3,914 research outputs found

    Payments Failure

    The processing of retail payments traditionally has been the domain of regulated banks, but technologically sophisticated players like Venmo, AliPay, Bitcoin, and Ripple, and potentially, Facebook’s Libra, are making incursions into the market. Even within regulated banks, payments processing is becoming increasingly reliant on new technologies—JPMorgan Chase’s “JPMCoin” is just one example. Limited attention, however, has been paid to the new kinds of operational risks associated with these methods of processing retail payments. This Article argues that technological failures at a payments provider—either a bank or non-bank—could be amplified in unexpected ways as such failures interact with technological failures at other payments providers. In a worst-case scenario, a cascading failure of payments technologies could cause significant parts of the retail payments system to shut down—an eventuality that would harm the broader economy if people were unable to transact for a prolonged period of time. This Article is the first to raise the possibility of a financial crisis precipitated primarily by operational failures. Such a crisis would look more like a rolling blackout than a bank run. Because of this possibility, this Article argues that it is insufficient to approach the risk of payments failure with a purely prudential strategy. This Article therefore makes the case for a complementary “macro-operational” approach to regulation, rooted in complexity theory, to deal with the possibility that the systemic interactions of operational risks could hobble our retail payments system—and the broader economy. Using this framework, this Article analyzes the potential threats posed by different technologies and business models to the orderly functioning of our retail payments system. Further, this Article suggests the beginnings of what proactive macro-operational regulation of the retail payments system might look like

    The effect of cyberattacks on European financial institutions: an event study approach

    Cyber risk has been a widely debated issue in recent years. The financial world could prove particularly vulnerable when it comes to cyberattacks, given the high level of interconnection between all of the sector’s players. This paper uses the event study methodology to assess the reaction of 15 European financial institutions’ share prices to direct cyberattacks. The same methodology is used for testing the reaction of a sample of 22 financial institutions, based in the Eurozone, to a series of systemic cyberattacks with potential worldwide repercussions. Our research represents an original contribution to the literature in two ways. Firstly, to the best of our knowledge, no authors have previously applied the event study methodology to a sample of shares pertaining exclusively to financial institutions. Even less so to financial institutions exclusively based in the Eurozone. Secondly, to the best of our knowledge, no existing research applied our subdivision between direct and systemic cybersecurity events in a single study. Overall, our study provides empirical evidence on the effect of 14 direct and 3 systemic cyberattacks. These attacks were announced by newspapers between October 2014 and August 2023. This represents an opportunity to update the results of the older event study cybersecurity literature, as well as an opportunity to test the results by more recent studies. The results can also be useful in the interpretation and anticipation of current and future European legislation on cybersecurity. In the case of direct cyberattacks, which explicitly target banks, insurance companies or electronic money institutions, we find that stock prices exhibit negative and significant cumulative abnormal returns. Furthermore, these negative effects become more relevant when considering larger event windows after the attack date. We also divide, in accordance with other studies, direct events between ones that compromise the confidentiality of information and ones that do not. We interestingly find that attacks that do not reveal confidential information have a significant negative effect on their targets. Conversely, cyberattacks that do reveal confidential information held by financial institutions do not have a significant effect on stock prices. Regarding the three systemic events, we find contrasting but interesting results. The breach of a major US bank has an overall negative and significant effect on European companies, in particular the ones based in Italy and Spain. On the other hand, when SolarWinds was discovered to be the vector of a cyberattack on the US Government, no such negative effect was observed. Lastly in the case of the WannaCry ransomware epidemic, we find empirical evidence of negative abnormal returns only for companies based in Germany and Spain.

    Too-Big-To-Fail 2.0? Digital Service Providers

    The Article explains why addressing Too-Big-To-Fail 2.0 has not yet become a political and societal priority. First, digital service providers are technology companies, which, many believe, are shaped by market forces such that they fail and succeed in equal measure without producing negative ripple effects on the economy or society. Second, technology giants are not as carefully regulated as banks because unlike banks, they do not take insured deposits backed by the government. Third, even heavily regulated financial institutions have not been required until recently to focus on cybersecurity. Finally, some believe that there is no point in worrying about Too-Big-To-Fail 2.0 as it is difficult to prepare for theoretical unknowns. Despite these arguments, however, the Article contends that given the factors outlined in the Critical Service Provider list of criteria, such as size, business involvement in multiple industry sectors, and impact on technology, the economy, and cyber-social systems, Too-Big-To-Fail 2.0 is a valid concern. Recognizing this problem, the Article then calls for the design of a new systematic approach, resembling to a limited extent that of the Dodd-Frank Act, to understand which entities qualify as Critical Service Providers and why they should have enhanced risk management procedures. The Article proposes certain criteria to ground such an approach. Finally, the Article suggests that the companies designated as Critical Service Providers should be subject to some type of supervisory scrutiny, which would be the product of a collaborative private-public initiative and result in better risk management and internalizing

