Project on Cyber Risk to Financial Stability
Fostering dialogue between academia, industry, and government to strengthen resilience to cyber risks within the financial sector.
Project on Cyber Risk to Financial Stability (CRFS)
The Project on Cyber Risk to Financial Stability, led jointly by the SIPA Cyber Program and the Initiative on Central Banking and Financial Policy, has worked to foster dialogue between experts in academia, industry, and government at the intersection of cybersecurity and financial stability to strengthen resilience in the financial industry. It is led by Jason Healey, director of SIPA Cyber and a senior research scholar at SIPA; and Patricia Mosser, director of the Initiative on Central Banking and Financial Policy and a senior research scholar and senior fellow at SIPA.
Since 2016, the project has hosted a series of engagements bringing together experts from financial institutions, the public sector including regulators and other policymakers, academics and practitioners with backgrounds in finance and cybersecurity. It has also published a number of publications and hosted two iterations of the annual Cyber Risk to Financial Stability: State of the Field Conference.
The Cyber Risks to Financial Stability Project team includes: Jason Healey, Director of the Cyber Program and Senior Research Scholar at SIPA; and Patricia Mosser, Director, MPA Program in Economic Policy Management; Director of the Initiative on Central Banking and Financial Policy and Senior Research Scholar and Senior Fellow at SIPA. It is supported by student researchers from Columbia SIPA.
Conferences
For information on previous CRFS conferences, as well as recordings of the event, visit our conference page.
Virtual Workshop Series
The Virtual Workshop Series on Cyber Risk to Financial Stability is co-sponsored by Columbia University SIPA and the Federal Reserve Bank of New York. This informal workshop series is invite-only and looks to engage and grow a core group of researchers and experts around this topic.
If you have a paper or are conducting ongoing research which our growing community of scholars and practitioners would be interested in, please let us know by emailing [email protected].
-
The virtual workshop on Cyber Risks to Financial Stability focused on seasoned reinsurance broker Tom Johansmeyer's research on catastrophic economic losses, comparing their impacts with those of large-scale natural disasters. In this session, Johansmeyer, who specializes in global index risk transfer, presented his research, Rewriting History: Understanding Historical Catastrophic Cyber Economic Losses.
Abstract: Cyber security strategy suffers from a gaping hole in the historical literature: Estimated economic impact. The ongoing debate over the potential severity of different forms of cyber attack, including cyber war, rages on without any quantitative reference points. While a lack of historical data is usually offered and accepted as a reason for this, the path of least resistance overlooks a rich history of twenty-four major events over the past twenty-five years. This article offers the first such analysis of the estimated economic losses from historical catastrophic cyber attacks. The reliance on publicly available estimates results in a complicated and nuanced process for developing the dataset, but accepting the significant limitations in the data and thus the study on which it is based yields a starting point not just for improved cyber security scholarship but also deeper analysis and ongoing refinement of the underlying data. Without data, study of the nexus of cyber security and economic security is an exercise in guesswork. Guesswork is not necessary, and this article provides the foundation for a new line of scholarship, not to mention improvements in areas of ongoing study.
-
The virtual workshop on Cyber Risks to Financial Stability focused on financial economists Steven Baker and Dimuthu Ratnadiwakara's research, Cyber Risk in Banking: Measuring and Predicting Vulnerability. The authors' research explores the use of cybersecurity ratings, cyber incident data, and regulatory financial data to predict which U.S. banks will experience a cyber incident.
Abstract: We construct a bank–quarter panel linking external cybersecurity ratings, realized cyber incidents, and regulatory financial data for U.S. banks (2015–2024). Using quarterly rolling-window random forest models with dynamic feature selection, we predict whether a bank will experience a cyber incident within the next year. Both bank characteristics and cybersecurity posture provide independent and complementary predictive content, with the combined model achieving the highest out-of-sample accuracy. Predictive performance remains robust across bank sizes and forecast horizons and is not driven by simple persistence in incident history. Interpretation of the fitted models highlights the consistent importance of size, balance sheet composition, and specific security controls, along with interactions between these controls, in predicting cyber incidents.
-
The virtual workshop on Cyber Risks to Financial Stability discussed Bitsight's report titled Under the Surface: Uncovering Cyber Risk in the Global Supply Chain, authored by Ben Edwards. The report explores the interdependence of modern businesses and the significant impact cyber risks can have on the supply chain. To prepare for this CRFS, Bitsight has extended the already excellent research in the report to dive even more deeply into the finance sector.
