






































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The significance of cyber risks as systemic risks in the global economy, the interconnectedness of financial institutions, and the methods for managing and mitigating these risks through various tools and regulations. It also touches upon the history of risk management and the importance of stress testing.
Typology: Study notes
1 / 46
This page cannot be seen from the preview
Don't miss anything!







































Kristin N. Johnson *
TABLE OF C ONTENTS
I. I NTRODUCTION .................................................................... 548
II. U NDERSTANDING , M ANAGING , AND M ITIGATING S YSTEMIC R ISKS .................................................................. 556 A. IDENTIFYING RISKS ........................................................ 556 B. WHY ARE SYSTEMIC RISKS SPECIAL? .............................. 559
1. Understanding Systemic Risks .............................. 560 2. A Brief Survey of Risk Management Approaches .... 561 C. SYSTEMIC RISK MITIGATION ........................................... 565
III. E MERGING S YSTEMIC R ISK C ONCERNS : C YBERSECURITY THREATS .................................................. 568 A. DEFINING CYBERSECURITY THREATS ............................. 569 B. CYBER RISKS AND FINANCIAL INSTITUTIONS ................. 571
IV. R EGULATING C YBERSPACE .................................................. 576 A. TOWARD TRANSPARENCY AND INFORMATION SHARING ... 577
1. The Cybersecurity Information Sharing Act of 2015 ......................................................................... 578 2. Weaknesses of the CISA .......................................... 580 B. ALTERNATIVE INITIATIVES ............................................ 583
V. C ONCLUSION ....................................................................... 591
548 GEORGIA LAW REVIEW [Vol. 50:
I. I NTRODUCTION
Cybersecurity concerns are an ever-increasing threat. 1 The rising cost, frequency, and severity of data breaches^2 now dominate risk management discussions.^3 Over the last ten years, more than 4,000 known data breaches have shocked, debilitated, and even (temporarily) paralyzed markets. 4 Commentators estimate that potentially billions of records containing confidential or sensitive data have been compromised. 5 Experts suggest that data breaches cost the global economy more than $400 billion dollars of losses annually.^6 Heads of state around the world have committed to enhance cybersecurity, to protect intellectual property and confidential or sensitive data, and to aggressively
(^1) See Tom C.W. Lin, Financial Weapons of War , 100 M INN. L. R EV. 1377, 1381 (2016) (discussing financial infrastructure as a “new theater of war”); Matthew Goldstein, Brokerage Firms Worry About Breaches by Hackers, Not Terrorists , DEALBOOK, N.Y. T IMES (Feb. 3, 2015, 11:54 AM), http://dealbook.nytimes.com/2015/02/03/brokerage-firms-most-wo rried-about-hackers-and-rogue-employees-finra-report-sa ys/?_r=0 (discussing the threat of hacking faced by financial firms); Sam Jones, Cyber Security: Business Is in the Front Line , F IN. T IMES (Apr. 29, 2014, 10:35 AM), http://www.ft. com/intl/cms/s/0/11b41ac4-c3cb-11e3- a8e0-00144feabdc0.html#axzz3hFamiepE (noting an increase of data breaches by 63% in 2013); see also David E. Sanger & Julie Hirschfeld Davis, Hacking Linked to China Exposes Millions of U.S. Workers , N.Y. T IMES (June 4, 2015), http://www.nytimes.com/2015/06/05/us/ breach-in-a-federal-computer-system-exposes-personnel-data.html (reporting that a large breach of federal employees’ data originated in China). (^2) Data breaches occur when cybercriminals hack into businesses or corporations to steal confidential information such as credit and debit card numbers, e-mail addresses, and phone numbers. E.g. , Rachael M. Peters, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws , 56 A RIZ. L. R EV. 1171, 1173 (2014) (discussing sizable data breaches at Target, Home Depot, and JPMorgan Chase). (^3) See infra Part II.B. 2. (^4) Protecting Consumer Information: Can Data Breaches Be Prevented? Hearing Before the H. Subcomm. on Commerce, Mfg., and Trade , 113th Cong. 1–2 (2014) (statement of Lisa Madigan, Att’y Gen. of Illinois), http://energycommerce.house.gov/hearing/protecting-consu mer-information-can-data-breaches-be-prevented. (^5) See C TR. FOR STRATEGIC & INT ’ L STUDIES, N ET L OSSES: E STIMATING THE GLOBAL C OST OF C YBERCRIME 3 (2014), http://mcafee.com/US/resources/reports/np-economic-impact-cyber crime2.pdf (“The cost of cybercrime includes the effect of hundreds of millions of people having their personal information stolen—incidents in the last year include more than 40 million people in the US, 54 million in Turkey, 20 million in Korea, 16 million in Germany, and more than 20 million in China. One estimate puts the total at more than 800 million individual records in 2013.”). (^6) Id. at 2.
