Cyber Risk and Security Investment for Financial Infrastructure
In the first week of September of 2017, Equifax, one of the “Big Three” providers of consumer credit scores in the U.S., announced that they had suffered a major data breach of personal data records for over 140 million Americans, as well as some British and Canadians citizens. The breach spawned several lawsuits that led to the difficult question, “how much is my data worth?”. It turns out that after legal fees, the answer is “about $5”.
Inspired by the Equifax breach, we began working towards a model of how financial infrastructure providers might optimally invest in security to guard against a profit-maximizing hacker, but with a twist: instead of working to secure their own assets, we injected that key principal-agent problem: infrastructure providers—banks, exchanges, cryptocurrency platforms, credit agencies to name a few—did not host assets that were theirs, but instead would facilitate transactions for clients that paid them to do so. In this way, clients pay an agent to complete a task, but do not stipulate or enforce just how much effort they put in to ensure the transaction completes. Sure, providers may not get paid if they fail at the task, but if the failure is somewhat random based on their own security and the arrival of a hacker, then it may be worth it to skimp on security investment, or to charge a higher margin for any security they do provide.
When visiting David at the Bank of Canada, we met up with Ryan Riordan (of Queen’s University) to discuss the idea. This led us to the competition element of the problem: can infrastructure provider competition improve client welfare? We expanded to a broader conversation on the role of monopolistic/large financial firms and databases in safeguarding data: could consolidation in financial markets lead to overinvestment in security, relative to what is demanded by clients? (the answer is yes). Comparatively, competition in these markets leads to lower fees for services and benefits from venue diversification, leading to more efficient security provision; the catch is, however, that “efficient security provision” doesn’t mean less vulnerable. Our paper suggests that there is a level of “efficient cyber risk”, beyond which the returns to security investment are too low.
Given that an “efficient cyber risk level” may be politically unpalatable in the face of large firms arguing that their pooling of investment may ameliorate security concerns, we show that a second-best result can be obtained where the break-up of a monopoly leads to client welfare improvement, while maintaining the monopoly level of vulnerability. To inject a hint of contemporary comedy, I had initially pitched the title “Financial Markets Can Have a Little Cyber Risk as a Treat”, but was out-voted.
N.B: The original title proposed by David was “All Your Data Belong to Us: Cyber Risk in Financial Markets”, to unearth an ancient meme; admittedly, I thought it was pretty funny.