
Vulnerabilities Beyond CVEs: Cyber Resilience and the Next Financial Crisis

BSides Las Vegas · 2025 · 48:19 · 12 views · Published 2025-12
About this talk
Financial systems face cascading risks from cyber disruptions that extend far beyond individual CVEs. Drawing on case studies from banking technology providers and critical infrastructure, this talk examines how systemic IT vulnerabilities—weak business continuity, poor redundancy, complex financial linkages—could trigger a future financial crisis, and maps cyber resilience best practices onto post-2008 financial reforms.
Original YouTube description
Identifier: 9FF3LX
Description:
- "Vulnerabilities Beyond CVEs: Cyber Resilience and the Next Financial Crisis"
- Explores how cyber threats pose risks to global financial stability.
- Argues that vulnerabilities beyond CVEs could trigger a financial crisis.
- Highlights weaknesses in IT and security operations.
Location & Metadata:
- Location: Breaking Ground, Florentine A
- Date/Time: Tuesday, 11:30–12:15
- Speaker: Stacey Schreft
Transcript [en]

Good morning. Welcome again to day two of BSides Las Vegas. Woo! Look at this room. All these beautiful people. Welcome Stacey Schreft. She's talking about vulnerabilities beyond CVEs, cyber resilience and the next financial crisis. Sounds super serious. I'm ready for this one. But first, let's thank all of our sponsors. We need them. We need their money and we need you guys too. So, thanks for coming. The guests, the donors, all that stuff. Adobe, Aikido, Dropzone AI, Prophet, runZero. Thank you very much. No phones. Silence them. Let's be respectful. No pictures. We don't like that either. Questions will be at the end. Maybe one, two, zero. We'll see. Yeah, I think that's all the

housekeeping. Anybody got a good joke? I'm out of jokes. So, somebody give a good joke. No. All right. How about a dad joke? Uh, where did the dad keep all of his jokes?
>> In his dad-a-base.
Thank you, Mr. Dad with his kid over here. Very cute. All right, without further ado, Stacey, take it away.
>> Good morning. I'm going to talk with you today about vulnerabilities, some very fundamental vulnerabilities that are always present in our IT and information security systems and that make them susceptible to disruption from cyber attacks and other cyber incidents. I've been studying the risk of these events for a long time now and the good news is that we have not had a financial

crisis caused by a cyber attack. But increasingly we have cyber attacks that disrupt some part of the financial system. Let me give you an example, one where we could measure it. It was a cyber attack on a bank technology service provider, by which I mean a type of firm that sells an entire suite of software applications to banks. And so one day this TSP discovers that it's been infected with malware and it takes its systems offline and its bank customers now don't have access to its software applications. A colleague and I were able to show that on the first day that TSP was offline, its customers sent on average 45% fewer payments by dollar value

compared to the average other bank that did not rely on this TSP. That is a huge effect. It didn't totally go away until the TSP was back online. But that's not the really concerning part. The worst part is that through the normal channels of the financial system, this ended up disrupting activity at other banks. Because these customers sent fewer payments, other banks received fewer funds from them. So, they had fewer funds to send their own customers' payments and some of them ended up having to get loans overnight to fulfill their obligations. We call that a liquidity event at those banks and it's a very serious matter. The number one point that I hope you

take away from today is that these really fundamental vulnerabilities that are always present in our IT systems and make them susceptible to disruption from cyber attacks are the same vulnerabilities that are always present in our financial system and that make the financial system susceptible to disruption and, in the extreme, to financial crisis. Now, when I say the word vulnerabilities, the long word with all the syllables, I do not mean CVEs, so we're clear. Not that CVEs don't matter. They really do. But I'm going to make the case that the vulnerabilities I'm going to talk with you about matter more because they amplify the harm that CVEs can do. The vulnerabilities I have in mind are

always present. They don't come and go. Their severity varies over time. Sometimes they're elevated and sometimes they're muted. If we have good data, we can measure them, how high and low they are, and monitor them, and we can take steps, policies, to try to keep them lower. I really like medical examples because we all deal with them. And hypertension is a great example here. Hypertension refers to chronic high blood pressure. If you have hypertension, you are more vulnerable, more susceptible to harm, to more adverse outcomes, if you contract some other medical condition like COVID or the flu. And you can measure your blood pressure and how high or low it is and take steps to keep it

