Cyber Security and Ransomware in Financial Markets

Financial institutions in modern markets often act as online platforms to process transactions, store data and provide advice. As their digital footprint has grown, their vulnerability to cyber attacks has increased as well. Financial institutions often face two types of cyber attacks:

• conventional attacks that steal clients’ assets or data from a firm
• ransomware attacks that seize control of an institution’s information technology system and hold it hostage until ransom payments are made

Firms and clients are interested in preventing successful attacks: Clients want to avoid losses, while firms wish to keep customers happy. This relationship raises some questions:

• What is the impact of the institution’s relationship with clients on cyber security investment and, ultimately, its vulnerability to breaches?
• Does the introduction of ransomware reduce or increase the risk of cyber attack?
• Which types of financial institutions are most affected by ransomware?
• How might a regulator improve the welfare of firms and clients, and does the solution depend on the type of attack (i.e., conventional or ransomware)?

We model the financial system with clients, financial infrastructure providers and cyber attackers. We show that ransomware attacks are more likely to succeed than conventional attacks. When clients do not know how much financial institutions invest in security, these institutions underinvest. A regulator can improve welfare by requiring security investment (e.g., minimum security standards) or by requiring improved transparency (e.g., security ratings). Our results support regulatory efforts to increase transparency around cyber security and cyber attacks.