If Congress Dismantles Dodd-Frank, It Should Not Ignore Systemic Cyber Risk

Alex Lloyd George is a research associate at the Greenberg Center for Geoeconomic Studies at the Council on Foreign Relations.

Ever since Donald Trump’s election victory, financiers and free-marketeers have been salivating at the prospect of the Dodd-Frank Act disappearing. A suite of financial regulations passed by Democrats in the wake of the 2008 financial crisis to clamp down on the risks taken by financiers, Dodd-Frank is unsurprisingly unpopular in banking circles. Republicans now in control of the White House and Congress have long railed against the law’s perceived overreach. This opposition has now taken concrete form in the Financial CHOICE Act, legislation released last week. While the legislation focuses on rolling back regulatory requirements on financial institutions, it also affects systemic cyber risk, a relatively new threat to which elements of the financial system remain uncomfortably exposed. Much as Republicans would like to lessen the regulatory burden on finance, they should take this opportunity to deepen—not weaken—scrutiny of systemic cyber risk.

The nature of financial cyber risk has been largely idiosyncratic so far, involving the theft of funds or customer data from specific institutions. In the most prominent attack last year, North Korea is alleged to have stolen $81 million from a Bangladeshi central-bank account at the New York Federal Reserve. This type of breach is alarming, but unlikely to set off a systemic event—given banks’ billion-dollar balance sheets, hackers would have to steal an astronomical amount to trigger a panic.

The larger threat posed by cyber risk is less apparent. The wheels of the global financial system are greased by “financial market utilities,” (FMU) which allow institutions to make payments, trade currencies, settle contracts, and otherwise conduct their business. These utilities, like the Chicago Mercantile Exchange derivatives marketplace or the CLS foreign-exchange trading system, are vital enough that the Financial Stability Oversight Council (FSOC)—the governmental body tasked with keeping an eye on risks to the stability of the financial system—has christened a number of them “systemically important.” This category is typically reserved for big banks whose failures would have regulators waking up in a cold sweat. The fact that in this categorization the FSOC also includes financial market utilities, the “plumbing” of global financial markets, is a sign we should take them seriously.

The Financial CHOICE Act, however, abolishes the “systemically important” and FMU designations. This reform dilutes scrutiny and supervision of utilities, making it less likely that threats will be detected. The legislation also removes the ability of these institutions to borrow from the Federal Reserve during emergencies. During such situations, regulators will be less able to aid FMUs in trouble. The combined effect is that the Financial CHOICE Act makes it more difficult both to detect problems as they arise and to solve them when they do.

The prospect of looser scrutiny is concerning because, operating with budgets considerably smaller than those of megabanks, market utilities are more vulnerable to cyberattack. JPMorgan estimated that it would boost its cybersecurity spending to half a billion dollars in 2016, a sum that nonetheless must still be placed in the context of the firm’s $93 billion in 2015 revenue. By contrast, CME Group—the company that owns the Chicago Merc—took in just over $3 billion the same year. That’s a much smaller piggy bank to dip into for cybersecurity spending.

The disparity is telling. In May 2016, then-SEC Chair Mary Jo White warned that certain exchanges and clearinghouses had policies that were “not tailored to their particular risks.” This has proven true in practice as well as in theory—the Bangladeshi heist was carried out by hacking into SWIFT, a cross-border payment-instructions network, which warned in December that copycat attacks remained likely. Though SWIFT instituted significant new security protocols in April, recent revelations that the National Security Agency may have compromised one of the network's service bureaus is unlikely to calm concerned observers.

This cocktail of gravity and fragility means that cyber theft should be the least of anyone’s worries. It is systemic risk to payment, clearing, and settlement mechanisms that should send a shiver down the spines of regulators. A World Economic Forum white paper solemnly noted that “any significant or prolonged disruption” to those systems “could touch all major aspects of financial risk.” The language might be staid, but the reality wouldn’t be. Markets are predicated on the notion that contracts will be fulfilled and transactions carried out; if these expectations are dashed, panic ensues.

Republicans eager to do away with Dodd-Frank should reframe the realm of financial supervision with these dangers in mind. While the urge to spur commerce through deregulation is understandable in a time of persistently low growth rates, it should be balanced with the need for security. Weakening supervision of utilities that are already vulnerable and tightening the leash on regulators’ ability to act in grave situations does not accomplish this. Sponsors of the Financial CHOICE Act should consider the entire fabric of the financial system, not just the firm-level stability of the JPMorgans and Wells Fargos of the world, or else the shadow of cyber risk will come back to haunt Republican reformers.