550 GEORGIA LAW REVIEW [Vol. 50:
Cyberattacks capture national and international attention because of their pervasive effects. For example, in December 2013, Target announced that the discount retailer company had suffered a data breach.^15 The hackers who orchestrated the crime obtained the confidential credit and debit card information of more than 40 million customers. 16 As investigations ensued, Target continued to adjust its estimate of the number of records accessed, ultimately reporting that hackers captured the personal data of as many as 110 million customers.^17 In 2014, in a data breach involving a similar method of deception, hackers invaded home improvement retailer Home Depot’s records and acquired 56 million customers’
mes.com/2015/03/16/business/dealbook/authorities-closing-in-on-hackers-who-stole-data-from- jpmorgan-chase.html (“[H]ackers gain[ed] access to email addresses and phone numbers for 83 million households and small businesses... .”); Jones, supra note 1 (“[C]riminally-motivated cyber breaches are not just related to cyber theft, but can increasingly involve market manipulation. One international lawyer says he is aware of attacks that targeted his and other similar law firms to mine information on merger and acquisition activity in London and New York.”). (^13) See, e.g. , Fighting China’s Hackers: Is It Time to Retaliate Against Cyber-Thieves? , ECONOMIST (May 25, 2013), http://www.economist.com/news/united-states/21578405-it-time-r etaliate-against-cyber-thieves-fighting-chinas-hackers (“American officials... report that intellectual property (IP) is being stolen on an unprecedented scale, and that passive defenses no longer work.”). (^14) See, e.g. , David E. Sanger & Nicole Perlroth, Bank Hackers Steal Millions via Malware , N.Y. T IMES (Feb. 14, 2015), http://www.nytimes.com/2015/02/15/world/bank-hackers-steal- millions-via-malware.html (describing how hackers forced an ATM to dispense cash); Ian Wylie, Danger in the Digital Age: The Internet of Vulnerable Things , F IN. T IMES (Apr. 26, 2015, 11:59 PM), http://www.ft.com/cms/s/0/fc2570f0-cef4-11e4-b761-00144feab7de.html#axz z3r0dmZUid (“Less well understood are the growing cyber threats to physical assets, as the online world merges with the real one.”). (^15) See Rachel Abrams, Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop , N.Y. T IMES (Aug. 5, 2014), http://www.nytimes.com/2014/08/06/business/target- puts-data-breach-costs-at-148-million.html (discussing how hackers stole Target customers’ credit card and other personal information in a data breach). (^16) Elizabeth A. Harris & Nicole Perlroth, For Target, the Breach Numbers Grow , N.Y. T IMES (Jan. 10, 2014), http://www.nytimes.com/2014/01/11/business/target-breach-affected- 70-million-customers.html. (^17) Harris & Perlroth, supra note 16; see also Nicole Perlroth, Target Stuck in the Cat-and- Mouse Game of Credit Theft , N.Y. T IMES (Dec. 19, 2013), http://www.nytimes.com/2013/12/ 20/technology/target-stolen-shopper-data.html (“Target said that from Nov. 27 to Dec. 5 hackers stole customer names, credit or debit card numbers, expiration dates and three- digit security codes... .”).
