As clients know all too well, many of you are waging cyber war against sophisticated attacks likely launched by Iran to retaliate against U.S. sanctions. This is operational risk in stark form, and it’s also a reminder that banks pose systemic risk not only by virtue of their own misdeeds – the premise of all the re-regulation now well under way – but also by falling prey to events wholly outside their control. On Tuesday, we’ll be releasing a study that surveys the landscape of major prudential rules to identify possible unintended consequences. One big one demonstrated by the cyber attack is that the blizzard of new rules dangerously distracts us from the tornado of new risk.
A major problem highlighted by the crisis is the lack of robust capital sufficient to ensure resilience under solvency stress. Now, regulators often call capital the “cornerstone” of new rules and, of course, a revised regime is under construction around the globe. Those of you still reviewing the comment letters due Monday in the U.S. need no reminder of how far-reaching the capital rewrite will prove, but the U.S. Basel III standards form only one part of the capital barricades being built for the biggest banks.
Another trench is the FRB’s latest round of stress tests (see the in-depth report on the new rules sent earlier this week to clients). Based on the new capital standards, the FRB’s stress tests kick big banks across three scenarios to be sure each bank is still standing at the end of each of them. Like the capital rules, this is a necessary contribution to a re-engineered, robust banking system. But, like them, it’s insufficient.
Which brings me back to cyberspace. All of the work going into all of these capital rules and capital-based stress tests – work consuming both banks and regulators – reduces the risk-management resources needed to ensure resilience to all the other risks that can also crater a company. So far, the cyber attacks have been inconvenient to customers and embarrassing to banks – it’s in fact astonishing the degree to which some in the press are using them not to focus on risk, but rather yet again to lambast banks for not caring enough about their customers. But, these attacks are very serious and, if they go for the cyber jugular, a serious systemic threat.
This isn’t a threat banks should be expected to counter on their own – here, the industry is a stand-in for America and, thus, the government needs to stand with the banks. But, banks are the first line of attack. To resist it, banks need to dedicate the resources, risk controls and senior-management attention necessary to ensure resilience and, if required, recovery. One might hope banks would throw all this firepower into battle out of a sense of citizenship and, indeed, many do. But, regulators still need to require appropriate operational risk management and, when it’s found lacking, impose sanction. This they can’t do if the only stress tests everyone runs are single-minded capital ones.
The last case of terrorist attacks against financial institutions is, of course, 9/11. After a very close call with catastrophic payment-system meltdown, the banking agencies required an array of recovery plans, plans to some degree referenced in the new living wills required by Dodd-Frank. Still, so much focus is now so monomaniacally devoted to capital – bankers and regulators can only do so much at one time – that the lessons of the last operational-risk crisis have faded. In the face of a new one, it’s vital to remember that banks count on more than capital.