down. CVEs, on the other hand, are usually things recently discovered. If they existed but nobody knew about them, it doesn't really count. Their severity does vary, but not over time. It's really compared to other CVEs. So we can prioritize the urgency of taking action and we can develop patches and apply them. The analogy here is to strep throat. You could have had it for a while and not known, but once you know, it's a bacterial infection and there's an antibiotic that usually takes care of it. Now, some people have vulnerabilities like the kind on the left side of the screen that make them more susceptible to strep throat. Their immune system doesn't protect them as

well. I spent a lot of my time thinking about vulnerabilities. People in my field who try to assess the risk of a financial crisis study the vulnerabilities and try to measure how high or low they are. The other thing we spend time thinking about is the likelihood of shocks. Shocks are adverse, usually unexpected events that if they happen and hit some vulnerability could end up destabilizing the financial system. We say shocks are unexpected because given the harm they could do, we would take steps to prevent them if we could. You want to remember the phrase shocks hit, vulnerabilities break. This photograph is of a building that was damaged in a hurricane in Florida. And I

think it's pretty clear that the stability depends less on the weather, the shock of a hurricane coming through, and more on the vulnerabilities inherent in it that made it susceptible to damage. The fundamental vulnerabilities I'm going to be talking to you about are leverage, liquidity, linkages, and leadership. For the rest of my talk, I'm going to go through each and describe them. And as we go through, you'll see that any one of them being elevated makes the others worse. And then I'm going to show you how it was a factor in the 2008 to 2009 financial crisis. That was the last crisis we had. It was a horrible crisis. I see the age mix in

the audience. So, some of you remember it, unfortunately, and some of you don't. It was the worst crisis since the Great Depression and it was accompanied by a really horrible recession, as tends to be the case. And then I'm going to show you how that same vulnerability is present today and every day in our IT systems. So let's get going. Leverage. Leverage means doing more with less. Leveraging our resources. In finance, it usually means doing less with our money and more with other people's money. It amplifies returns, can be really wonderful, but it also increases fragility. I can't think about leverage without thinking about my dad. And when I was about 17, he said, I need to talk to

you. So, I figured I'm in some kind of trouble here. And he says, I want to talk to you about leverage, of all things. Someday, he said, if you can come up with just 20% of the price of a house, a bank will lend you the other 80 and you can buy the house and enjoy living in it. And house prices tend to go up over time and you will get all the appreciation. That will be your equity. It'll be all yours even though you only paid 20% of the price of the house. Leverage is wonderful, he said. And the third time in a period of months when he sat me down for this conversation, I

finally said, "Why are you doing this to me?" He said, "Your mom doesn't believe in leverage. She doesn't believe in borrowing. She thinks if something goes wrong and you can't make your debt payments, you could lose the asset. You could lose your investment. You could default." In this case, mom and dad were both right. So, let's do an example because this is really important. Suppose you want to buy an asset. It costs $300. You have $10 to put into it. You borrow the other 290. You are leveraged 30 to 1: 300 divided by 10. Now suppose the price goes up one-thirtieth. That's $10. I kept the math easy. So it goes from 300 to 310. Your debt hasn't changed. So now your

equity has gone up by the $10. It's doubled. You have a 100% return on your investment. If you paid full price, you'd only have about a 3% return, the increase of one-thirtieth. So you can see why dad said leverage is wonderful. Of course, prices could have gone down one-thirtieth, $10. So then it goes from 300 to 290. And now if you can't make those debt payments and you have to sell, you just get enough funds to pay off the debt. Your equity has been wiped out. You lose the asset. You lose your equity. You have a 100% loss. If you paid full price, you'd have a 3% loss. But it gets worse. Suppose the price

fell any more than one-thirtieth. You would be underwater in that investment. If you have to sell, you're not going to raise enough funds to pay off the debt and you're going to have to come up with funds somewhere else or you will be in default. And now you hear mom's side of the story. So what happened in the crisis? Well, every financial crisis is preceded by a financial boom period during which times are great and people borrow heavily. Financial institutions borrowed, consumers borrowed, non-financial businesses borrowed. For the purposes of this example, I'm going to talk about mortgage-backed securities and the collapse of Lehman Brothers, but please know that the financial crisis and even the use of

