So, welcome to this second session of this wonderful conference. Many of us were always convinced that research is for all functions of a central bank or a prudential authority and if not yet clear to you, then this conference is proof of that. So the tradition that only monetary policy is researched, we have left long behind us. So we have a nice session. So I'm thinking about what kept these three papers of this session together. I was thinking, they all talk a little bit about how problems that you may think could be limited to individual institutions actually could be systemic.

So we're going to start with an empirical paper about cyber risk when an IT services company that serves many banks has a cyber attack and how that affects the banking system as a whole. Then we're going to go to a more theoretical contribution about cross-border banking where the regime of how ring-fencing and/or cross-border support is dealt with, how what the attitude of the supervisory authorities has an impact about the efficiency and allocation of capital and so on. And then third, we turn back to something more empirical that has a bit of a flavor of the first paper of today. But this time it's not about Columbia, this time it's about Europe. So it's about the forward-looking provisioning in Europe. I'm very curious to see, I try to read like what the differences and similarities are with the first paper, but we're probably going to discuss that.

So let me call the first speaker to the floor. I think it's Antonis Kotidis actually and so with the paper on the cyber attacks, your floor is yours. You have 20 minutes. Please everybody stick to time. Thank you.

Excellent. So let me thank the organizers for including this paper in this conference. It's an important conference. I should also say, unfortunately, I'm not there with you. I would love to, but family reasons kept me back in Washington. Let me start by introducing a little bit myself. I'm Antonis Kotidis.
I'm an economist at the Board. This is joint work with Stacey Schreft. Stacey is a deputy director of research in the OFR, the US Treasury Department. Given our affiliations, the usual disclaimer applies.

So I will start my presentation with a very simple fact. The fact is that at the time of unprecedented digital transformation of the global financial system, a new threat to financial stability has emerged, cyber attacks. And everyone seems to be worried. Our policymakers are concerned that a cyber attack could trigger a financial crisis. Cyber attacks have emphasized cyber attacks as a financial stability risk and some of them even call for more cyber monitoring and even more macroprudential regulation. At the same time, industry participants consistently cite cyber risk as a top risk in surveys. Yet to the best of our knowledge, there's no paper of an actual cyber attack that potentially threatened financial stability.

So what we're doing in this paper is that we study an actual multi-day cyber attack, which is fairly representative of many others in the nature of the attack on a major technology service provider. Neither today nor in the paper, I'm going to tell you which TSP was impacted. I'm not going to tell you when the attack happened. I'm not going to tell you how long it lasted for. What I will tell you, though, is that given the size and scale of operations of this TSP globally, that was potentially a financial stability event.

What happened? As soon as the TSP discovered evidence of an attack on its computer network, it disconnected affected servers from the internet in order to contain the attack. The banks that were relying on this TSP in order to connect and send payments over Fedwire, which is the main payment system in the United States, immediately lost their ability to do so. At the same time, other banks that were relying on alternative TSPs in order to connect and send payments over Fedwire were doing business as usual.
So what we do here is that we study the financial stability effects of this event as well as contagion through the payment system. Why the payment system? Because it is a common yet crucial transmission channel for stress in the financial system, as we know from past literature.

So if you had access to the raw Fedwire data, probably the first thing to do would be to just plot the payment activity by users of the TSP and non-users of the TSP before, during and after the cyber attack. So that's exactly what I showed you here. On the left, you see the number of payments by users in blue and non-users in red before, during and after the cyber attack, and on the right, you see the value of payments. On the X axis, we have days, the Fedwire data is daily data, however, you don't really see days. All you see is equal to zero, which is the first day of the event, and this is because you want to protect a little bit of sensitivity if you want to pay that. And you may have also noticed that both lines on the Y axis have been normalized so that both start from one. Again, this is in the spirit of protecting the confidentiality of the event.

