Cyber Risk and Security Investment for Financial Infrastructure

How much should we care about the security of our financial assets and sensitive personal data, and will infrastructure providers implement the necessary safeguards? The genesis of this idea began several years ago as David Cimon and I embarked on an Eastern Canada road-trip to the Canadian Economics Association annual conference in Antigonish. Given the massive theft at Mt. Gox in 2014 and the hot-off-the-presses 2017 WannaCry attack, it seemed that vulnerability of everything from digital assets to data was becoming an increasingly public concern--but did institutions have the incentive to safeguard assets that didn’t belong to them? The consensus was that this was a problem we should look into, but we didn’t really know if security breaches like the WannaCry attacks were simply rare, isolated events. It would be three months before the motivation we sought, which (reportedly) began in May of 2017, would be public.

In the first week of September of 2017, Equifax, one of the “Big Three” providers of consumer credit scores in the U.S., announced that they had suffered a major data breach of personal data records for over 140 million Americans, as well as some British and Canadians citizens. The breach spawned several lawsuits that led to the difficult question, “how much is my data worth?”. It turns out that after legal fees, the answer is “about $5”.

Inspired by the Equifax breach, we began working towards a model of how financial infrastructure providers might optimally invest in security to guard against a profit-maximizing hacker, but with a twist: instead of working to secure their own assets, we injected that key principal-agent problem: infrastructure providers—banks, exchanges, cryptocurrency platforms, credit agencies to name a few—did not host assets that were theirs, but instead would facilitate transactions for clients that paid them to do so. In this way, clients pay an agent to complete a task, but do not stipulate or enforce just how much effort they put in to ensure the transaction completes. Sure, providers may not get paid if they fail at the task, but if the failure is somewhat random based on their own security and the arrival of a hacker, then it may be worth it to skimp on security investment, or to charge a higher margin for any security they do provide.

When visiting David at the Bank of Canada, we met up with Ryan Riordan (of Queen’s University) to discuss the idea. This led us to the competition element of the problem: can infrastructure provider competition improve client welfare? We expanded to a broader conversation on the role of monopolistic/large financial firms and databases in safeguarding data: could consolidation in financial markets lead to overinvestment in security, relative to what is demanded by clients? (the answer is yes). Comparatively, competition in these markets leads to lower fees for services and benefits from venue diversification, leading to more efficient security provision; the catch is, however, that “efficient security provision” doesn’t mean less vulnerable. Our paper suggests that there is a level of “efficient cyber risk”, beyond which the returns to security investment are too low.

Given that an “efficient cyber risk level” may be politically unpalatable in the face of large firms arguing that their pooling of investment may ameliorate security concerns, we show that a second-best result can be obtained where the break-up of a monopoly leads to client welfare improvement, while maintaining the monopoly level of vulnerability. To inject a hint of contemporary comedy, I had initially pitched the title “Financial Markets Can Have a Little Cyber Risk as a Treat”, but was out-voted.

N.B: The original title proposed by David was “All Your Data Belong to Us: Cyber Risk in Financial Markets”, to unearth an ancient meme; admittedly, I thought it was pretty funny.