leverage was a lot more than both of those things. I'm keeping it simple. A mortgage-backed security is created when someone takes a bunch of mortgages and bundles them together and sells them as an investment itself. And mortgage-backed securities had been around a couple of decades by then and they tended to be pretty safe because even though any of the mortgages in the bundle could default, the likelihood that a whole bunch would default at the same time, well, it just hadn't happened. This picture shows you the increase in house prices in the US from one year to the next in the 1990s and 2000s. In the 1990s, you see they're going up about two to 3% a

year. That is average. By the end of the 1990s, interest rates had fallen to about where they are now. So, we think that's expensive, and it is, but it was better than it had been. And in the early 2000s, they kept falling and they were hitting historic lows. When interest rates come down, debt becomes more affordable, right? The interest payments are lower. So, the demand for things we buy with debt goes up. The demand for houses went up and the demand for mortgage-backed securities bought with leverage went up. And so as demand goes up, other things equal, it helps push price up. We just saw what happens if you're leveraged and the price of the assets goes up. You get

a really nice return. That return enticed people to borrow even more so they could buy more houses and more mortgage-backed securities. So we had this positive feedback loop of debt-driven demand pushing up price, pushing up demand, until we start to worry that we're seeing an asset price bubble, that prices are going up just because people are betting that the price will keep going up and they can make a nice return without paying attention to any of the risk. So what happened? Lehman Brothers was a 158-year-old well-respected investment bank. It was like a peer of Goldman Sachs at the time. It went bankrupt in 2008. Lehman Brothers was making mortgages. It was issuing mortgage-backed securities and

it borrowed really heavily to buy mortgage-backed securities as an investment. It turned out it was leveraged 30 to 1. Hence my example. And so you've all seen from that example that Lehman Brothers left itself no leeway for the price to fall. If it fell just 3.3%, it would be underwater in assets in which it was leveraged 30 to 1. The other thing that happened was that as this housing boom was wearing on, financial institutions wanted to keep making mortgages because they made money from the fees and from selling them to be put in mortgage-backed securities. So they wanted to grow the pool of consumers they could sell mortgages to. So they lowered their

credit standards so that more consumers would qualify and they started making mortgages to subprime borrowers, which is the tier of consumers below prime. And to help them qualify, they were selling them adjustable-rate mortgages, which had teaser rates, very low rates for the first couple of years, which helped get that down. In fact, some of them had no interest rates, no interest at all for the first couple of years. And so these adjustable-rate subprime mortgages got bundled in with more traditional mortgages into these mortgage-backed securities, which changes the risk profile. And it's not that nobody noticed, but a lot of investors were not paying attention, and there was no history with these things. So, back

to our house price graph. Now I've filled out the far side of the graph and you see that the rate of house price appreciation peaked in double digits in 2005 before it cooled off. What happened was, with the economy booming and overheating, to contain inflation and with credit risk rising, interest rates started to rise in mid-2004, and when interest rates go up, debt affordability goes down. So that should cool off the demand for houses and mortgage-backed securities bought with leverage. That by itself is not enough to cause a financial crisis. But you see here that the price appreciation does cool off. And in the financial crisis, house

prices go down and down and down. From 2008 to 2012, they're falling. Interest rates alone would not have caused the crisis. However, interest rates rose in a world with subprime mortgages. There were adjustable-rate mortgages and a bunch of other stuff. And it formed the perfect storm that was the shock that hit this very indebted financial system. And it started the process of the debt unwinding. And so interest rates rise and now the interest that subprime borrowers have to pay on their adjustable-rate mortgages goes up and they can't pay and they default and the banks repossess the homes and dump them on the market in foreclosures. So not only do you have

demand cooling, but now you have some very quick forced sales, which helps put downward pressure on prices, and these mortgages which were defaulting were owned by the investors in the mortgage-backed securities. So now the returns in those securities aren't as good. They're not as attractive. Their prices are going down. So investors start selling them to get out before price goes down more. But we saw what happens if you're leveraged and the price of the asset goes down. Eventually, investors end up underwater, and that can force them to sell. So, now everything unravels and you have asset sales pushing down prices, encouraging more asset sales. When you're selling under duress in a market with falling

prices, we call that an asset fire sale. And the problem with fires is that they spread. If you don't get enough money from selling in one market, you're going to have to start selling assets in other markets. And so, that pushed those prices down. Now, I spent a lot of time on leverage because I don't think you can have a crisis without it. It is the sudden increase in defaults that causes borrowers to lose the asset, lose the money they put into it. Their lenders now incur losses and those lenders are themselves borrowers, so they can default, which starts spreading losses, and assets are being sold off. Likewise, we use leverage in our IT and

