In recent years, hackers have imposed additional costs on financial infrastructure providers through data theft and service disruptions, leading to losses for institutions and clients alike. Are institutions reacting appropriately to these threats? How should their clients respond? And, most importantly, at what cost?
Crime in the Digital World
In 2017, Equifax, one of the largest credit bureaus in North America, suffered a data breach, detected that July and disclosed in September, that exposed the personal data of roughly 147 million people in the U.S.; the 2019 settlement alone cost Equifax up to $700 million. The 2014 collapse of the Mt. Gox cryptocurrency exchange followed the theft of roughly 850,000 bitcoin, worth around $450 million at the time. As such attacks grow in frequency, financial institutions have invested heavily in cybersecurity: J.P. Morgan estimates that it employs roughly 3,000 people and spends $600 million annually on cybersecurity. Regulators have put further pressure on infrastructure providers by imposing hefty fines for noncompliance. As one example, the UK Information Commissioner's Office announced in 2019 its intention to fine British Airways £183.4 million under the EU's General Data Protection Regulation for a 2018 attack that harvested data on roughly 500,000 customers (the penalty finally imposed in 2020 was £20 million).
What makes cybercrime different from other crimes? Cyber-criminals are often difficult or impossible to identify and punish, and victims rarely receive meaningful compensation after an attack. Moreover, while network and service providers supply the defenses, it is often their users who bear the highest costs when an attack succeeds. Service providers and clients therefore face competing incentives when it comes to preventing cybercrime.
A Problem Within a Problem
Financial infrastructure providers fight a war on two fronts. To attract and retain clients, firms invest in security to protect their clients' assets and data against theft and disruption. Such protection comes at a cost, however, and someone must pay it. Firms can entice clients with security benefits, but they must also remain competitive on the fees they charge for secure services, lest fee-sensitive clients migrate to other providers. Our recent paper explores this dual problem by combining two classic theoretical games: the attacker-defender game and the principal-agent problem.
The Attacker-Defender Game
In the attacker-defender game, cyber-attackers invest in attacking power to increase the probability of a successful attack; doing so pays when the reward for a successful attack is large. Defenders counter by investing in security to decrease the probability of a successful attack. The problem resembles a classic arms race. We interpret the defenders in our framework broadly, to include financial exchange platforms, information intermediaries and financial institutions. In standard attacker-defender games, the prize the players fight over is an item the defender possesses (a plot of land, say, or a chest of gold), and that item has no say in how it is protected or by whom. The market for financial transactions and data security has a twist: the service provider (the defender) does not invest in security because the assets at risk are its own. It invests in security to attract the business of those who own the assets that need defending, something of a 'defender-for-hire' arrangement. The service provider and client must therefore agree on a defense contract that jointly maximizes their profits and utility.
The Principal-Agent Problem
By modeling client transactions as the asset, our model embeds a classic principal-agent problem: clients pay fees to a platform to complete a transaction, but they also bear some risk of loss, and that risk falls as the platform invests more in security. Clients are at the center of the game: the attackers seek to acquire the client's assets, while the defender wishes to receive the current and future fees for providing a financial service. In our model, we assume that clients may lose some or all of their assets following a successful attack, whereas the platform forfeits only the transaction fee. Because a platform's profits are tied to a successful defense of the client's assets, it has an incentive to invest in security to protect its fee.
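The two ingredients just described, the attacker-defender contest and the defender-for-hire contract in which the provider stakes only its fee, can be made concrete in a few lines. The Python below is an added illustration and is not the authors' model: it grafts a textbook Tullock contest (success probability a/(a+s), linear effort costs) onto the post's set-up, and the asset value, fee, cost parameters and scenario numbers are all constructed assumptions. It shows why a provider that risks only a thin fee buys almost no security, how the client's side of the contract is a fee that buys the provider a larger stake, and how, in this toy, doubling the market doubles both fee and security while leaving the breach probability unchanged.

```python
"""Toy 'defender-for-hire' contest.

Added illustration only. It grafts a textbook Tullock contest onto the set-up
described above; it is NOT the Brolley, Cimon and Riordan model, and every
functional form and number below is an assumption.

  breach probability  p(a, s) = a / (a + s)       (0 when a = s = 0)
  attacker payoff     p * V - c_a * a            V = client assets at risk
  provider payoff     (1 - p) * F - c_s * s      F = fee forfeited on a breach
  client cost         F + p * V                  fee paid plus expected loss

a and s are attack effort and security spend, bought at constant marginal
costs c_a and c_s. Inside the contest only the effective stakes v = V / c_a
and f = F / c_s matter.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Contest:
    V: float            # value of the client's assets the attacker is after
    F: float            # provider's stake: the fee it loses if breached
    c_a: float = 1.0    # attacker's marginal cost of effort
    c_s: float = 1.0    # provider's marginal cost of security

    def breach_prob(self, a: float, s: float) -> float:
        return 0.0 if a + s == 0 else a / (a + s)

    def attacker_payoff(self, a: float, s: float) -> float:
        return self.breach_prob(a, s) * self.V - self.c_a * a

    def provider_payoff(self, a: float, s: float) -> float:
        return (1.0 - self.breach_prob(a, s)) * self.F - self.c_s * s

    def attacker_best_response(self, s: float) -> float:
        # first-order condition V*s/(a+s)^2 = c_a  =>  a = sqrt(v*s) - s
        return max(0.0, math.sqrt(self.V / self.c_a * s) - s)

    def provider_best_response(self, a: float) -> float:
        # symmetric condition for the provider: s = sqrt(f*a) - a
        return max(0.0, math.sqrt(self.F / self.c_s * a) - a)

    def equilibrium(self) -> tuple[float, float, float]:
        """Nash equilibrium (a*, s*, p*) of the asymmetric Tullock contest.

        a* = v^2 f / (v+f)^2,  s* = v f^2 / (v+f)^2,  p* = v / (v+f).
        """
        v, f = self.V / self.c_a, self.F / self.c_s
        if v <= 0:
            raise ValueError("attacker needs a positive prize")
        if f <= 0:  # unpaid provider defends nothing; attacker wins at ~zero cost
            return 0.0, 0.0, 1.0
        a = v * v * f / (v + f) ** 2
        s = v * f * f / (v + f) ** 2
        return a, s, self.breach_prob(a, s)


def client_cost(c: Contest) -> float:
    """Fee paid plus expected loss when attacker and provider play equilibrium."""
    _, _, p = c.equilibrium()
    return c.F + p * c.V


def optimal_fee(V: float, c_a: float = 1.0, c_s: float = 1.0) -> float:
    """Fee that minimises client_cost, i.e. the client's side of the contract.

    Setting d/dF [F + p* V] = 0 with p* = v / (v + F/c_s) gives
    F* = sqrt(V v c_s) - v c_s, which is positive only when c_a > c_s:
    the client pays for defence only if attacking is dearer than defending.
    """
    v = V / c_a
    return max(0.0, math.sqrt(V * v * c_s) - v * c_s)


def demo() -> dict[str, tuple[float, float, float]]:
    """Three scenarios in the toy's (constructed) numbers: V=100, c_a=4, c_s=1."""
    V, c_a, c_s = 100.0, 4.0, 1.0
    return {
        # provider risks only a thin transaction fee: almost no security bought
        "thin fee": Contest(V, 2.0, c_a, c_s).equilibrium(),
        # client offers the cost-minimising fee: p* drops to 1/2
        "optimal fee": Contest(V, optimal_fee(V, c_a, c_s), c_a, c_s).equilibrium(),
        # market doubles: fee and security double, breach probability unchanged
        "double market": Contest(2 * V, optimal_fee(2 * V, c_a, c_s), c_a, c_s).equilibrium(),
    }


if __name__ == "__main__":
    for name, (a, s, p) in demo().items():
        print(f"{name:14s} attack={a:7.3f} security={s:7.3f} breach prob={p:.3f}")
```

With a thin fee of 2 against assets worth 100, the provider's equilibrium security spend is about 0.14 and the breach probability about 0.93; at the cost-minimising fee of 25 both sides spend 6.25 and the breach probability is 0.5, leaving the client paying 75 in expectation rather than 100. The toy's comparative static, that fee and security scale with the asset at risk while the accepted breach probability stays put, is one way to read the market-size result discussed below, but it is a property of this contest function, not a result taken from the paper.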
Competition for Clients means Competition for Security
We consider the impact of two key factors on cybersecurity investment: (1) the size of the market and (2) competition among providers. Intuitively, we find that investment in security increases with the size of the market: larger transaction volumes give cyber attackers more to gain, so they invest more in attempting to breach service providers, and clients in turn are willing to pay higher fees to induce providers to invest in security. Once the market is large enough, however, clients accept a certain level of cyber risk, because the fee required to deter cyber attackers completely exceeds the expected cost of a breach.
A fragmented market lets clients benefit from diversification: clients spread their transactions across competing venues, each of which attackers must breach individually. We show that competition for market share between service providers leads to competition in fees, which in turn sacrifices security investment in order to provide cheaper services. Although vulnerability to breaches rises as a result, clients are willing to accept the added risk because the return from cheaper services exceeds it, akin to a Sharpe Ratio for cyber-risk. As service providers compete on fees, the total rent they extract is lower than in a monopoly. From a purely security perspective, our model suggests that large consolidated platforms appear optimal, as they offer the highest security; but that higher security reflects significant over-investment that leaves clients worse off on average.
For empiricists, our model yields several testable hypotheses: (1) large monopolists will experience fewer security events, on average, than fragmented platforms; (2) markets with a monopolist institution will charge higher fees for security than markets with competition; and (3) the more similar the operations of competing institutions, the lower the fees they will charge for security, and hence the lower their security investment.
The Takeaway: A Role for Regulation
Our model suggests a tension between monopolistic and fragmented market environments: clients prefer competition between providers, while service providers prefer consolidation into a monopoly. What makes this result concerning for policymakers is that providers may argue for consolidation on security grounds, since a monopolist that need not compete on fees can reduce the likelihood of breaches. We caution regulators and lawmakers to be wary of arguments to consolidate for security reasons, as the resulting security improvement may be inefficient.
Beyond preventing provider consolidation, we argue that policy-makers may be able to improve welfare by breaking up large monopolies, paradoxically reducing security but reducing fees by even more. We model the case of a regulator who breaks up a monopolist platform but requires the newly fragmented platforms to invest in security as if they were still a monopoly. We show that this regulator achieves higher client utility than in a monopolistic market while maintaining a similar attack vulnerability.
Our model supports the idea that monopolists, when providing a higher quality "product," will extract higher rents from clients relative to competitive platforms. Given that the product is platform security and financial system stability, it may be tempting to insist that more security is always better. We find instead that clients seek to achieve something akin to a "Sharpe Ratio for Cyber Risk," where certain levels of vulnerability are acceptable if the service provided is sufficiently cost-effective.
Michael Brolley and David Cimon are Assistant Professors of Finance at the Lazaridis School of Business and Economics at Wilfrid Laurier University. Ryan Riordan is an Associate Professor and Distinguished Professor of Finance at Smith School of Business. This post is adapted from their paper, “Efficient Cyber Risk: Security and Competition in Financial Markets,” available on SSRN.
The Sharpe Ratio is the difference between the return on an investment and the risk-free return, divided by the investment's volatility.