Trader Talk

A cyberattack could trigger the next financial crisis, new report says

Key Points
  • There is agreement that the next financial crisis will not look like the one that hit 10 years ago this week.
  • Interconnectivity and the concentration of key businesses at a handful of firms raise the risk a cyberattack on one of them could send shockwaves through the rest of the financial system.
Caution tape outside the New York Stock Exchange in New York.
Adam Jeffery | CNBC

A cyberattack could trigger the next financial crisis, a new report suggests.

Imagine this hypothetical scenario: A criminal gang or a state actor hacks into a central bank, a custodial bank or a clearing firm that settles daily stock, bond and derivative trades. There are not many of these firms, so they are "systemically important." Say this hack disrupts the operations of one or more of these firms to the point that their services shut down and key data is damaged or destroyed. It's difficult to replicate all the services these firms provide, so the effects ripple across other financial services firms.

When it comes to a financial crisis, everyone seems to agree that the next one will not come in the same form as the one that hit 10 years ago this week, which was tied to a housing bubble and shoddy mortgage lending practices.

"We tend to fight the last war," former Treasury Secretary Hank Paulson said in an interview Wednesday with CNBC's Andrew Ross Sorkin at the Brookings Institution.

But determining what the next crisis will look like is a lot like talking to a bunch of blind people who are petting an elephant. Their impression of the elephant depends on what part of the elephant they are touching.

Talk to credit guys, and they will scream that excessive debt could bring on the next crisis. We transferred massive debt from consumers to corporations and governments, they say. Corporate debt is at a record high. Government debt is at a record high. Household debt is rising.

Talk to the regulatory guys, and they say the old battles are still being fought. They say we still haven't resolved what to do about large banks that might fail. They say all the financial institutions are bigger — much bigger — than they were 10 years ago, as are internet lenders and mortgage lenders.

The officials who led the rescue of the U.S. economy a decade ago — former Federal Reserve Chairman Ben Bernanke and former Treasury Secretaries Timothy Geithner and Paulson — have been making the rounds recently, even writing a joint editorial for The New York Times.

They warn about efforts underway to dismantle parts of the financial system regulatory reform known as the Dodd-Frank Act. They say emergency powers they had in 2008 are weaker today, like the power to make emergency loans to support troubled banks. They, too, warn that debt levels are higher, and the Fed has less room to lower interest rates in the event more stimulus is needed.

Talk to market guys, and they will scream about fragmented markets and thin liquidity. J.P. Morgan recently wrote a long piece arguing that that collapse of liquidity in the mortgage markets was a primary cause of the financial crisis, and that central banks stepped in and provided massive amounts of liquidity, purchasing $10 trillion in financial assets.

The reversal of that action will begin in 2019: "Such outflows (or lack of new inflows) could lead to asset declines and liquidity disruptions, and potentially cause a financial crisis," the bank wrote.

Predictably, they also say the rise of passive investing and ETFs could be a problem: "The shift from active to passive asset management, and specifically the decline of active value investors, reduces the ability of the market to prevent and recover from large drawdowns."

Talk to the economic guys, and they will talk abut trade tensions, rising nationalism and the threats to long-standing international partnerships and alliances like NATO or the European Union.

So who's right? They may all be, but the cyberattack angle is getting a lot of attention as a potential source of serious disruption.

On Wednesday, the Depository Trust & Clearing Corp., which provides clearing and settlement for the financial markets in the U.S., released a report, entitled "The Next Crisis will be Different: Opportunities to Continue Enhancing Financial Stability 10 Years After Lehman's Insolvency." It discusses several macroeconomic and market-related risks to the financial system but specifically said that cybersecurity threats "have grown to a point where they may have become the most important near-term threat to financial stability."

Cyberthreats have consistently been ranked as the number one concern by respondents to Depository Trust's Systemic Risk Barometer since the survey began in 2013: "The motivation of cyber-attackers is shifting from purely achieving financial gains to disrupting critical infrastructures, such as through nation-state attacks, which threatens the basis for confidence in the financial system and even national or international stability."

They aren't the only ones worried. After the financial crisis, the Dodd-Frank Act established the Financial Stability Oversight Council to identify and monitor excessive risks to the U.S. financial system. The chairman is the secretary of the Treasury.

The Office of Financial Research provide financial data and research to the council and each year publishes a Financial Stability Report on risks to the financial system.

The most recent report, published in December, came to the same conclusion as the Depository Trust: "A large-scale cyberattack or other cybersecurity incident could disrupt the operations of one or more financial companies and markets and spread through financial networks and operational connections to the entire system, threatening financial stability and the broader economy."

The good news is no incident, not even last year's much-publicized hack of credit reporting giant Equifax, has yet had systemic effects. Nothing has yet shut down the financial system.

The bad news is we have already had incidents that have disrupted corporate activities. The oversight council report notes that an outage at Amazon's cloud computing service disrupted thousands of websites for four hours. The outage was caused by an operational error during system maintenance, not an attack, and it did not involve a financial institution.

Still, oversight council said, it showed the potential risks of relying on a single key provider.