information security systems. We leverage our resources when we take our workers and we augment them with technology and automation. We try to get more. They can do more with that technology or we can do more with fewer workers. We leverage our human and our technology resources. When we outsource, we do less with our resources and more with other people's resources. It's a direct analogy. And it's great because it makes our systems more scalable. Dad would love this. He would say leverage is wonderful. And presumably we're doing this because it lowers costs overall which raises our earnings, makes us more profitable, but it also increases fragility because that incentive to leverage our resources here is present at every

company including the ones that are our vendors and our service providers and digital services. The provision of that tends to be highly concentrated with something like one to three large companies really dominating in those markets. So while we might be counting on scalability, if everybody needs to scale at the same time, it's not clear that that scale can be there. We saw that with the challenges with network capacity at the beginning of the pandemic when everyone started working from home. And so when we leverage our resources, if we stretch them too thin, and that's happening too widely, small issues can end up being big disruptions. I'm going to use the example of the 2017 Equifax data breach. The really

confidential, sensitive financial information of 148 million Americans was compromised in that breach. That's about 40 to 45% of the American public. After the fact, it was determined that Equifax's IT team was really understaffed. They had something like thousands of critical CVEs not patched. They relied on automated vulnerability scanning that missed the issue. They had insufficient oversight. So they didn't know they missed it. So a critical CVE is announced with a patch. Equifax was told about this. Two months go by, nobody notices that they haven't applied the patch, and the scanning missed it. The breach occurs and another two to three months go by before anybody notices that. Leveraged systems are really

susceptible to delays in patching and in finding breaches when they happen. So I think leverage plays a really critical role in the success of many cyber attacks. Liquidity is the second vulnerability. It refers to the availability of critical resources that lets us cover expenses and deal with the unexpected. It is always the case that our financial markets are liquid until the moment they aren't. Liquidity just dries up in a second. Liquidity takes the form of cash on hand or the ability to sell quickly and at a fair price without taking a big hit. Back to our asset fire sale and our debt collapse. If borrowers in that cycle leading up to 2008, in 2008, had been liquid enough

that they could have kept making their debt payments, there wouldn't have been the defaults, there wouldn't have been the asset fire sales. But we generally see that leveraged investors and leveraged borrowers tend to have too little cash on hand and so they really need markets to be liquid. And so while I just told you a story a moment ago with this figure about asset sales pushing down prices, I didn't really say much about the other side, right? If demand had been robust, even if people wanted to sell, if demand was still robust, price wouldn't have been falling. But in a crisis, demand dries up. And that is the same as saying liquidity is drying up. Nobody's there

wanting to buy. Mortgage-backed securities became toxic. And so a lack of liquidity always worsens that downward price adjustment and the asset fire sale. When we are heavily leveraged, liquidity is even more important. Likewise, in our IT systems, we take for granted that our systems are available. Our business functions start the business day. They just trust that everything's going to work and run as it should. And most days it does, until one day it doesn't. There's some outage that actually does disrupt our business operations. And at that point, we discover we're leveraged. We have limited staffing and expertise to find and fix the problem. We might also have limited funding if we have to go and buy lots of equipment to

rebuild systems or hire a great forensics team to help us find the problem. And we don't get to wait till all that stuff is on sale or we can negotiate a good price because our business has been disrupted. So, we have to pay top dollar. And of course, because our business has been disrupted, it's pretty clear we had some limitations in our business continuity planning. I'm going to use the example of the 2021 Colonial Pipeline ransomware attack. Colonial Pipeline is a company that pumps gas from refineries in the Gulf up and down the East Coast, mostly in the Southeast. One day, it discovers it's infected with ransomware and it takes its systems offline. And I believe it was a billing

system that was hit, but it took all its systems offline to be safe. And that included the system that pumped the gas. So gas stations, especially in the Southeast, initially started running out of gas. It lacked redundant systems to shift over to so it could continue pumping gas. It lacked a recovery playbook. It lacked clean backups. It was not really well positioned to get back up and running quickly. As soon as gas stations started running out of gas, the news broke about this and all of a sudden people discovered there's a company called Colonial Pipeline, which no one had heard of. And public officials got on TV and encouraged people up and down the East Coast