Despite our interventions to the raw data, there are some key takeaways from these graphs. One, the greatest disruption was on the first day of the attack, which is depicted by the first red vertical dashed line and consistent with the idea that banks switch to alternative ways in sending payments after the TSP went down and the TSP gradually restoring services for these users. We see some gradual normalization both in terms of the number and in terms of the value of payments on subsequent days. And importantly, we see very similar trends in payment activity of users and non-users both before but also after the cyber attack.
And I'm saying this is important because it gives us confidence when we plot the raw data that the divergence that we observe during that period can in principle be attributed to the cyber attack itself and not potentially of anything else that are potentially happening at the same time, okay?

So before I start digging deeper into the findings of this paper and what we do, I think it is important to just fix ideas. So what I show you here is a concept, what I'm going to present is a conceptual framework that's going to inform our empirical analysis. So this is a typical Fedwire trading day, okay? So starting from the far left, we have Bank 1. Bank 1 sends $100 payments to Bank 2 and Bank 3. And as soon as banks 2 and 3 receive $100 payments from Bank 1, they go ahead and send $100 payments each to Bank 4. Bank 4 on the far right, as soon as it receives $200 payments combined by banks 2 and 3, it goes ahead and sends $100 payments back to Bank 1 and this completes the picture.

Now, the devil here is in the details. What exactly do I mean when I say that Bank 1 sends $100 payments to Bank 2? Practically speaking, it means that staff in Bank 1 are sitting in front of a software which has been purchased by the TSP, okay? They're logged in with their credentials and their passwords and they're able to connect to Fedwire and send Fedwire payments, okay? The problem is that the software is not working anymore. Exactly because the TSP just disconnected affected servers on the internet in order to contain the attack.

Well, for Bank 2, this is not a problem because it's not a user of the TSP. However, for Bank 3, although Bank 3 is still receiving $100 from Bank 1, exactly because Bank 1 is able to send $100 payments to Bank 3, Bank 3 cannot log in anymore to the Fedwire and as a result cannot send $100 payments to Bank 4, okay? A mechanical effect here is that its reserves that it has at the Fed are going to jump from $50 to $150.
That's a mechanical effect and we'll have it in the paper, okay?

Now, the interesting part is what happens with Bank 4 on the far right. Bank 4 now only has access to $150, $50 as reserves and $100 receiving from Bank 2 in order to make a payment of $200 back to Bank 1. So unless Bank 4 finds an alternative source of funding, which in this case, since reserves are not enough, can either borrow from the interbank market or from the discount window, unless it finds an alternative source of funding, then Bank 4 will only be able to make a payment of $150 back to Bank 1 and you see how the initial shock to technology service provider affecting and propagating through the rest of the system.

So when I will refer to the first round effect, I will essentially be comparing the differential payment activity of Banks 2 and 3. When I will refer to the second round effect, I will study the incoming payments of Bank 4 and when I will refer to the third round effect, I will study the outgoing payments of Bank 4, which is this propagation of the rest of the system.

So starting with the first round effect, I will ask two very simple questions here. The first one is what share of all Fedwire payments would have been lost had zero payments gone through. Remember what I said earlier, when the TSP went down, banks actually did switch to alternative ways in sending payments which were more manual and time consuming. So this counterfactual exercise here is gonna give us an upper bound estimate of what would have happened had banks not switched at all. So we're gonna use this as a benchmark if you want. The number of the answer is 0.7%, which is simply the share of users' value in total payments in Fedwire. And this may seem small, but we know that in payment systems, there's large concentration in terms of the value of payments for G-SIBs. We find that the responses by the official and private sectors cut this effect almost by half, okay?
Especially on the first day of the event when the disruption was most severe.

