A new Federal Reserve research paper warns that a critical “hidden cyber fault line” runs beneath the U.S. financial system through third-party technology providers whose vulnerabilities can cascade across nearly all major banks and non-bank financial institutions (NBFIs).
The research, released last week, utilizes proprietary cyber risk modeling from CyberCube, which the Fed used to simulate both routine cyber incidents and catastrophic events.
“Our most significant finding is the identification of a hidden cyber fault line within the financial system: third-party service providers,” the report states.
Using CyberCube’s security and exposure scores, the Fed assessed the top 100 U.S. banks and top 100 NBFIs and finds NBFIs are more likely to fall into CyberCube’s high-risk quadrant, defined as low cyber hygiene alongside high exposure to cyber incidents:
“42 NBFIs are located in the ‘High Risk’ quadrant compared to 27 banks,” the report states, adding that CyberCube’s data is predictive of real-world cyber events.
“The security score has a consistently significant negative effect… while the exposure score shows a significant positive effect” on cyber incident probability.
Third-Party Vendors Are a “Critical” Flaw
According to the research, CyberCube simulations of routine (attritional) cyber events—malware, data breaches, and network outages—suggest that while banks may appear less vulnerable, their relative earnings exposure is higher.
Routine cyber incidents represent “41 basis points of annual revenue” for banks and “20 basis points” for NBFIs at the 99.9th percentile loss level, according to the report.
The Fed also emphasizes that banks’ third-party providers are the system’s weakest link.
The joint dependency on a small group of major cloud and cybersecurity providers amplifies systemic risk, the research argues. According to CyberCube’s Single Point of Failure (SPoF) assessments, “Approximately 55 percent of all modeled SPoFs fall within the high-risk quadrant… a greater percentage than the banks and NBFIs that appear in the same region.”
Moreover, these providers are ubiquitous. Services like “Microsoft Exchange Online, AWS, DigiCert, CloudFlare, and Microsoft Azure are all connected to 95 or more of the top 100 banks and 95 or more of the top 100 NBFIs.”
This concentration means failures could ripple across nearly the entire financial sector, according to the Fed.
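As an added illustration, not taken from the Fed paper or from CyberCube, the two measures described above can be sketched in a few lines: a risk quadrant per firm from a security (hygiene) score and an exposure score, and each provider's reach across the firms that depend on it. The firms, providers, scores and quadrant thresholds below are constructed sample data.

```python
# Constructed example (not from the Fed paper): quadrant triage and provider reach.
from collections import Counter

# Constructed sample: firm -> (security_score, exposure_score, providers).
# Security: higher = better hygiene. Exposure: higher = more exposed. All made up.
FIRMS = {
    "bank_a": (82, 35, {"cloud_x", "cert_y", "cdn_z"}),
    "bank_b": (71, 60, {"cloud_x", "cert_y"}),
    "bank_c": (48, 77, {"cloud_x", "cert_y", "cdn_z"}),
    "nbfi_a": (40, 81, {"cloud_x", "cdn_z"}),
    "nbfi_b": (55, 68, {"cloud_x", "cert_y"}),
    "nbfi_c": (90, 30, {"cloud_x"}),
}

# Hypothetical thresholds; CyberCube's actual quadrant cut-offs are not given in the article.
SECURITY_LOW = 60   # below this counts as low cyber hygiene
EXPOSURE_HIGH = 65  # at or above this counts as high exposure


def quadrant(security: int, exposure: int) -> str:
    """Map a (security, exposure) pair to one of four named quadrants."""
    low_hygiene = security < SECURITY_LOW
    high_exposure = exposure >= EXPOSURE_HIGH
    if low_hygiene and high_exposure:
        return "High Risk"
    if low_hygiene:
        return "Low Hygiene"
    return "High Exposure" if high_exposure else "Low Risk"


def quadrant_counts(firms=FIRMS) -> Counter:
    """How many firms land in each quadrant."""
    return Counter(quadrant(s, e) for s, e, _ in firms.values())


def provider_reach(firms=FIRMS) -> dict:
    """Fraction of firms connected to each provider (1.0 = every firm)."""
    counts = Counter(p for _, _, provs in firms.values() for p in provs)
    return {p: n / len(firms) for p, n in counts.items()}


def systemic_spofs(firms=FIRMS, min_reach=0.95) -> list:
    """Providers whose outage would directly touch >= min_reach of the firms."""
    return sorted(p for p, r in provider_reach(firms).items() if r >= min_reach)


def blast_radius(provider: str, firms=FIRMS) -> list:
    """Firms directly affected if `provider` fails."""
    return sorted(n for n, (_, _, provs) in firms.items() if provider in provs)
```

Run against a real vendor inventory, `systemic_spofs` is the list of providers whose single outage reaches nearly every firm, which is the concentration the Fed flags; `blast_radius` gives the firms a continuity plan for that provider would need to cover.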
Catastrophic Scenarios: Losses 60x Larger
The researchers used CyberCube’s Portfolio Manager to run 50,000 Monte Carlo simulations of extreme service-provider failure scenarios. The results show that catastrophic events are “up to about 60 times larger than those from routine incidents” for both banks and NBFIs, according to the research.
For banks, the top loss driver is a large-scale data theft at a major e-commerce platform, producing $83.9 billion in 99.9th percentile losses. For NBFIs, the greatest threat is destructive malware impacting a global cloud provider: simulated losses reach “80.6 billion” under this scenario.
Across nearly all catastrophic scenarios: “Business interruptions emerge as the primary driver of losses.”
Policy Implications: Focus on Shared Providers
The authors caution that traditional firm-level supervision misses where risks are actually concentrated. “These service providers appear to have a higher probability of suffering a cyberattack than the financial firms they are servicing.”
They argue for stronger third-party oversight, sector-wide business continuity planning, and improved information sharing among firms and providers to mitigate the risk.