Cyber Security and Ransomware in Financial Markets

Available as: PDF

Financial markets face the constant threat of cyber attacks. We develop a principal-agent model of cyber-attacking with fee-paying clients who delegate security decisions to financial platforms. We derive testable implications about clients’ vulnerability to cyber attacks and about the fees charged. We characterize which cyber attacks actors choose. We find that ransomware attacks are more successful than traditional attacks and that platforms underinvest in security when security is unobservable. Regulating security investment (e.g., minimum security standards) or improving transparency (e.g., security ratings) can improve welfare. Our results support regulatory efforts to increase transparency around cyber security and cyber attacks.