And as a matter of fact, I can push forward this argument here and try to decompose the responses of the official sector, try to quantify the response of the official sector and the private sector separately. So on the left here, I rerun the regressions by excluding the extensions in the trading day granted by the Fed. And what we find is that the effect on the first day would have been half percent compared to this 0.42% that I showed you earlier that includes these extensions in the trading day. And on the right, we rerun the regressions by excluding the restoration efforts by the TSP, which were material toward the end of the event. And what we find is that the effect on the last day of the event, essentially will have been the same as on the first day of the event. You see that economic significance is essentially the same. So taken together, this evidence suggests that the actions and the steps, both by the official sector, the central bank as well as the private sector, the banks themselves as well as the TSP helped mitigate the impact of cyber attacks.

Let me just go quickly to the second and third round effects. If there is a second round effect, that should be on non-users of the TSP themselves that are on the receiving end of those payments. And again, we're interested in two questions. The first one, was there a drop in payments non-users received? This is a second round effect. And if so, how did these guys respond to the liquidity shortfall? Did they send fewer payments themselves? This is the third round effect.

We run our models. We find that incoming payments of receiver banks dropped, especially on the first day of the event when this disruption was more severe and consistent with the evidence I showed you earlier, the drop was less severe on subsequent days. Okay. How did the receiver banks address the liquidity shortfall?
What we find is that small receiver banks were more likely to borrow from the discount window, especially those with no alternative sources of funding, meaning that their Fed funds borrowing was zero, and especially those with relatively few reserves. Okay. So to put it differently here, if you're a small bank with no access to the interbank market and you have relatively few reserves, then we find that this bank is gonna go to the, is more likely to borrow from the discount window.

How about large banks? Those large receiver banks with more reserves relied on those reserves, especially on the first day of the attack when this disruption was more severe, while the rest of the large receiver banks increased borrowing from the interbank market, especially those with relatively few reserves. And taken together, we find that these responses were sufficient to avoid the third round effect and broader financial instability.

Let me just provide some policy lessons here as a concluding remark. First of all, official and private sector responses do matter. Bank users switched to alternative methods in sending payments, which allowed them to send payments after business hours using Fed's extension of the trading day. However, they did not switch to them quickly enough in order to avoid contagion. As a result, bank non-users on the receiving end of those payments had a material drop in payments received. We also find that the restoration of services by the TSP helped mitigate some of these effects.

The second policy lesson here is that liquidity buffers matter. Banks non-users with sufficient reserves relied on those reserves to make their own payments, while the rest, they had to borrow funds either from the Fed or from the interbank market. And we know that when you borrow funds, essentially this has an opportunity cost.

Finally, central bank support matters.
We find that the traditional tools that the central bank has are effective in mitigating the impact of non-traditional shocks, such as cyber attacks. And in this particular case, we find that Fed, by extending, by injecting time to the system, mitigated the first round effect and by injecting liquidity to the system, mitigated the second round effect. This concludes my presentation. And I look forward to the discussion and any questions. Thank you so much.

Wow, that was fast. So Andreas didn't have to raise any sign. So Jacob, the floor is yours. So who would be a better discussant for such a paper than somebody who is in charge of looking at risks in the EBA? So the expectations are sky-high at that moment. Jacob Gyntelberg from the EBA.

There we go. So thanks for the, anyway, thanks for inviting me, right? I think it's excellent to have a research conference here. I think it's about time. So well done for the organizers. And thanks for inviting me. Now, so let me see if I can do this, right?

So just to be clear, I think this is an excellent paper, right? In a sense, it's reassuring, right? We have a good small example, but big enough to learn from, but not big enough to break the system. So we've got to be thankful for the opportunities the nature provides here, right? Now, so basically I'm not gonna do this recap, but it's on the slide, right? I just think, for me, this is exactly what I would think would happen, right? There's nothing surprising in this. It's kind of comforting to say, okay. And as I think, as you said, look, the Fed tools were pretty effective in mitigating the impact on the liquidity side for the system, yeah?