Your supply chain isn't just a series of links – it's a vast, tangled web of dependencies, many of which have weak security. This report uncovers the critical but often-overlooked providers that could be the next cybersecurity weak spot, along with data-driven insights to help you mitigate risks before they disrupt your business.
-
The virtual workshop on Cyber Risks to Financial Stability discussed the paper Voluntary Investments, Mandatory Minimums, or Cyber Insurance: What Minimizes Losses? by Adam Hastings and Simha Sethumadhavan.
Abstract: In recent years there has been significant interest from policymakers in addressing ransomware through policy and regulations, yet this process remains far more of an art than a science. This paper introduces a novel method for quantitatively evaluating policy proposals: we create a simulated game theoretic agent-based economic model of security and use it as a testbed for several policy interventions, including a hands-off approach, mandatory minimum investments, and mandatory cyber insurance. Notably, we find that the bottleneck for better security outcomes lies not in better defender decision-making but in improved coordination between defenders: using our model, we find that a policy requiring defenders to invest at least 2% of resources into security each round produces better overall outcomes than leaving security investment decisions to defenders even when the defenders are "perfect play" utility maximizers. This provides evidence that security is a weakest-link game and makes the case for mandatory security minimums. Using our model, we also find that cyber insurance does little to improve overall outcomes. To make our tool accessible to others, we have made the code open source and released it as an online web application.
-
The virtual workshop on Cyber Risks to Financial Stability discussed the paper Do Software Companies Spread Cyber Risk by Giorgio Ottonello and Antonino Emanuele Rizzo from the Nova School of Business and Economics.
Abstract: We show that software companies are a key source of cybersecurity risk due to software vulnerabilities that spread to customer firms throughout the digital supply chain. We introduce a novel database that connects vulnerability discoveries and related cyberattacks to software companies and their customers. Customers' exposure to vulnerabilities i) increases the likelihood of cyberattacks and firm-level risk metrics and ii) negatively impacts customers' investment rates as well as sales growth. Market participants are slow to react to vulnerability announcements, likely overlooking the supply chain connections between software companies and their customers. The documented effects are magnified when the vulnerability originates from a software company with a larger market share. Our paper sheds light on the origins and transmission of cybersecurity risk and has significant policy implications for regulators seeking to effectively mitigate these risks.
-
The virtual workshop on Cyber Risks to Financial Stability discussed the paper Understanding Cyber Market Failures by Jason Healey, Carina Kaplan, and Christine McNeill.
The White House's National Cybersecurity Strategy mentions no fewer than five times that there are market failures for which the government must regulate. We don't disagree, but most of what is written on cyber market failures is mostly anecdotes and examples. This paper dives into far more detail, examining subcategories of failures across information asymmetries, negative externalities, market power, and public goods.
-
The tenth virtual workshop on Cyber Risks to Financial Stability discussed the paper The Supply of Cyber Risk Insurance by Martin Eling, Anastasia V. Kartasheva, and Dingchen Ning.
Abstract: Cyber risk insurance has been introduced for more than two decades in the United States, yet the insurance market for cyber risk is tiny amounting to 1% ($6.5 billion) of premiums in the U.S. property-casualty insurance market in 2021. In this paper, we analyze what constrains the insurance industry from providing larger capacity. We argue that cyber risk is special in that it is both information-intensive to underwrite and heavy-tailed. It leads to the tension between the need to raise large amounts of external capital to finance heavy-tailed risks and the high compensation demanded by capital providers due to information frictions. Hence, the suppliers are large insurance groups with a deep internal capital market, and their capacity is constrained. We start by providing empirical evidence that the cyber risk insurance market is dominated by large insurance groups and that, compared to other types of insurance, cyber insurance relies heavily on the groups' internal capital market. Then, using an exogenous shock on the tax treatment of the non-U.S. affiliated reinsurance in 2017, we establish the causal inference that insurers primarily rely on the internal capital market to supply cyber risk insurance.
Discussion Summary: Cyber risk is becoming a major concern with considerable uncertainty. There is not much discussion around transferring the risk through traditional financial institutions such as insurance. The cyber insurance market is growing; however, its premium is a very small share of the insurance market. This raises the question: what are the supply-side factors that curtail the development of the cyber insurance market? The research finds that the supply of cyber insurance depends on the internal capital market. The insurance groups with large capital markets dominate the market, as there is a significant correlation between cyber insurance supply and the reliance on affiliated reinsurance. Moreover, heavy tails, information asymmetry, and risk certainty are characteristics of cyber risk that limit insurers from raising external capital to support the supply of cyber insurance. The impact of cyber lines on the profitability of other lines and entry and exit decisions in the cyber insurance market remain as next steps.
