系统性网络风险（英）

Steven D. Baker|Michael Junho Lee Abstract We propose a quantitative framework to track systemic risk arising from cybervulnerabilities of the U.S.financial system. Synthesizing financial, economic, cyber,and network data that covers thousands offinancial institutions and technologicalfirms, we develop an index that tracks financial-system-levelcyber vulnerability(SCV) for the financial system. Geopolitical risk, ransomware and malware incidents,and seasonal factors significantly drive the estimated adversarial component. Estimatedtechnological andfinancial components exhibit fat tails in the distribution. Inthe cross-section, SCV is attributable to asmall set of the largest firms. Large technologyfirms, including Microsoft, Google, Cisco, and Apple,emerge as key contributorsto SCV. These providers also represent the largest cumulative count ofvulnerabilities,pointing to financial stability considerations arising from the common exposureto clientfirms. SCV for service providers co-varies with that of financial institutions,which could amplifyfinancial stability risks. The framework puts forth an approachto include a broad set of entities into anaggregate assessment of cyber vulnerability. JEL classification:G21, G23, G28, G29, O33Keywords:financial system architecture, index, cyber risk, systemic risk, financial stability This paper presents preliminary findings and is being distributed to economists and other interestedreaders solely to stimulate discussion and elicit comments. The views expressed in this paper are those ofthe author(s) and do not necessarily reflect theposition of the Federal Reserve Bank of New York, theFederal Reserve Bank of Richmond,or the Federal Reserve System. Any errors or omissions are theresponsibility of the author(s). 1Introduction Among cybersecurity experts, the question is notifa cyber attack will trigger a sys-temic event, butwhen.Cyber risk has grown to be broadly recognized as a source offinancial stability vulnerability (Healey et al., 2018; Kashyap and Wetherilt, 2019; Brandoet al., 2022). Just in the past five years, virtually every layer of the financial system ar-chitecture has experienced a material cyber attack, including the Treasury market (e.g.ICBC-FS), Derivatives markets, global payments and settlement (e.g. Finastra), and tech-nical infrastructure (e.g. Move, Solar Winds). Significant work is dedicated to understanding the financial stability risks posed bycyber risk. Quantitatively tracking systemic cyber vulnerability requires accounting fora complex set of factors, including the strategic behavior of threat actors, evolving tech-nological vulnerabilities and exploits, cybersecurity strengths and resilience of financialand non-financial firms (Erol and Lee, 2025; Hastings and Sethumadhavan, 2025), andamplifications through operational and financial linkages (Duffie and Younger, 2019;Eisenbach et al., 2022; Welburn and Strong, 2022; Eisenbach et al., 2024). This paper addresses this void. We propose a quantitative framework of cyber vul-nerability for the U.S. financial system to monitor financial stability implications arisingfrom cyber risk that is comprehensive, dynamic, and interpretable.We build a mea-sure of financial system-level cyber vulnerability (SCV) that tracks aggregate financialstability risks over time, using granular data from financial disclosures, cyber ratings,cyber incidents, operational and technological linkages, and various other sources cov-ering roughly 5,000 financial institutions, technological service providers, and financialservice providers. The contribution of this paper is threefold. First, this paper serves as a blueprint forfinancial institutions, regulators, and cybersecurity experts to develop a rigorous eco-nomic framework for evaluating and tracking aggregate cyber exposure.Though thispaper is decidedly focused on the U.S. financial system, the approach readily appliesto other jurisdictions, sectors, and systems where systemic risk is a salient concern. Inparticular, it provides a tractable path to synthesizing a breadth of financial, cyber, andeconomic data into an index that is interpretable and actionable.Second, the indexsheds light on latent factors that drive each component of systemic cyber risk in theUS financial system.Notably, the adversarial contribution to systemic cyber risk riseswith geopolitical tension and seasonalities. A dominant pattern is the rise of systemicrisk associated with vulnerabilities associated with ransomware and zero-days, and con-currently firm-level weakeness in their defenses against malware exposure. Third, the index offers comprehensive evidence of significant systemic risks arising from technol-ogy providers, through shared dependencies of financial institutions. We first present a theoretical model of system cyber vulnerability, in which vulner-ability is jointly determined by cyber adversaries and firms. Cyber adversaries allocateresources across various attack vector