“Hostile agents must find one part of the system to attack, while the defenders must protect the entire system. We call it the defender’s dilemma,” said Jón Danielsson, director of the Systemic Risk Centre in the department of finance at the London School of Economics. These malicious agents may be terrorists, criminals and/or nation-states.

Danielsson commented that the resources needed to attack are much lower than the resources needed to defend. “The asymmetry between the defenders and the attackers continues to grow the more we use AI.” He thinks that the only possible solution is a more diversified system, making it more resilient.

Nicolas Veron, senior fellow at Bruegel and at the Peterson Institute for International Economics, expressed his concerns about the “highly antagonistic” impulses of the current US administration against its allies. On cyberattacks, countries that need to be considered as potential threats “have to expand that to the US… if we want to think in terms of tail scenarios.”

A good crisis must hit banks liquidity

“We must both consider financial system instabilities and technology instabilities. The risk lies on the intersection,” stated Danielsson. He argued that a cyberattack during a period of liquidity strain or low confidence in authorities, such as in 2008, would be far more damaging for the system. “A cyberattack would have acted as a systemic crisis amplifier.” Interestingly, he suggested that a successful cyberattack nowadays would need to be coupled with a liquidity crisis for successful mayhem.

“Liquidity buffers in an age of AI and the way we calibrate LCR [liquidity coverage ratio] may well be outdated given the way AI speeds up liquidity management.” Danielsson also suggested that central banks need to adapt to AI-driven crisis reactions with automatically triggered liquidity facilities, as upcoming crises will reduce the need to react to hours--or even minutes--thanks to AI.

ECB: European banks displaying mixed preparation against cyberattacks

“Banks used to come to me and talk about how cyber was the one thing that kept them awake at night but did no profit, so they couldn't spend on it,” said John Berrigan, director general for financial stability, financial services and the capital markets union at the European Commission. Despite banks’ reluctance to share information between themselves, he noted positively that banks are starting to talk to each other and have started to realise mutual benefits. “If a bank could be attacked by cyber, well, the next day, I could be attacked by the same person.”

There’s acknowledgment that preparedness has improved, especially with legislation like the Digital Operational Resilience Act (Dora), which codifies how financial institutions should organise their defences. Yet Berrigan commented that addressing systemic cyber risk, where the entire financial system is under attack simultaneously, requires further attention.