The participants engaged in lively discussions around characteristics of other insurance vs cyber insurance, incentives for attackers, calculation methods for losses and size effects of cyber insurance.
-
The ninth virtual workshop on Cyber Risks to Financial Stability discussed the working paper City Hall Has Been Hacked! The Financial Costs of Lax Cybersecurity by Filippo Curti, Ivan Ivanov, Marco Macchiavelli, and Tom Zimmermann.
Abstract: State and local governments are attractive cybercrime targets because of inadequate cybersecurity and ample access to sensitive information. We show that external data breaches translate to higher financing costs for governments including negative abnormal bond returns in the secondary market and higher offering yields and bond pricing uncertainty in the primary market. We also find that governments increase total spending around cyberattacks, suggesting higher operating costs as the likely channel behind the spike in financing costs. Exploiting state-level variation in the timing of breach notification laws, we show that they have not significantly strengthened cybersecurity.
Discussion Summary: This paper contributes to the ongoing struggle of how cybersecurity plays into understanding of financial stability, propagation of shocks, and pricing of risks.
Cybercrime costs businesses and the government billions of dollars each year. Cyber criminals monetize cyber vulnerabilities through different vectors; however, this paper focuses specifically on data breaches, with some mention of ransomware. Municipalities are good targets for cybercrime since they hold large amounts of PII and have inadequate cybersecurity.
A data breach affects a municipality in two ways. 1) Financing costs increase: there are negative abnormal bond returns in the secondary market and higher offering yields at issuance in the primary market. 2) Expenditures increase after the breach, for example through significant remediation and litigation costs. This can mean that there is room for regulation. However, from 2002, starting with California, until 2021, states have implemented data breach notification laws, some of which impose penalties for violations. These regulations are found to be ineffective at strengthening cybersecurity posture: there is no effect on the incidence of future data breaches, though there is a slight increase in expenditure following the implementation of the regulation.
Some of the items discussed for future research include measure of vulnerability by states, geographical spillover effect of data breach incidents, standards on what decent cyber defenses are, impact on different bonds based on different cybersecurity incidents (data breach vs ransomware), relation between those increasing expenditure and ones with large financing cost, consideration of revenue and population for targeted municipalities and others.
-
The eighth virtual workshop on Cyber Risks to Financial Stability discussed the working paper Cyber Security and Ransomware in Financial Markets by Toni Ahnert, Michael Brolley, David Cimon and Ryan Riordan.
Abstract: Financial markets face the constant threat of cyber attacks. We develop a principal-agent model of cyber-attacking with fee-paying clients who delegate security decisions to financial platforms. We derive testable implications about clients' vulnerability to cyber attacks and about the fees charged. We characterize which cyber attacks actors choose. We find that ransomware attacks are more successful than traditional attacks and that platforms underinvest in security when security is unobservable. Regulating security investment (e.g., minimum security standards) or improving transparency (e.g., security ratings) can improve welfare. Our results support regulatory efforts to increase transparency around cyber security and cyber attacks.
-
The seventh virtual workshop on Cyber Risks to Financial Stability discussed the book Cyber and the City: Securing London's Banks in the Computer Age by Dr. Ashley Sweetman.
Abstract: This book presents the first history of computer security in finance, from the perspective of the banks. It offers a mixture of broad overview chapters that set the scene, alongside more detailed case-study chapters. The chapters provide insights from unseen/unused archival material from various banks, and the London Metropolitan Archives.
-
The sixth virtual workshop on Cyber Risks to Financial Stability discussed the paper When It Rains, It Pours: Cyber Risk and Financial Conditions by Thomas M. Eisenbach, Anna Kovner, and Michael Junho Lee.
Abstract: We analyze how systemic cyber risk in the wholesale payments network relates to adverse financial conditions. We show that at the onset of the COVID-19 pandemic, payment activity increased, became more concentrated, and showed intraday liquidity stress. Cyber vulnerability was elevated in late February and early March 2020, with the potential impact of a cyberattack about 40 percent greater than in the remainder of 2020. Policy interventions to stabilize markets mitigated cyber vulnerability, particularly corresponding to large increases in aggregate reserves. We observe that cyber vulnerability and other financial shocks cannot be treated as uncorrelated risks and policy solutions for cyber security need to be calibrated for adverse financial conditions.