Now, okay. But then, you know, what does that mean? Well, for me, just in terms of critiquing the paper very quickly, right? This is a pretty unique case study.
Now, I know, having worked on the evil capitalistic side for a while, there are many other examples where there are cyber attacks that have impacts on banks and the system, right? I think the lesson here would be, it'd be good to see more examples, particularly the ones that are now a little bit old, but still relevant, right? So for those of us who know, maybe there's an obligation to try and bring them out in the nice way as it's done here, yeah?

I think it's clearly relevant as we're moving into a much more computer-based digital payments world, right? We have, there's an awareness in Europe. We have legislation coming, right? We have DORA coming down the path. We have new entrants coming in. So there's a whole movement on the technology side here, which at least from my perspective has mostly already happened, but there's no doubt more to come. So it's highly relevant, right?

I think, again, on one of the strengths, very simple, very clear, graphs are elegant, right? It's very easy to see what's going on. Regressions are understandable, right? They know not much bells and whistles needed here to make the point.

Now, what could be done? I think, usefully, it could be to say, look, there's a few papers out now on theory that looks at spillover effects and network structures. Might be good to see some link to the newer theory. And I can give names on papers I'll send to the author, but there is a growing body of work that looks at this from a liquidity risk to the spillover effect. It harks back to the olden days of Herstatt risk papers and whatnot. So there's a number of things. I know Philip has done work in this as well, so it's not all new, right? So I think maybe look at those theory papers and say, where are we? What do we learn from this, right? Does it match what the models would suggest or are there lessons here?
I guess the other point I would make is now we have a third party being attacked, but how does that compare to own homemade messes by the banks? Well, it's the banks themselves that mess things up and are able to pay. Is there a big difference? What does that, how does that compare? And as I already said, if we could compare with other cases that might be helpful to see if there are nuances we would take home, yeah? So that's basically my sort of my suggestions for the paper as is.

Now given that I'm here in the hallowed halls of a supervision, right? Just let me take five more minutes to say what are the wider implications here, right? Well, I think it's clear that it's important to maintain in-house hygiene. I think one of the points made is that this ability to recover and come back was a big part of what reduced the impact. You know, it's clear that we have a number of TSPs out there that look a bit like the ones shown and they're all out there and they can have the same impact on preventing payments from being made, right? So I think this is another point to make that maybe this one TSP is not that special even though it looks at the Fedwire system, there are many other examples of third party providers that have key roles in payment systems, yeah?

Again, what are the other lessons learned? Well, business continuity, recovery plans make a difference, right? Recovery not in ending the bank, but in being able to come back, have a secondary way to transmit money matters, right? Again, I think what we also learn is it's important to see what are the liquidity impacts here, right? The Fed did have to step in, to step in there was a need even for larger banks to get extra cash, yeah? So there's also a lesson, right? And I wonder if there are any financial market implications of this, is this had an impact wider out into, in addition to what the banks did in the sort of narrow Fedwire system, did this have an impact on other things they did?
Yeah, I don't know, but I think it could be there.

Now, what does that mean for us? Well, there's clearly a perimeter question, right? If I could say like that, so here I would say the main lesson for me is we need to know what the network looks like, who's out there, what is the structure of the ecosystem that we have? Because if we don't know the structure of the ecosystem, we don't really know what's at risk here, who are actually the critical TSPs out there, like the one that was demonstrated here in the paper, right? So for me, there's a definite need to take a lesson here and say, look, we did that back in 08 when we started mapping out the global financial system with a bit more focus on interconnectedness. Here it seems to me that this is an obvious thing to start doing, right?

Again, I would say our view on stress testing, given my current job, is also, look, of course we need to think about operational stress testing, cyber stress testing, liquidity stress testing as linked together, right? You can't just treat it as separate issues, right? They are probably the same short-term, highly linked set of issues we need to address, and we probably need to get going, right? And I would say here, are we doing enough war games? Yeah, have we practiced this? Are the banks practicing this? If not, they should, because it's clearly something that matters, that's it. Thank you.