    Global Risks 2015, 10th Edition.

    The 2015 edition of the Global Risks report completes a decade of highlighting the most significant long-term risks worldwide, drawing on the perspectives of experts and global decision-makers. Over that time, analysis has moved from risk identification to thinking through risk interconnections and the potentially cascading effects that result. Taking this effort one step further, this year's report underscores potential causes as well as solutions to global risks. Not only do we set out a view on 28 global risks in the report's traditional categories (economic, environmental, societal, geopolitical and technological) but also we consider the drivers of those risks in the form of 13 trends. In addition, we have selected initiatives for addressing significant challenges, which we hope will inspire collaboration among business, government and civil society communities

    Cybersecurity, Cyber insurance, and Small-to-Medium-sized Enterprises: A Systematic Review

    Purpose: This study offers insights into the state-of-research covering cybersecurity, cyber insurance, and Small-to-Medium-sized Enterprises (SMEs). It examines benefits of insurance to an SME’s security posture, challenges faced and potential solutions, and outstanding research questions. Design/methodology/approach: Research objectives were formulated, and the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocol (PRISMA) was used to perform a Systematic Literature Review (SLR). Nineteen (19) papers were identified from an initial set of 451. Findings: Our research underscores the role of cybersecurity in the value proposition of cyber insurance for SMEs. The findings highlight the benefits that cyber insurance offers SMEs including protection against cyber threats, financial assistance, and access to cybersecurity expertise. However, challenges hinder SME’s engagement with insurance, including difficulties in understanding cyber risk, lack of cybersecurity knowledge, and complex insurance policies. Researchers recommend solutions, such as risk assessment frameworks and government intervention, to increase cyber insurance uptake/value to SMEs. Research limitations/implications: There is a need for further research in the risk assessment and cybersecurity practices of SMEs, the influence of government intervention, and the effectiveness of insurers in compensating for losses. Our findings also encourage innovation to address the unique needs of SMEs. These insights can guide future research and contribute to enhancing cyber insurance adoption. Originality/value: This is the first SLR to comprehensively examine the intersection of cybersecurity and cyber insurance specifically in the context of SMEs

    Critical Infrastructures


    Understanding Malicious Attacks Against Infrastructures - Overview on the Assessment and Management of Threats and Attacks to Industrial Control Systems

    This report describes approaches to the assessment and management of malicious threats and attacks relating to critical infrastructures in general, and electric power infrastructures in particular. Securing infrastructures implies taking into account both the natural and man-made (intentional) events. While protecting against the natural disruptive events is a feasible (yet not trivial) task, benefiting by well-established practices, dealing with intentional attacks comes up across many difficulties, especially due to the unpredictability of such events. The report outlines the state-of-the-art in dealing with threats and malicious attacks, considering both physical and cyber actions. Several approaches taken at national and international levels towards securing the critical infrastructures are also provided. JRC.G.6-Sensors, radar technologies and cybersecurity

    Best Practices for Critical Information Infrastructure Protection (CIIP): Experiences from Latin America and the Caribbean and Selected Countries

    Over the past few decades, Latin America and the Caribbean (LAC) has witnessed numerous changes in its development, with most being beneficial. Positive changes relate to sizable growth and expansion of the region’s network infrastructure sectors, such as transport, energy, and information and communications technologies (ICT), among others. In many cases, ICT interconnects these critical infrastructures, creating substructures referred to as critical information infrastructures (CIIs). This publication is written to provide insights to the strategic thinking behind the creation of the national critical information infrastructure protection (CIIP) frameworks. It also builds its recommendations on in-depth analysis of the best CIIP practices around the world, with consideration of the region-specific landscape to originate a base line from which further development can be delineated