Federal Reserve Vice Chair for Supervision Michael Barr said
In a live-streamed, moderated discussion on cyber risk in the banking sector, Barr called cybersecurity a "top risk" that banks and regulators should be addressing proactively, especially in light of the rapid evolution of digital technology and related threats.
"There's a real risk that we have a cyber arms race using generative AI, with defenders and attackers in a constant struggle," he said. "So we do need to make sure that we are, and banks are, investing in the kind of technology that is useful not only today but in the near future."
Barr outlined his concerns during a half-hour conversation with Lisa Ryu, a senior associate director with the Fed's division of supervision and regulation. The stream was part of the Large and Foreign Banking Organizations Cyber Conference hosted by the Federal Reserve Bank of Cleveland.
Barr noted that cyberattacks against large banks could have implications that stretch far beyond targeted institutions. He noted that ripple effects that contaminate payments systems or liquidity facilities could destabilize the sector as a whole.
To prevent these types of episodes, Barr said it will be critical that banks have systems in place to boost their resilience to such attacks. Beyond that, he added, banks need to subject these systems to frequent and substantial tests, noting that the biggest banks could be held to higher standards on this front, especially when it comes to their ability to recover from significant hacks.
"We need banks to be quite creative about the kinds of tests they do, to try different angles on the test, to do exercises, war games, to make sure that they understand not only the prevention side, which is so critical, but also when things go wrong because they [have to] have the operational capability to serve their clients," Barr said. "Of course, our expectations for recovery are linked to the criticality of the function of the banking system. Institutions that are absolutely at the core of the financial system need to have the most amount of resiliency and recovery, and our standards are tailored appropriately to the risks that spill over from the institution we're talking about."
Barr said cybersecurity readiness could be included as part of the so-called "reverse stress testing" regime he has floated in the past.
Unlike traditional stress testing, which explores whether a bank would fail under certain adverse scenarios, reverse stress tests presume a bank does fail and seeks to determine the various circumstances that could have led to its failure.
"Humans are so good at pattern recognition, we're really good at finding things that have happened before, but maybe we're less good when a pattern is not one we've seen before," he said. "And so, challenging ourselves, questioning ourselves, using reverse stress testing to think about different patterns is a way of overcoming that human bias."
Barr noted that, unlike the annual stress test that the largest banks are put through to determine their stress capital buffer, the reverse stress testing he is considering would have no capital implications for banks.
As much as banks will be expected to safeguard their own systems from cyber threats, Barr said they will also have to be vigilant about risks transmitted through third-party vendors and services providers. He added that this is especially critical for small banks that outsource many of their information systems and even core banking functions to other firms.
"The banks need to treat the third-party risk management as if it were their own risk within their institution, because legally it is, and from the supervisory perspective it's required, and it's just essential in terms of the safety and soundness of the financial system," Barr said.
Barr said it is not enough to have a plan in place; banks need to take steps to show they are ready to use it in a pinch. He pointed to the string of bank failures that occurred earlier this year as evidence that banks are not always ready to act when critical moments arise.
"Preparedness in March was one of the key things missing. We had banks that, for example, were not