So questions from the floor.

Martin Oehmke from the London School of Economics. Slightly outside of this paper, but I think something that this paper makes me think about is extrapolating and thinking about the incentives of, say, the technology service providers or other involved parties to invest in cybersecurity. How should we think about that and how should bank supervision or cybersecurity supervision, I don't know, think about that? And I wonder whether what you found in the incident that you looked at gives any guidance for that. Thank you.

Jean-Edouard Colliard from HEC Paris.
I like this topic a lot. I think it's very relevant. I was wondering, I mean, in a sense, maybe this cyber attack, fortunately, was targeting a point in the system that is maybe not that weak. So I was thinking, are there concerns that instead of attacking the flows, like the payments, people could attack the stocks, like the registers where we keep information and who owes what to whom. And so because if this information gets destroyed, then this is a whole different mess, I guess. I was also wondering, what about the connections between the banks and the central banks? Because here, the banks could still operate with the Fed, and so it's reassuring, but not very surprising to see that then when you still have access to the lender of last resort, all goes well. But what if this particular infrastructure is targeted? Is the Fed thinking about that? So I would be curious to know your views. Thank you.

Okay, Antonis, you want to answer to your discussant and the three questions that were asked?

Yes, so first of all, many thanks, Jacob, for this great discussion and the questions. Let me just, a couple of things I have to note here. So your suggestion to connect to theory a little bit better. We have some theoretical papers in the literature review, but I agree with you, we can do better. So I will be reaching out to you to share this literature that you mentioned. I think we can do better on that end.

I think one comment in the discussion was what if banks were attacked directly? Well, so here's the thing, like in this case, the TSP was impacted and banks were indirectly essentially impacted because the TSP went offline. Like I said, banks were able to switch to alternative ways in sending payments, but if a bank is directly attacked, they will not be able to do so. So the effect, if anything, will have been way larger because banks wouldn't have been able to switch to alternative ways in sending payments.
And this goes back to your first point, Jacob, that we need more examples. Yes, we need more examples. We need more examples that not only TSPs are impacted. We need examples that banks, key players, are impacted even though the impact is not, even if it is like a long, hours long event. We need to understand a little bit better how banks, how prepared they are and what we, the central bank, can do in order to mitigate the effects.

There was another point in the discussion about we need to understand what the network looks like. I can't agree more on this, frankly. Like the extent to which the system is digitally interconnected, I'm afraid like it remains completely in the dark, okay? Mainly because of lack of data. But we know from the past that when we don't understand something sooner or later, it's gonna bite us back. So this digital interconnectedness, I think it is a key point or if you want a concentration risk, there are some key players in this market and a whole set of questions arise. Are they supervised? Who supervises them? Or maybe if they're not supervised, maybe we should, et cetera, et cetera.

On the questions from the audience, let me start from the last question. The connections the banks have with the central bank. So essentially here, a very dark scenario is like, what if the central bank itself is under a cyber attack? Because then you don't have the lender of last resort. You don't have the coordinator of last resort because essentially when the Fed extends the trading day, essentially coordinates reserves among banks and in their master account. So this is a very dark scenario. I'm not sure I wanna think what would happen in this case, but it is a scenario that some people are thinking of.

Finally, the TSP and its incentive to invest in cybersecurity. Yeah, so I mean, this is a classic principal agent problem, right?
Like if I'm a bank and I essentially delegate this, my whole cybersecurity defense to another company, what is the optimal investment of this TSP on cybersecurity incentives? I mean, there are a couple of theory papers which I'm happy to share with whoever asked the question. There are a couple of theory papers. Actually, Toni Ahnert, who's at ECB, has a very nice paper on this. And they study the incentives of these TSPs, these players to invest in cybersecurity in the presence of this delegation.

Thank you very much. If there are no further questions, definitely an area where we need to see much more research and in particular much better data to understand better the systemic risks that may be associated with those developments.