In recent months, the financial sector has been hit by a series of setbacks that are raising concerns about risk management in small to medium-sized banks.
The downfall of Credit Suisse and Silicon Valley Bank has those in the financial sector reflecting on the decisions and conditions that allowed this to happen. The events of Credit Suisse and SVB are just two examples of widespread mismanagement of enterprise risk management in many lenders reaching a crisis point. This is a clear wake-up call to top management who are now beginning to prioritize their risk management processes, but is cyber risk management also included in that equation?
Risky Business
The financial sector is highly interconnected. A failure in one bank or one part of the lending process nearly always affects another. For example, the risk of banks needing to sell securities to meet liquidity needs could cause a domino effect and therefore propagate shocks across the banking system, especially small and midsize banks across the globe could potentially be affected, the FDIC chart below highlights the potential risk of unrealized loss and maturity of the debt, that could force the banks to liquidate it’s assets immediately and cause a ripple effect in the financial markets, this also highlights the core of this crisis, Interest were too low for too long.
“The combination of a high level of long–term asset maturities and a moderate decline in total deposits underscores the risk that these unrealized losses could become actual losses should banks need to sell securities to meet liquidity needs."
-FDIC (Federal Deposit Insurance Corporation) Feb 2023
Issues with unrealized gains and losses explain why there are potentially more breakdowns to come and why risk management might become the new black or at least for a while.
The FDIC plays an important role not just for the U.S. financial sector, but also for the global financial sector, FDIC's importance in the global financial sector stems from its role in promoting financial stability and confidence, as well as its regulatory influence and expertise in crisis management.
Similar to how the malpractice of risk in investment securities of small to medium-sized banks can affect other banks, so too can negligence of other risks, including cyber risk.
Systemic Seduction
It is a well-known fact that the banking industry is heavily reliant on technology. But as the number of small and medium-sized banks grows, so does the potential for systemic risk in the event of a cyber attack.
First, let us define system risk. Systemic risk is the risk of an entire system failure due to the interconnectedness of its components. In the context of banking, systemic risk means that a problem in one bank can lead to problems in other banks, and even the entire financial system.
Small and medium-sized banks are particularly vulnerable to cyber-attacks because they may not have the same level of cybersecurity infrastructure as larger banks. They may also rely more heavily on third-party vendors for services like payment processing or loan origination, which can create additional entry points for cybercriminals.
Now, imagine a scenario where a cyber attack successfully breaches the security of a small or medium-sized bank. If the attack is not quickly detected and contained, it could spread to other banks through interbank connections, causing a ripple effect of financial instability.
The potential impact of such an attack could be catastrophic, Small and medium-sized banks play a crucial role in providing credit to small businesses and individuals. A widespread cyber attack on these banks could cause a credit crunch, making it difficult for businesses to access the funds they needed to operate for individuals to obtain loans for things like mortgages and car purchases.
How to improve your cyber risk management:
The good news is that there are steps small and medium-sized banks can take to mitigate the risk of a cyber attack. Here are a few:
Conduct regular cybersecurity assessments and implement robust cybersecurity protocols.
Invest in training for employees on how to identify and respond to potential cyber threats.
Develop a comprehensive incident response plan to quickly contain and mitigate the impact of a cyber-attack.
Conduct due diligence on third-party vendors to ensure they have robust cybersecurity protocols in place.
Work with industry organizations and regulatory bodies to share information and best practices for cybersecurity.
By taking these steps, small and medium-sized banks can reduce the likelihood of a cyber attack and minimize the potential impact on the financial system. So the next time you hear about a cyber attack on a small bank, remember that it's not just that bank's problem - it could be a problem for the entire financial system.