that if you don't need gas right now, could you please stay home so that those who need it can get it, and in a few days Colonial Pipeline will be back up and running and we won't run out of gas. So what happened? Everybody ran to the gas stations and the TV now has long lines and something like 70 to 80% of gas stations ran out of gas. For somebody who does what I do, studying financial crises, this was fascinating because exactly what we worry about is some technology disruption at a financial firm that causes panic and people to run on financial institutions and financial markets. And here we had exactly that, but it was at an obscure pipeline

company and people are running on gas stations. Linkages. Linkages can be direct or indirect and they expose us to what's going on elsewhere. Our financial system and our IT systems are complex webs of connections. In normal times, links are created. Our financial system cannot provide financial services without creating links. Every time a loan is made, the lender and the borrower are linked by the borrower's ability to repay. Leverage creates links. When two people buy shares of stock in the same company, they are linked through their shared ownership to the fate of that company. When we buy something from a seller, we and our bank and the seller's bank and the seller are linked through the

payment system that has to move money from us to the seller. And when we take on or are exposed to risk and we buy insurance, we and the insurance company are linked to how the risk is realized. This is just some of the ways our financial system creates linkages. And so our financial system is this complex set of linkages that we're building up, especially with leverage. And we can't even really fully understand the risk from our direct links because we have no idea what they're connected to. But then things start to break. The links break when people default, when asset fire sales are occurring and asset prices are falling. And that helps us

start to realize that there's a lot more risk out there that we've taken on directly or through entities that we've dealt with. When Lehman Brothers went bankrupt, we realized there were some really large nodes in this network, entities that had grown really big and grown through leverage. And so for Lehman Brothers, which borrowed as much as it did, there had to be a lot of entities out there that had lent to it that were now going to incur losses. And no one knew who was the next Lehman Brothers, who had done the kind of things that Lehman Brothers had done. Fear, stress, panic spread because no one knew who was safe to lend to or what

assets were safe to hold. Fear, stress, panic spread through the direct links. You can think of that as the popcorn channel. And the indirect links, you can think of that as the domino channel. Those are technical terms. Of course, I didn't coin them. The example of the bank TSP that I gave you with the cyber attack was both, which is why it was fascinating, because when the TSP went down and its customers lost access to their technology, that was the popcorn channel spreading stress to them. When their inability to send payments disrupted funding at other banks, that's a chain reaction through the domino effect. In the crisis, the increased risk of default on mortgage-backed securities was a common

stress for all mortgage-backed securities and their investors. The collapse of Lehman Brothers, as I just said, led to widespread distress because no one knew who was going to go under because Lehman Brothers went under, or who had behaved and was at as big a risk as Lehman Brothers was. And then there was risk through the supply chain. When the risk of default rose on mortgage-backed securities, that was a problem for AIG, the big insurance company. It turned out AIG had sold a ton of insurance to investors to protect them against the risk of their mortgage-backed securities defaulting. But AIG had said that had never happened before. These are really safe assets. So

it set aside no reserves to cover paying off on that insurance. And when Lehman Brothers went under, all of a sudden the people who had bought the insurance really wanted to know that AIG would be able to pay off. And AIG ended up rescued by the government. This looks like our typical asset fire sale, except this market is freezing. When fear and panic spread, there are other markets, short-term funding markets they're called, in which lenders suddenly leave. The lenders will not lend anymore. And so, the market just instantly freezes and stops. Short-term funding markets are critical to the economy because that's where pretty big, usually very creditworthy companies go day after day after day, borrowing,

often overnight or for just a few days, to raise funds to pay for routine operational expenses like payroll and paying for supplies, or financial companies providing financial services. And the people who lend to them, the entities that lend to them, are big financial institutions that have a little extra cash and figure they'll make some extra money. And everybody's managing their cash day to day. And these players know each other. So they pretty much trust each other. But these are really short-term loans, as I said, often overnight. And so the odds that the borrower is going to go bankrupt and not repay their debt or that an asset that's used as collateral or sold to raise cash

is going to plunge in value, well, that just doesn't happen day to day, except in a financial crisis when Lehman goes under and lots of asset prices were falling. And so to use one example, when Lehman went under, all of a sudden the short-term funding market in which banks lend to each other every night suddenly froze because none of them trusted each other. And when short-term funding markets freeze, it means companies far and wide across the economy do not get the funds they need to make payroll and pay other routine bills. So this sent shock waves through the economy. Likewise, our IT systems are complex systems with long interconnected supply chains and we really can't understand

