The financial system could probably withstand one large institution getting knocked out, but if multiple large financial institutions were shut down by a cyberattack, the disruption could last for weeks, he said.
Additionally, if attackers struck during a particularly volatile period in the markets — for example, on one of the “triple witching” Fridays that occur each quarter when stock options, stock index futures and stock index options all expire on the same day — the effects could be amplified.
Such an attack would require skill, resources and immense coordination, which so far adversaries have not shown. Most cyberattacks against financial institutions to date have involved criminal theft of bank card numbers and account credentials; although a few incidents involving nation-backed actors have occurred, they’ve been contained in scope and impact.
In late 2011, Iranian hackers associated with the Islamic Revolutionary Guard Corps launched a monthslong denial-of-service campaign against dozens of U.S. financial institutions, including American Express, JPMorgan and Wells Fargo, according to Justice Department documents. The onslaught disabled banking websites and locked hundreds of thousands of customers out of online accounts. And in 2016, hackers associated with North Korea broke into Bangladesh Bank and hijacked employee credentials in an attempt to steal $951 million via the Swift network, a messaging system used by financial institutions. They succeeded in nabbing $81 million.
More sophisticated and destructive attacks are not out of the question, however. The New York Cyber Task Force — a group of government and private industry experts convened by Columbia University and led by Mr. Rattray — examined a “severe but plausible” scenario involving multiple financial institutions. In the theoretical scenario, described in a report the task force published this year, North Korean hackers compromise a third-party service provider, such as a cloud computing company, to slip into a financial institution’s network and install a self-propagating digital worm that wipes data. As other financial institutions communicate with the infected bank, the wiper spreads to their networks as well. The scenario highlights how swiftly an attack could cascade and how financial institutions that are focused on securing their own networks from adversaries could miss the risk of being compromised by the network of trusted partners.
If this scenario were to occur as the task force imagined, an initiative called Sheltered Harbor would help address at least the loss of data. The program, launched by the industry in 2015, is designed to protect banks from losing valuable data because of cyberattacks — the data of participating banks is encrypted and backed up daily to offline secure storage so that if it gets deleted or altered, or access to it is blocked, it can be restored.
It’s not just about banks
Under a 2013 White House executive order, the Department of Homeland Security was asked to identify critical infrastructures for which a cybersecurity incident could have “catastrophic regional or national effects on public health or safety, economic security or national security.” Within the financial sector, D.H.S. and the Treasury Department identified more than two dozen key financial institutions that fit the description, according to sources who asked not to be named because the information is sensitive.