Jin-Wook Chang, Jacob Dice, Shengwu Du, Adam Flury, Sam Jerow, Seung Jung Lee, Stacey Schreft, and Craig VandreThis paper examines cyber vulnerabilities across the 100 largest US banks, non-bank financial institutions (NBFIs), and their third-party service providers. Our analysis, based on a proprietary cyber risk analytics model, shows NBFIs exhibit greater cyber vulnerabilities than banks, though banks face larger relative losses from routine incidents. We identify third-party service providers as a hidden cyber fault line in the financial system, often having greater vulnerabilities than the institutions they serve and creating systemic risks. Scenario analyses of catastrophic cyber events targeting these providers reveal potential losses up to about 60 times larger than routine incidents for both large banks and large NBFIs, with business interruptions driving most losses. Our findings highlight the need for a holistic cyber risk management approach addressing both individual vulnerabilities and systemic risks from interconnectedness in the financial system.
Nothing contributes so much to the prosperity and happiness of a country as high profits