the risk that we face through them or fully manage that. Our linkages form for pretty reasonable reasons. We use third-party APIs. We use software, infrastructure, and platform as a service through our leverage. We use cloud services. But then a cyber attack happens somewhere at a counterparty, somebody on the other side of a transaction, so a vendor or a service provider. And then there's fear, stress, and distrust. We end up disconnected from this counterparty by force or by choice. And now we have to figure out when will we trust this counterparty again? Are we going to reconnect? Will we ever trust them? If we're not going to trust them, who are we going to trust? Because we've

outsourced the service. So, we've got to find somebody. We have to deal with the disruption in the meantime. And even if we're doing business with entities that did not suffer this cyber attack, how do we know they won't? Who do we trust now? The popcorn and the domino channels are at work here. CrowdStrike is a perfect example of popcorn. I woke up, I heard about CrowdStrike. It had this outage. Everybody's business is disrupted and I thought, "Popcorn." SolarWinds, its systems were infiltrated and the attacker injected malware into a routine software update that got pushed out to all the customers. That's popcorn. Any worm is a classic case of contagion. An economist couldn't make up a better

example of contagion than that. And the MOVEit supply chain breach will probably go down in history as the one that really taught us how long and interconnected our supply chains are. Some entities, even financial companies, had their data breached multiple times by multiple third parties and even fourth and fifth parties, the vendors of their vendors. The last of our vulnerabilities here is leadership. Leaders can be overconfident in their decision-making. They can engage in herd behavior: when everyone else is borrowing and buying mortgage-backed securities as an investment, we should too. They can be in denial about the risk and they can delay building resilience. So leaders really shape our risk and our

vulnerabilities. I think I've already made the case that leadership failures contributed to the 2008 to 2009 crisis. Being leveraged 30 to 1, selling insurance without setting aside any reserves for that, that is beyond weak risk management. When financial institutions were making loans to subprime borrowers when interest rates were already rising and they knew they couldn't pay that, but they just wanted to get some other fee income from making more mortgages, that is a short-term focus. And generally there's that belief that the system, even if it might not be resilient forever, is going to be resilient long enough so you can make your leveraged investment and make a killing on it. And likewise in our IT systems, we see weak risk

management when we leverage our resources too much and we ignore how that's going to affect our liquidity, the availability of our systems. We have a short-term focus when we postpone patching that CVE, that critical CVE, because our business units need us to take care of something today. So, we put it off and it's one day and then another day and another day. We have a short-term focus when we put off patching legacy systems for another quarter because we just don't want that loss hitting our earnings this quarter. And we generally take the resilience of our IT systems for granted. When I hear about a big cyber attack somewhere, I like to go do some

research. It's my fun hobby. And see who owns the organization and how long have they owned it. Are they are they planning to to own this company for the long term, having a resilient, viable company, or are they just planning to turn it around and make a quick profit? H what's the tenure of the senior leaders? A new CEO usually comes with a lot of turnover. any senior leader. I've been in that position. You are drinking from a fire hose for 6 to 12 months and you don't come into the business knowing really what the state of IT vulnerability is. I like to see where on the org chart the IT and info security leaders sit. Do they report to the CEO

or the chief risk officer or chief operating officer? And to what extent do I think those people really understand the cyber risk? Increasingly I see them reporting to a chief product officer or revenue officer. I get that because today it isn't just the back office. In so many businesses the product is a digital technology and they are producing the product and innovating and dealing with the customer customers access to it. And so then I wonder how does a chief product officer, a chief revenue officer who clearly they have sales targets, how do they balance out the need to produce product while also ensuring resilience and finally what's the literacy the cyber literacy of the board and the leadership and how

independent is the board. So to recap, I think we've seen that leverage, liquidity, linkages, and leadership were key vulnerabilities that made the financial system susceptible to the shock and it caused the financial crisis. Not just in 2008, but I can tell you these are the same vulnerabilities all the time. And those vulnerabilities are present in our automation and outsourcing where we leverage our systems and our assumption of of the availability of our systems where we take that for granted and we never have enough business continuity planning. We don't really understand the risk through our complex systems and supply chains and frankly we have leadership failures in my opinion if we don't understand that leverage liquidity and linkages are

