risk.pdfHowell,JenPatja,2018,“CybersecurityandFinancialStability,”TheLawfarePodcast,November3,2018.https://www.lawfareblog.com/lawfare-podcast-cybersecurity-and-financial-stabilityIhrig,Jane,EdwardKim,AshishKumbhat,CindyVojtech,andGretchenC.Weinbach,2017,“HowHaveBanksBeenManagingtheCompositionofHighQualityLiquidAssets?”FederalReserveBoard,FinanceandEconomicsDiscussionPaper2017-092.https://www.federalreserve.gov/econres/feds/files/2017092pap.pdfKacperczyk,MarcinandPhilippSchnabl,2010,“WhenSafeProvedRisky,”JournalofEconomicPerspectives,Volume24,Number1,pages29–50.https://pubs.aeaweb.org/doi/pdfplus/10.1257/jep.24.1.29Kacperczyk,Marcin,andPhilippSchnabl,2013,“HowSafeAreMoneyMarketFunds?”TheQuarterlyJournalofEconomics,Volume128,pages1073-1122.Kashyap,Anil,andAnneWetherilt,2018,“SomePrinciplesforRegulatingCyberRisk,”BankofEngland,PrudentialRegulatoryAuthority,December.http://faculty.chicagobooth.edu/anil.kashyap/research/papers/Some_Principles_for_Regulating_Cyber_Risk.pdfKopp,Emanuel,LincolnKaffenberger,andChristopherWilson,2017,“CyberRisk,MarketFailures,andFinancialStability,”InternationalMonetaryFundWorkingpaper17/185,August.https://www.imf.org/en/Publications/WP/Issues/2017/08/07/Cyber-Risk-Market-Failures-and-Financial-Stability-45104Lacker,Jeffrey,2003,“PaymentSystemDisruptionsandtheFederalReserveFollowingSeptember11,2001,”Workingpaper03-16,FederalReserveBankofRichmond,December.https://www.richmondfed.org/~/media/richmondfedorg/publications/research/working_papers/2003/pdf/wp03-16.pdfMcAndrews,JamesJ.,andSimonPotter,2002,“LiquidityEffectsoftheEventsofSeptember11,2001,”FRBNYEconomicPolicyReview,Volume8(1),pages59-79.

McAndrews,JamesJ.,andAlexanderKroeger,2016,“ThePaymentSystemBenefitsofHighReserveBalances,”FederalReserveBankofNewYorkStaffReports,No.779,June.https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr779.pdf?la=enMartin,Christopher,ManjuPuri,andAlexanderUfier,2018,“DepositInflowsandOutflowsinFailingBanks,”FDICCenterforFinancialResearchWorkingPaperNo.2018-02,May.https://www.fdic.gov/bank/analytical/cfr/2018/wp2018/cfr-wp2018-02.pdfOfficeofFinancialResearch,2017,“CybersecurityandFinancialStability:RisksandResilience,”Viewointpaper,OfficeofFinancialResearch,WashingtonD.C.,February.https://www.financialresearch.gov/viewpoint-papers/files/OFRvp_17-01_Cybersecurity.pdfRosengren,Eric,2015,“CyberSecurityandFinancialStability,”RemarksatForumon“StrengtheningFinancialSectorSupervisionandCurrentRegulatoryPriorities,”organizedbytheBaselCommitteeonBankingSupervisionandtheFinancialStabilityInstitute.January.Schmidt,Lawrence,AllanTimmermann,andRussWermers,2016,“RunsonMoneyMarketMutualFunds,AmericanEconomicReview,Volume106,pages2625-2657.https://www.aeaweb.org/articles?id=10.1257/aer.20140678U.S.DepartmentofJustice,2016,“SevenIraniansWorkingforIslamicRevolutionaryGuardCorps-AffiliatedEntitiesChargedforConductingCoordinatedCampaignofCyberAttacksAgainstU.S.FinancialSector,”Pressrelease,March24.https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-chargedWaterman,Shaun,2016,“BankRegulatorsBriefedonTreasury-LedCyberDrill,”Fedscoop,July20,2016.https://www.fedscoop.com/us-treasury-cybersecurity-drill-july-2016/Wilkinson,Angela&RolandKupers,2013,“LivingintheFutures,”HarvardBusinessReview,May.

AppendixA:IllustrativerunoffassumptionsAspartofthisexercisewehaveassembledseveralrunoffscenariosunderdifferentassumptions.Tosummarize.

1. LCRrunoff:Weassume30-daycumulativeoutflowsconsistentwithweightednetLCRassumptionsforagivenbank,includingindustryaggregatesoraverages,basedon3Q2018disclosure(24%foranaveragemoneycenterbank).Fortiming,weassumea10%initialrunoffrateconvergingtoaconstantdailyrateoveratwoweekperiod.

