Cyber Security and The Fed
Written by: Kirsten Cutler
On Sunday, April 11th, 2021, CBS News' 60 Minutes featured an exclusive interview with the Federal Reserve Chairman Jerome Powell. Through this televised discussion, Powell expounded to the public that the economy is at an “inflection point.” He expressed high hopes for growth and employment picking up speed in the upcoming months, but also conveyed clear risks to the economy if the haste of reopening leads to a spike in coronavirus cases. Powell urged Americans to "continue to socially distance and wear masks," reassuring them that he's "highly confident" that the economy will emerge from the pandemic "better and more inclusive" than it was before. However, as the economy recovers from the past year of disaster, Powell revealed a new concern for the Fed. He said, "The world evolves, and the risks change as well and I would say that the risk that we keep our eyes on the most now is cyber risk."
Why would cyber risk be a prevalent concern for the Fed? How could it affect our country? Let’s break it down:
What is the Fed?
The Federal Reserve System - often referred to as “the Fed” - is the central banking system in the United States. Established by the U.S. Congress in 1913, the Fed ensures that the United States has a secure and stable monetary and financial system. It consists of 12 regional Federal Reserve Banks which are each responsible for a specific geographic area of the U.S. These are based in Boston, New York, Philadelphia, Cleveland, Richmond, Atlanta, Chicago, St. Louis, Minneapolis, Kansas City, Dallas, and San Francisco. The Fed is “subject to Congressional oversight and must work within the framework of the government’s economic and fiscal policy objectives” (Investopedia), but its decisions do not have to be sanctioned by the president or any other government official, so the Fed is considered to be independent. They have five main duties (listed on the chart below):
- Conducting the nation’s monetary policy (by influencing monetary and credit conditions in the U.S. economy to ensure maximum employment, stable prices, and moderate long-term interest rates)
- Helping maintain the stability of the financial system
- Supervising and regulating financial institutions (to ensure the safety of the U.S. banking and financial system and to protect consumers’ credit rights)
- Fostering payment and settlement system safety and efficiency (providing loans to banks in need of money)
- Promoting consumer protection and community development
Why is cyber security a relevant concern for the Fed?
Following such an uncertain and destructive year for our economy, there has been a lot of speculation about whether or not the government is making blind, risky bets like the ones that lead to the Great Recession of 2008. This concern is especially prevalent because the Fed has made a major push for banks to continue to lend in order to stimulate the economy, and not every transaction has ended with a positive result. 60 Minutes cited one example of a private hedge fund, called Archegos, which collapsed last month after making risky bets on stocks using billions of borrowed dollars. Now the banks are out billions of dollars. Even Powell admitted that it’s “[surprising] that a single customer, client, of one of these large firms could result in such substantial losses to these large firms in a business that is generally thought to present relatively well understood risks.” He assured 60 Minutes that this failure was certainly being reviewed so that future occurrences could be prevented, and he strongly expressed that the chances of a breakdown where banks are making terrible loans and harmful investment decisions is “very, very low. Very low.” That is why he believes that a greater risk than a global financial crisis is cyber security. Powell stated that “[it’s] something that many, many government agencies, including the Fed and all large private businesses and all large private financial companies in particular, monitor very carefully, invest heavily in.” He expanded saying, "There are scenarios in which a large financial institution would lose the ability to track the payments that it's making, where you would have a part of the financial system come to a halt, and so we spend so much time, energy and money guarding against these things."
What is the Fed doing to combat such a serious issue?
The Fed is constantly working to strengthen their Operational Resilience. Operational Resilience is carried out in a series of stages (quoted and paraphrased from federalreserve.gov):
Protection:
- The firm limits access to assets facilities to authorized users and manages access.
- The firm provides cybersecurity awareness education to all employees, including those from third parties.
- The firm encrypts data used in the delivery of critical operations and core business lines.
- The firm protects data based on the criticality and sensitivity of the information.
- The firm creates backups of critical data and regularly tests those backups for completeness and reliability.
- The Fed disposes of critical assets in a secure manner in order to prevent unauthorized recovery of sensitive information.
- The firm maintains and repairs industrial control and information system components consistent with policies and procedures.
- The firm upgrades or replaces information system components before technical support is no longer available from the developer, vendor, or manufacturer.
Detection:
- Unusual activity is detected in a timely manner and the potential impact (including financial impact) is analyzed and understood.
- Information systems and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection processes and procedures are tested frequently to ensure timely action is taken in response to potential cyber attacks.
Response:
- Any cybersecurity incident must be reported in a timely manner (within 36 hours of recognition) so that response processes and procedures can be executed and maintained.
- Response activities are coordinated with internal and external stakeholders, as appropriate, including external support from regulatory and law enforcement agencies.
- The firm will conduct analysis to ensure the proper and most effective response and to support recovery activities ensue.
- Action will be taken to prevent expansion of the disruption, mitigate its effects, and resolve the incident.
Recovery:
- The firm executes disaster recovery plans, and implements procedures to support timely restoration of systems or assets affected by cybersecurity incidents.
- They improve recovery plans for the future based on what they have learned.
- The Fed coordinates restoration processes with internal and external parties (such as internet service providers, owners of compromised systems, other incident response teams, and vendors).
One final protection method:
In 2014 the Fed established a cyber threat sharing group which allowed various banks and financial institutions to gather together and share past and present experiences with cyber attacks and how they have learned from them, recovered, and made changes to their cyber security. By allowing organizations to share with each other the attacks they are seeing, they are decreasing the effective window in which these attacks work. In these frequent meetings institutions share any fishing emails and social engineering that they have noticed so that other organizations are aware and prepared to combat something similar.
Should we be concerned?
While cyber risk is a prevalent concern in this day and age, I do not think that the general US public needs to worry about the safety of their money. As I presented above, the Fed has many measures in place that protect US banks from cyber threats, and an efficient reaction system in the instance that something happens. The Fed is an uniquely qualified organization to protect and monitor the US’s financial system, and our country is stronger because of it.
Vocab Bank:
Monetary Policy - The term "monetary policy" refers to what the Federal Reserve, the nation's central bank, does to influence the amount of money and credit in the U.S. economy.
Operational Resilience - The ability to deliver operations, including critical operations and core business lines through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
Critical Operations - Those operations of the firm, including associated services, functions and
support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Core Business Lines - Those business lines of the firm, including associated operations, services,
functions and support, that, in the view of the firm upon failure would result in a material loss of revenue, profit, or franchise value.
Works Cited
“Board of Governors of the Federal Reserve System.” Federal Reserve Board - Home, www.federalreserve.gov/.
Chen, James. “Federal Reserve System - FRS.” Investopedia, Investopedia, 3 Sept. 2020, www.investopedia.com/terms/f/federalreservebank.asp#:~:text=The Fed's main duties include,stability, and providing banking services.
Federal Reserve Bank of Boston. “2017 Cybersecurity Conference.” Federal Reserve Bank of Boston, 1 Jan. 1AD, www.bostonfed.org/news-and-events/events/cybersecurity-conference/2017.aspx.
Hansen, Sarah. “'Not At All Likely' U.S. Will Reach Maximum Employment This Year: Fed Chair Powell.” Forbes, Forbes Magazine, 4 Mar. 2021, www.forbes.com/sites/sarahhansen/2021/03/04/not-at-all-likely-us-will-reach-maximum-employment-this-year-fed-chair-powell/?sh=5dbf118342c6.
“Jerome Powell: Full 2021 60 Minutes Interview Transcript.” CBS News, CBS Interactive, www.cbsnews.com/news/jerome-powell-full-2021-60-minutes-interview-transcript/.