Working Paper: CEPR ID: DP13324
Authors: Anil K. Kashyap; Anne Wetherilt
Abstract: We explain why cyber risk differs from other operational risks in the financial sector. The form of cyber shocks differs because of their intent, probability of success, possibility of a hidden phase and evolving form of the risks. The impact differs because problems can spread quickly and because uncertainty over the possibility of a hidden phase can impact responses. We explain why private incentives to attend to these risks may differ from societies’ preferences and develop six (micro- and macroprudential) regulatory principles to deal with cyber risk.
Keywords: cyber risk; stress test; macroprudential regulation
JEL Codes: G18; G28; L51; O33
Cause | Effect |
---|---|
cyber risks (K24) | regulatory responses (G18) |
private sector incentives (L33) | underinvestment in preventive measures (H54) |
regulatory intervention (G18) | adequate investment in cyber resilience (K24) |