fundamental vulnerability is always there. I'm going to use my last few minutes to talk about resilience. After every crisis, people say never again. We never want to live through this again. We realize that the vulnerabilities had really grown beyond what we ever imagined. So we take measures, adopt policies to bring them down and keep them under control. And we did that after the 200809 crisis. A lot of them pertain to the banking system and in particular the very biggest banks that were the you know the central nodes. So our biggest banks since then have been subjected to enhanced supervision. They have to come up with living wills which are long documents where after Lehman Brothers these these documents

describe how if they if they've basically need to fail if they failed how they'll be put to death essentially. Um you know how will they be parts be sold off parts go through bankruptcy? How will they deal with the the debts that they owe? How will they shut down without taking the whole financial system with them? That deals with the too big and important to fail problem. They have to hold higher capital requirements, more equity capital and do stress tests that ensure some resilience. They need to hold bigger liquidity buffers so they have some funds availability. They need to have what we call skin in the game. So they can't for some kinds of loans, they

can't just make a loan to a risky borrower and sell it off and not care if the borrower defaults. They have to keep some fraction like 5% on their books so they at least feel some of the pain of a default that should align their attention to risk. And the last one isn't just about big banks. It's about certain kinds of transactions. Mostly some what were some complex derivatives and swaps during the crisis. And those now have to be subject to central clearing. That means all transactions have to be done with a clearing house. A central clearing counterparty. The clearing house becomes the lender to every borrower and the borrower to every lender. So they see every single

transaction and report it, collect data on it. They because they're in them all, they simplify and standardize them, which really reduces complexity. And as a lender to every borrower, they hold all the collateral so they can more easily raise and collateral and manage it if they need to. And these have worked, right? We have not had a crisis since 2008. Um, thank goodness. I would hope they worked and we haven't had one since. But I can tell you that starting in 2017, we started rolling these back and limiting their scope and people are looking to do that further. Now, of course, we should always revisit our our regulations and make sure they are fit for purpose. But

I can guarantee you there will always be another financial crisis. Because while we say never again, when we roll back the reforms that have kept the vulnerabilities in check, those vulnerabilities build and we get too far from a financial crisis. So people don't remember it anymore. As I said, I'm looking around the audience and I see some people who I know were not alive as or at least adults to remember the last crisis. and even those who remember it just seems like it's been so long and these vulnerabilities have stayed contained and times are different. So why do we need these anymore? But that's a little like saying you've been taking your high blood pressure med medicine for 17 years

and it's worked so you don't need it anymore. I believe there are counterparts to each of of the financial reforms that are best practices for cyber resilience. I don't believe that they are as effective because outside of the banking system, we just don't have the same degree of oversight. So in the banking system, we have bank regulators, supervisors who can go on site and actually check that these things are being done. In our IT teams across our economy, for the most part, these are done, you know, in good faith. uh firms attest to doing them, but it certainly is a best practice for critical infrastructure firms to have meet higher standards for recovery and continuity that deals with

the too big and critical to fail problem. Cyber stress tests and threat modeling, that's a great way to build resilience. Redundancy, redundant systems and system bandwidth are great ways to ensure availability. We never really see a lot of that because it's expensive and you know product interoper interoperability issues do make redundancy hard human resource human bandwidth I never hear people worry about that in fact every news report I see these days is how their plans are to automate more and get rid of even more people shared cyber risk responsibility with vendors the whole focus on thirdparty risk management that's really bing now because with all the outsourcing we want disabuse people of the notion that

because you outsource, you now have no responsibility for the risk, but I don't know that people really believe that. And shared threat intelligence, I think we all agree that's probably a good thing would give us visibility across networks, but everyone wants to people to share with them and they don't necessarily want to share. And so I'll wrap up by repeating the number one thing I hope you'll take away from today, which is that there are these really fundamental vulnerabilities in our IT systems that make them susceptible to disruptive cyber attacks. And one day, one of those cyber attacks could spark a future financial crisis. I'm going to leave you with a question. Is your organization really doing enough

to manage those fundamental vulnerabilities, the ones beyond the CVS? Thank you. Thank you, Stacy Strapped. Any questions in the audience? Don't be shy. Raise your hand high.

