In the first week of September of 2017, Equifax, one of the “Big Three” consumer credit reporting agencies scores in the U.S., announced that they had suffered a major data breach of personal data records for over 140 million Americans, as well as some British and Canadians citizens. The breach led to several lawsuits which asked the difficult question, “how much is my data worth?”—the answer, it turns out, after legal fees, about $5.
Inspired by this event, in the months that followed, we worked towards a model of how financial infrastructure providers might optimally invest in security to guard against a profit-maximizing hacker, but with a twist: instead of working to secure their own assets, we injected that glaring principal-agent problem: infrastructure providers—banks, exchanges, cryptocurrency platforms, credit agencies to name a few—did not host assets that were theirs, but instead facilitated transactions, storage, etc., for clients that paid them to do so. In this way, clients pay an agent to complete a task, but do not stipulate or enforce just how much effort they put in to ensure the transaction completes. Sure, providers may not get paid if they fail at the task, but if the failure is somewhat random based on their own security and the arrival of a hacker, then it may be worth it to skimp on security investment, or to charge a higher margin for any security they do provide.
When visiting David at the Bank of Canada, we met up with Ryan Riordan (Queen’s University), which led to the competition element of the problem: can infrastructure provider competition improve client welfare? The discussion led to a broader conversation on the role of monopolistic/large financial firms and databases in safeguarding data: could consolidation in financial markets lead to overinvestment in security, relative to what is demanded by clients? (the answer was yes). Comparatively, competition in these markets leads to lower fees for services and benefits from venue diversification, leading to more efficient security provision; the catch is, however, that “efficient security provision” doesn’t mean less vulnerable. Our paper suggests that there is a level of “efficient cyber risk”, beyond which the returns to security investment are too low.
Given that an “efficient cyber risk level” may be politically unpalatable in the face of large firms arguing that their pooling of investment may ameliorate security concerns, we show that a second-best result can be obtained where the break-up of a monopoly leads to client welfare improvement, while maintaining the monopoly level of vulnerability. To inject a hint of contemporary comedy, I had initially pitched the title “Financial Markets Can Have a Little Cyber Risk as a Treat”, but was out-voted.
N.B: The original title proposed by David was “All Your Data Belong to Us: Cyber Risk in Financial Markets”, to unearth an ancient meme; admittedly, I thought it was pretty funny.