-
The fifth virtual workshop on Cyber Risks to Financial Stability discussed the paper Cyberattacks and Financial Stability: Evidence from a Natural Experiment by Antonis Kotidis and Stacey L. Schreft.
Abstract: This paper studies the effects of a unique multi-day cyberattack on a technology service provider (TSP). Using several confidential daily datasets, we identify and quantify first- and second-round effects of the event. For banks using relevant services of the TSP, the attack impaired their ability to send payments over Fedwire, even though the Federal Reserve extended the time they had to submit payments. This impairment (first-round effect) caused other banks to receive fewer payments (second-round effect), leaving them at risk of having too few reserves to send their own payments (a potential third-round effect). These innocent-bystander banks responded differently depending on their size and reserve holdings. Those with sufficient reserves drew down their reserves. Of the others, smaller banks borrowed from the discount window, while larger banks borrowed in the federal funds market. These significant adjustments to operations and funding prevented the second-round effect from spilling over into third-round effect and broader financial instability. These findings highlight the important role for bank contingency planning, liquidity buffers, and the Federal Reserve in supporting the financial system's recovery from a cyberattack.
-
The fourth virtual workshop on Cyber Risks to Financial Stability discussed the paper Financial Markets and Social Media: Lessons From Information Security by Claudia Biancotti and Paolo Ciocca.
Abstract: Discourse on social media increasingly affects personal financial decisions. This may improve market efficiency, yet it may also provide malicious actors with opportunities for disinformation and disruption. Financial authorities, governments, and other stakeholders must work together to counter this threat.
-
The third virtual workshop on Cyber Risks to Financial Stability discussed the working paper The Anatomy of Cyber Risk by Rustam Jamilov, Hélène Rey, Ahmed Tahoun.
Abstract: This paper uses computational linguistics to introduce a novel measure of firm-level cyber-risk exposure based on quarterly earnings conference calls of listed firms. Our data span 13,000 firms from 85 countries over 2002-2021. We show cyber-risk exposure predicts cyber-attacks, affects stock returns and profits, and is priced in the equity option market. Cyber-risks spill over across firms and pass through from firm to sectoral level. The geography of cyber-risk is well approximated by a gravity model in which financial proximity is key. Back-of-the-envelope calculations suggest that the global cost of cyber-risk is over $200 billion per year.
-
The second virtual workshop on Cyber Risks to Financial Stability focused on ongoing research on cyber sources for macroeconomic analysis by Jason Healey, Patricia Mosser, Rachel Adeney, and Danielle Murad Waiss.
-
The first virtual workshop on Cyber Risks to Financial Stability discussed the working paper Pirates without Borders: the Propagation of Cyberattacks through Firms' Supply Chains by Matteo Crosignani, Marco Macchiavelli and André F Silva.
Abstract: We document the propagation through supply chains of the most damaging cyberattack in history and the important role of banks in mitigating its impact. Customers of directly hit firms saw reductions in revenues, profitability, and trade credit relative to similar firms. The losses were larger for customers with fewer alternative suppliers and suppliers producing high-specificity inputs. Internal liquidity buffers and increased borrowing, mainly through bank credit lines, helped affected customers maintain investment and employment. However, the shock led to persisting adjustments to the supply chain network.
Publications
-
Published by Lawfare in January 2026. Focuses on how AI, automation, and continuous testing could replace checklist cyber compliance with faster, cheaper, and more resilient regulation.
-
Published by The Capco Institute Journal in May 2021. It builds on the 2018 "Future of Financial Stability and Cyber Risk" publication, by developing a unique framework to assist analysts trying to assess how specific cyber risks might affect financial stability.
-
Published by the Brookings Institution in October 2018. It provides a general review of cyber risk to financial stability, contains a primer on financial stability and cyber risks, and highlights how cyber risks are different from other systemic financial risks. It also summarizes previous reports and efforts of policymakers and industry addressing these issues.
-
Examines the growing momentum around the world to bring the cybersecurity and financial stability communities closer together to be better able to manage cyberattacks on banks and other institutions of the global financial system.
