Fed's Barr warns of 'concentration risk' in cybersecurity for banks

Michael Barr spoke to a group of banking cybersecurity experts about risks to the industry.
Bloomberg News

WASHINGTON — Many banks, and even government banking agencies, contract with some of the same tech companies, and that could cause problems for individual banks and the wider financial system, said Federal Reserve Vice Chair for Supervision Michael Barr. 

"We have many, many financial institutions that rely on a small number of providers, in some instances, for critical products and services," Barr said at a fireside chat at a joint meeting of the Financial Services Sector Coordinating Council and the Financial and Banking Information Infrastructure Committee, a public-private partnership on cybersecurity housed at the Treasury Department. "So if that service provider has a problem, that can rapidly spread throughout the financial system." 

It's usually small banks that rely on outside tech service providers because their resources are more limited compared with the larger institutions, he said. Still, larger institutions pose risks as they present a larger "honey pot" for bad actors. 

But it's not just banks that tend to use a small number of third-party contractors for their cybersecurity needs, Barr said. Government agencies, like the Fed, also tend to use a small number of outside companies that can overlap with the banks that they oversee. 

"Government agencies use a set of service providers, and many financial institutions use those same service providers," Barr said. "And so if there's a problem at one of those service providers, that's going to be a problem for the financial sector as a whole." 

To counter the risk, Barr said banks should thoroughly vet their third-party contractors, focusing on a company's ability to recover from a hack or a cybersecurity event, in addition to the company's ability to prevent them. 

"Financial institutions need to be paying attention to their concentration risk that comes from these activities," Barr said. "We can't make those go away." 

The risk from cybersecurity breaches is important for both bankers and regulators. Widespread IT outages caused by a buggy update from the cybersecurity company CrowdStrike, for example, caused delays and issues at a number of banking institutions in an event that one analyst called "the most far-reaching impact we have ever seen with a security tool." 

The Treasury Department has made cybersecurity a cornerstone of its work on banking. Project Fortress, Treasury's largest public-private partnership, offers free cybersecurity tools for banks and a space for bankers and law enforcement officers to counter cyber attackers. 

Barr also addressed artificial intelligence, particularly generative AI, in the banking sector. He warned of an escalating "arms race" between defenders and bad actors as the technology quickly ramps up. 

"AI will change the arms race between the defenders and the attackers," he said. "On one side, generative AI is going to be used in more sophisticated ways for malicious attacks. Just the ability to iterate attacks in a much more creative and fast way, to deploy those attacks with AI models, is going to be a real risk." 

He echoed concerns from other regulators that financial firms converging on the same few AI models could itself affect financial stability. 

"When you have automaticity and you have speed and you have ubiquity, those three things together can generate significant financial stability risks for the financial system," he said. 

Barr also said that AI could be used in a discriminatory way if the data is biased, or if the way the AI is trained presents bias. And if banks have no insight as to why an AI has, for example, denied credit to a consumer, then that could create problems. 

"If you have a model and you can't explain why it had a denial of credit, or had a price change on credit, that creates a fair lending concern," he said. "You might end up with what people call digital redlining, where the generative AI could be deployed in a way that has the effect of cutting off access, when what you want to do is use the generative AI or other technologies to improve access and reduce bias in the system." 
