Note: The figure shows the proportion of recipient banks that may run into problems due to an operational problem at one of the three large banks (A, B and C). The simulation was carried out for each day in 2019 (2014); the figure shows the five days with the greatest effect.
A cyber incident could also lead to a systemic crisis if confidence in one or more banks is lost. In this scenario, the consequences of the incident remain unclear for a long time, and concerns about it are reinforced by negative media coverage. Customers and market participants lose confidence, which makes it harder for the bank to attract loans and induces customers to withdraw their savings. This stress scenario leads to a significant outflow of deposits, but the average Dutch bank still has plenty of liquid assets left. For the average Dutch bank, on top of the already assumed stress, 25% of stable deposits would have to be withdrawn before the bank runs out of liquidity. When additional market financing outflows are included, this point is reached at a deposit outflow of 13%. These are significantly higher percentages than the 5% outflow that banks must be able to absorb under the regulations.
The stress scenario analyses show that a cyber incident does not develop into a systemic crisis overnight, but that it is possible in certain situations. For example, operational problems may occur at a larger scale and simultaneously at several large banks. In that case it is more likely that the banking sector will run into trouble. Also, an incident may initially cause damage through the operational channel, and subsequently lead to a confidence shock. Therefore, further analysis of more complex scenarios is necessary.
Supervisory authorities and institutions focus on preventing contagion
Even if it has not happened to date, in the future a cyberattack could take place in the Netherlands that endangers financial stability. The efforts of supervisory authorities and financial institutions are therefore not only aimed at limiting the impact of cyberattacks on individual institutions, but also at preventing contagion to the rest of the financial system. As part of this, we are working to further improve our monitoring of cyber incidents to gain a better insight into the various channels through which a cyberattack can develop into a systemic risk. It is important that this also happens on a European and international level, and we strongly advocate this. On this basis, we can take measures where needed to limit the further spread of the shock and to increase the resilience of the system.