Cyber Risks and Large Banks: Supporting a Resilient Financial System

21 Oct 2019
Read Time 3 mins
Categories :
Cyber Resiliency


Technology is a part of our everyday lives in a way that it wasn’t just 20 years ago.  The advent of the internet, smart phones and the “internet of things” has ushered in an era in which technology is intertwined with our daily lives for the better.  This is especially true in banking.  Many consumers and businesses use technology to maintain near 24/7 access to their bank accounts so that they can monitor payments, make withdrawals and update their financial plans day or night.  At the same time, given the risks presented by modern technology it is also important that banks be resilient. In this post, we profile recent research suggesting that large banks are resilient to these cyber risks.

Large Bank Resiliency to Cyber Threats 

While large banks take a variety of measures to protect their customers from cyber risks it is also important to think through the potential consequences of a successful cyberattack.  Recent research from the Hutchins Center on Fiscal and Monetary Policy at the Brookings Institution sheds some light on how large banks might weather the fallout of such an event.  More specifically, Darrell Duffie of Stanford University and Joshua Younger of J.P. Morgan Chase & Co. model a cyberattack as prompting a run by large depositors (“wholesale depositors”) who seek to access their funds before the cyber event freezes access to their accounts.  Such a run could occur, for instance, if one institution is affected by a cyberattack and large depositors at other banks begin to immediately withdraw their funds in fear that the attack may spread. 

Modeling the cyberattack as a run implies that the key test of resiliency to a cyberattack is the bank’s liquidity position.  A bank with sufficient liquid resources that can be converted to cash can effectively deal with the demands of depositors while ensuring that the bank continues to function and provide credit to the economy.  Duffie and Younger consider twelve large banks with total assets greater than $250 billion, which includes Financial Services Forum members.  They analyze the stock of liquid asset holdings of these banks and ask whether the maintained amount of liquidity is sufficient to meet the depositor demands associated with a cyberattack.  They make their judgment under their assumptions on how quickly depositors flee in response to a cyberattack and how quickly near-cash alternatives (e.g. U.S. Treasurys) can be converted to cash.  Their main findings are summarized in the figure below.

Source: Cyber runs: How a cyber attack could affect U.S. financial institutions, Darrell Duffie and Josh Younger

The top two curves in the figure depict the total amount of liquidity needed each day to deal with deposit outflows over a 20-day period under “severe cyber” and “adverse cyber” events.  The curves increase over time since the model assumes that more and more depositors flee over time in response to a cyber event.  Duffie and Younger provide a detailed discussion of their assumptions in this regard.  The shaded area in the figure depicts the total amount of liquid resources available to fund depositor withdrawals.  The amount of liquid resources available to meet depositor demands also increases over time as somewhat less liquid resources, U.S. Treasury securities and government-guaranteed mortgage securities (MBS), can be transferred to cash over time.

The results in the figure above are encouraging and should be viewed as a conservative estimate of large banks’ resiliency to a cyberattack because the analysis assumes no ability to borrow cash from markets or existing central bank facilities.  As summarized by the authors, their “analysis, although quite basic, suggests that banks have sufficient liquidity – both stock and flow – to survive even a relatively extreme cyber run.


Technological progress in the past 20 years has been a boon to all walks of life, including banking.  At the same time, new technology carries risks that must be managed.  Large banks such as Financial Services Forum members take these risks seriously and take a number of steps to protect their customers from these cyber risks.  In addition, emerging research on this topic finds that the financial position of large banks is resilient to cyber events.  While cyber risks will continue, emerging research suggests that large banks are committed to being resilient. 

Forum Updates