2. Adversecyberrun:Weassumearunoffrateof20%onthefirstdayoftheincident,remainingat10%forthenextweek,beforeslowingtoaconstantrateconsistentwith50%cumulativerunoffover30businessdays.

3. Severecyberrun:Weassumeaninitialdailyrunoffrateof30%daily,slowingto20%onday2and10%onday3,remainingthereuntilday10beforeslowingtoaconstantdailyrateconsistentwith75%cumulativerunoffover30businessdays.

WemakesomeassumptionsregardingtheabilityofthatbanktoraisecashfromsalesofHQLA,informedbyPrimaryDealerStatisticsprovidedbytheNewYorkFedaswellasTRACEdatasummarizedbySIFMA.

1. FederalReserves(level1)areavailableforintradayliquidity. 2. Treasuries(level1)canbesoldatarateof$100bnperday,withT+1

settlement. 3. GinnieMaeMBS(level1)canbesoldatarateof$3bnperdaywithT+1

settlement. 4. ConventionalMBS(level2A)canbesoldasarateof$6bnperdaywithT+1

settlement. ItisimportanttonotethatthisignorestheabilityofbankstoraiseintradaycashviaTreasuryandMBSrepo,whichinprincipleprovidesanimportantandsubstantialsourceofshort-termliquidity.Asstatedinthemaintextofourpaper,wealsoignorepriceimpacts.AppendixB:Whatisthecurrentstateofpreparednesspolicy?Resilienceagainstcyberattackhasbecomeakeyelementofnotjusteconomicbutalsonationalsecuritypolicy.PolicyresponsesintheUnitedStatesrevolvearoundtheidentificationandprotectionofcriticalinfrastructure,definedbyExecutiveOrderas“systemsandassets,whetherphysicalorvirtual,sovitaltotheUnitedStatesthattheincapacityordestructionofsuchsystemsandassetswouldhaveadebilitatingimpactonsecurity,nationaleconomicsecurity,nationalpublichealthorsafety,oranycombinationofthosematters.”Forfinancialservicesinparticular,the

Sector-SpecificPlan(SSP)putforth37bytheU.S.DepartmentsoftheTreasuryandHomelandSecurityspecificallyenumeratesfourcriticalservicesprovidedbyfinancialinstitutions:“(1)deposit,consumercredit,andpaymentsystemsproducts;(2)creditandliquidityproducts;(3)investmentproducts;and(4)risktransferproducts.”SincetheinitialSSPwaspublishedin2015therehasbeensignificantprogresstowardsestablishingpreparednessguidelinesandmetrics,aswellascoordinationandinformationsharingacrosseachoftheseareas.TheDodd-FrankActof2010ledtothecreationoftheFinancialStabilityOversightCouncil(FSOC),chargedwithmonitoringand—tosomeextent—takingactionstomitigateemergentriskstofinancialstability,includingcyberattacks.38Inthespecificareaofcybersecurity,theFinancialandBankingInformationInfrastructureCommittee(FBIIC39)ischargedwithidentifyingcriticalinfrastructureassetsandtheirvulnerabilities,aswellasfacilitatingsecurecommunicationamongregulatorsandotherpublicsectorstakeholdersintheeventofanemergency.Theprudentialregulatorshavealsomadeanadvancednoticeofproposedrulemakingregardingenhancedcybersecuritystandards(FederalRegister2016).Internationalorganizationshavealsotakenimportantsteps,includingguidancefromtheBankforInternationalSettlements(BIS),astandardizedlexiconforstudyanddiscussionofcyberthreatsfromtheFinancialStabilityBoard(FSB),andproposedglobalnormssafeguardingtheintegrityoffinancialdata.40Ontheprivateside,theFinancialSystemicAnalysisandResilienceCenter(FSARC),stoodupbytheFinancialServices-InformationSharingandAnalysisCenter(FS-IAC41),inorderto“proactivelyidentify,analyze,assessandcoordinateactivitiestomitigatesystemicrisktotheU.S.financialsystemfromcurrentandemergingcybersecuritythreats.”Inconjuctionwithofficial-sectoractors,thetechnologypolicydivisionFinancialServicesRoundtablefacilitatedaseriesofsimulations(the“HamiltonSeries”)thatweredesignedtoimprovethecapacitytoidentify,resolve,andrecoverfromcyberincidents(Feeney,2017).

37 FinancialServicesSectorSpecificPlan,Depts.oftheTreasuryandHomelandSecurity,2015.38See2018FSOCAnnualReport.39Athttps://www.fbiic.gov/40SeeTowardaGlobalNormAgainstManipulatingtheIntegrityofFinancialData,CarnegieEndowmentforInternationalPeace,March2017.41SeeFSARCFormationAnnouncement,10/24/16.