Yeah, I had a quick question. in the financial crisis. Um you mentioned that the root of all this was the small investors because there were so many of them you being sort of uh enabled beyond what was potentially safe for the the market um in a in a culture that allowed them to get pretty levered up and that that kind of trickled up to these larger organizations which then collapsed and took everything else with them. In cyber security, we often feel that some of this would be overly burdensome to uh mandate for small businesses. Uh and so they have gaps compared to what we would have in a in a larger organization yet they remain

a very very large chunk of our uh overall uh ecosystem and and economy. Do you feel that that actual kind of risk surface area might be leading us to something similar analogous to how the financial crisis unfolded for how some larger uh cyber scenarios could unfold? I do I mean I do realize that the costs are higher on a smaller company but you know every node each company is a node in the network and a risk of intrusion and we end up routinely surprised by the companies that end up with the cyber attacks that end up being very disruptive. I mean I thought move it was a good example of that. Thi this is actually

quite fascinating and I uh like I say I appreciate you're having done this talk and also would strongly encourage you to continue exploring the the comparison of such a large uh failure of the financial system with potential failures in cyber in both directions is pretty fascinating stuff. >> Thank you. >> Thank you. >> Thank you. >> Absolutely brilliant take. I really like this. Uh I'm both a hacker and an MBA. So it's like so you know I I really uh enjoy how you've put this together. Now >> uh a couple of questions and then you know one of those questions is you kind of left at the end well maybe we need some regulations here. I don't think

anybody believes that there's going to be effective regulation uh coming out of the United States anytime soon for any of this. >> Yeah. Um, so just a thought exercise and and uh, you know, I'd like to just kind of get your perspective if you wanted to fix some of this stuff. Um, bearing in mind that during the financial crisis, literally nobody involved in this went to jail and they all got really freaking rich by making the line go up quarter by quarter, hitting their short-term numbers, right? All the incentives are just to go ahead and do it again, right? And so if you look at where we are with uh anything in information security, all

of the incentives are to wave your hands and say AI is going to fix everything. I can get rid of this really expensive cyber cyber team. Uh I'm paying them millions of dollars. Let's just get rid of all of them and replace it with chat GPT. Right? Uh so what's stopping anybody from doing that? uh if all of the incentives are short-term and institutional shareholder services is asleep at the switch and and there's only one thing I've observed which is cyber insurers saying well you got to do some self attestations and check some boxes and then we'll argue with you whether or not we're going to pay your claim even though we'll still take your

premiums. Uh so that's that's kind of where we are today and I I don't think anybody's going to go to jail for just you know getting rid of the whole uh information security team. There's one thing that's keeping it around in my corner of the industry and that's credibility with customers right uh customers rely on our stuff uh where I work to protect their data. uh and so we have to make a really credible effort to actually really do security but it's very very few things that are like that right most of the most of the universe of information security isn't that uniquely positioned so how do you fix this do you start giving this talk to

ISS and and the ISS's of the world what can be shareholder driven that's going to put pressure on boards >> so by giving this talk here I hope that a lot of people. We had a nice crowd. I hope that a lot of people go home and they start talking about some of these things. I mean, and not just the the the vulnerabilities beyond the CVS because these are a risk. I didn't mean to suggest that I thought there should be regulation of the IT to make sure that this is these are these best practices are are used. Although that would be that would be helpful, but we're not going to get that. That's beyond

anything that that we could could see. Um, so this is a real concern. I don't know how to how to solve it other than getting the word out and and trying to raise awareness. And that's all I know to do. So I guess that means you should be concerned. >> Yeah. The the punch line is you have every reason to be concerned I think. But I won't be concerned alone then. So I think it's a great parallel between the two. I've lived through it. I was in financial services when it happens. That was really interesting time. The I think started touching on it with the last one, but I'd really be interested in seeing kind of that mapping to all of

the like vibe coding as being the ultimate leverage against all of technology and the amount of fragility that's going to get introduced in the system and then the amount of debt and value that's going to drive down. And we're on the precipice, I think, of this really bad slope that looks very very similar to that. And I don't know what pulling out of it looks like. So yeah, void coding. Yeah. Um well, that would be if everything really went to dev null, but now it's not. But so I'd be very interested in kind of like do you see that parallel? Is it, you know, how do you get ahead of that using that similar model?

>> I I do see the parallel. I I think I've done my job. If I've got people worrying like this, I I won't be the only one awake at night worrying about it. Uh I I I see all kinds of concerns like that. And I don't know how to get ahead of them. So, I was hoping some of you could could tell me and reassure me, but I don't hear anybody doing that yet.

All right. Anyone else? Last chance. Going once, going twice. In that case, thank you so much. We appreciate you coming all the way out here for us. >> Thank you for the invitation. >> And we hope you enjoy the conference.