-
Susan Hennessey spoke to Katheryn Rosen, Jason Healey, and Patricia Mosser. They talked about how to understand financial stability, the unique risks that cyber threats pose to it, and what gaps remain in how to mitigate those risks.
Events and Workshops
-
June 13-14, 2019: Katheryn Rosen participated in the SEACEN Policy Summit on Central Bank Leadership in Combating Cyber Risk that brought together senior central bank and monetary authority officials, private sector representatives, chief information security officers (CISOs), and academics with regional and global thought-leaders to discuss pressing issues relating to cybersecurity, identify challenges and possible solutions, and foster networks that will help put central banks and monetary authorities in the vanguard against these looming threats.
-
October 10, 2018: the Atlantic Council's Cyber Statecraft Initiative convened key stakeholders from the financial, governmental and academic communities for the release of a joint report by the Brookings Institution and Columbia University's School of International and Public Affairs, The Future of Financial Stability and Cyber Risk. The panel was moderated by Katheryn Rosen, a Senior Fellow at the Atlantic Council's Cyber Statecraft Initiative and a Senior Research Scholar at Columbia University School of International and Public Affairs.
-
July 10, 2018: workshop further developed the conceptual framework established in the previous gathering and explored amplifiers and dampeners of risk by focusing on a single market - the US treasury securities market.
-
May 10, 2018: SIPA hosted the first of two workshops that began the process to devise and refine a cyber risk and financial stability framework, emphasizing three pillars: financial stability, cyber risk, and transmission channels between the two.
-
April 18, 2017: workshop intended to tie together the work on cybersecurity conducted by the financial sector with the long-existing work of academics and financial experts on financial stability and resilience. The output of this workshop would create the agenda for needed research and policy analysis in the field of financial stability implications of cyber risks.
State-of-the-Field Conference on Cyber Risk to Financial Stability
-
The Fourth State-of-the-Field Conference on Cyber Risk to Financial Stability was held on 14 April 2023 at Columbia University's School of International and Public Affairs. The 2023 conference explored the impact of deglobalization on cyber risks and financial stability.
Key Takeaways on Liberty Street Economics.
-
28-29 April 2022: The CRFS hosted its third annual State-of-the-Field Conference, in partnership with the Federal Reserve Bank of New York.
The conference will begin with a keynote by Eric Goldstein, Executive Assistant Director for Cybersecurity for the Cybersecurity and Infrastructure Security Agency. This will be followed by a panel discussion on "Geopolitical Cyber Risks to Financial Stability" which will consider the changing landscape ten years after Iran's "Operation Ababil". Day one will conclude with a fireside chat with Phil Venables, the Chief Information Security Officer for Google Cloud. Day two will focus on industry perspectives, commencing with a keynote by Tammy Hornsby-Fink, the Chief Information Security Officer for the Federal Reserve System.
-
14-15 December 2020: The CRFS hosted its second annual State-of-the-Field Conference in partnership with the Federal Reserve Bank of New York.
During the virtual event, academic and industry experts in the cybersecurity and financial sectors came together to discuss the current state of the field, and considered three guiding questions: "What We're Learning?", "What We're Doing?", and "What's Next?" in addressing the current and future cybersecurity challenges to the financial sector. The event was a timely discussion on the current state of the field and future steps to be taken, held just days after the disclosure of the SolarWinds cyberattack, in which a hacker group, believed to be affiliated with the Russian government, gained access to the computer systems of multiple U.S. government departments, including the Treasury and Commerce departments. Read more about the event on Liberty Street Economics.
-
12 April 2019: The CRFS hosted its inaugural State-of-the-Field Conference in partnership with the Federal Reserve Bank of New York.
The day's discussion focused on the need for a common lexicon to define and classify cyber threats and incidents. That way, the industry as a whole can assess their systemic impact and devise macroprudential risk mitigation solutions. They also highlighted the importance of collaboration and information sharing in this field. Remarks were delivered by Mr. Kevin Stiroh, Executive Vice President of the Financial Institution Supervision Group of the Federal Reserve Bank of New York.
In the News
-
Synopsys's Software Integrity Blog: Mentioned "The Future of Financial Stability and Cyber Risk" on April 25, 2019. Read here.
Forbes: Katheryn Rosen quoted on the Cyber Threat to US Finance on March 20, 2019. Read here.
International Cybersecurity Dialogue: "The Future of Financial Stability and Cyber Risk" paper featured in the dialogue and praised as "a major contribution to the academy" on November 25, 2018.