credit and debit account information and 53 million customers’ e- mail addresses.^18 In both the Target and Home Depot data breaches, malicious software (malware) infected the business’s cash register system enabling hackers to view, record, and alter data.^19 One risk from such a breach of customers’ credit and debit card information and personal data is that hackers may make counterfeit cards and commit fraud. 20 Research firm Aite estimates that the costs of counterfeit fraud reached $1.35 billion in 2008 and accounted for 15.7% of the total $8.6 billion in credit and debit card fraud in the same year. 21 These large-scale data breaches are not unique to chain retailers. While cyberattacks against retailers are troubling, hackers’ efforts to breach the firewalls of financial institutions and exchanges at the center of international commercial enterprise— financial institutions—could threaten to destabilize global economic systems. The architecture of modern markets makes financial institutions critical to global commerce and to the operations of local, state, national, and foreign governments.^22 The universe of
(^18) Shelly Banjo, Home Depot Hackers Exposed 53 Million Email Addresses , WALL ST. J. (Nov. 6, 2014, 8:03 PM), http://www.wsj.com/articles/home-depot-hackers-used-password-stole n-from-vendor-1415309282; see also Maggie McGrath, Home Depot Confirms Data Breach, Investigating Transactions from April Onward , FORBES (Sept. 8, 2014, 5:32 PM), http:// www.forbes.com/sites/maggiemcgrath/2014/09/08/home-depot-confirms-data-breach-investigat ing-transactions-from-april-onward/ (discussing Home Depot’s payment data systems breach). (^19) See Banjo, supra note 18 (“The hackers evaded detection in part because they moved around Home Depot’s systems during regular daytime business hours and designed the malware to collect data, take steps to transmit it to an outside system and erase its traces.”); Andrea Peterson, Secret Service Estimates Type of Malware that Led to Target Breach Is Affecting Over 1,000 U.S. Businesses , WASH. POST (Aug. 22, 2014), https://www.washingtonpo st.com/news/the-switch/wp/2014/08/22/secret-service-estimates-type-of-malware-that-led-to-tar get-breach-is-affecting-over-1000-u-s-businesses/ (“The malware remotely exploits businesses’ administrator accounts and steals consumer’s [sic] payment data, such as their credit and debit card numbers.”). (^20) For a general discussion of the concept of risk, see infra Part II.A. (^21) FED. RESERVE SYS., THE 2013 FEDERAL RESERVE PAYMENTS STUDY: RECENT AND LONG- TERM PAYMENT TRENDS IN THE UNITED STATES: 2003–2012, at 41 tbl.3.3.1, 42 tbl.3.3.2 (2013), https://www.frbservices.org/files/communications/pdf/research/2013_payments_study_summa ry.pdf. (^22) See infra Part III.A.
consequences for businesses, governments, and individuals around the world. Cyber risks are evolving and this metamorphosis requires a prompt regulatory response. Unlike liquidity, credit, market, and other types of financial market risks, cyber risks threaten to trigger a series of losses far more debilitating than a run on any individual financial institution. Cyber risks, by their nature, reflect a sophisticated and complex concern. Cyber risks threaten disruptive attacks against interconnected and systemically important banking and non-banking financial institutions. Even a temporary disruption in banking, payment, and financial instruments trading platforms may destabilize markets. The consequences of a well-targeted cyberattack cast a shadow that may reach institutions and individuals all over the country and possibly in many countries around the world. It is possible that concerns regarding cyber threats and financial markets are overstated. While cyberattacks have yet to undermine the national economy, hackers continue to develop new methods of penetrating proprietary systems. The Carbanak cyberattack in 2013 evinces the imminent nature and high probability of this new front and establishes that we are on the edge of a new digital frontier.^26 In late 2013, the Carbanak cybergang unleashed a cyberattack on more than one hundred financial institutions across thirty different countries.^27 Over a period of several months, Chinese and European hackers remotely programmed automatic teller machines (ATMs) to dispense cash and transfer millions of dollars in funds from customers’ accounts in Europe, the United States, and Japan. 28 Hackers gained control over the internal operational systems of the individual financial institutions by baiting bank employees with e-mails that appeared to be from colleagues, urging the employees to download malware.^29 For nearly two
(^26) Sanger & Perlroth, supra note 14 (“[T]he ‘Carbanak cybergang,’ named for the malware it deployed, represents an increase in the sophistication of cyberattacks on financial firms.”). (^27) See id. (“[T]he scope of the attack... could make it one of the largest bank thefts ever.”). (^28) Id. (^29) Id.
554 GEORGIA LAW REVIEW [Vol. 50:
years, the hackers used software to monitor employees’ daily routines, captured videos and screenshots, and reviewed and recorded video feeds. 30 Hackers later used the intelligence they gathered to access the banking institutions’ systems and impersonate employees while the malware remotely triggered ATMs to dispense cash and to transfer funds. 31 Data breaches that result in fraud and theft create noteworthy risks for financial institutions and many scholars and commentators have explored these issues. This Essay suggests that the most significant cyber threats facing financial institutions loom under-explored and under-theorized. Cyber threats against financial intermediaries that link systemically important financial institutions create systemic risk concerns. Financial institutions are critically dependent on technology to conduct their business and their role in the domestic and international economy suggest that disastrous consequences may follow if the operations of these channels of commerce experience disruption. In 2011, one of the largest international securities exchanges, NASDAQ, confirmed that its computer network was hacked and confidential documents were accessed. 32 The brazen penetration of this venerable exchange, which provides a securities platform impacting market prices and economic stability around the world, shocked market participants. Theories regarding the hackers’ motivations range from presumptions that the intruders were seeking nonpublic inside information to whispers of terrorism, theft, or wire fraud. The intentions that prompted the hackers to attack the exchange’s network are far less troubling than the mere fact that their efforts were successful. Adopting the perspective that cyber risks may engender catastrophic loses, Congress adopted the Cybersecurity Information Sharing Act of 2015 (CISA).^33 The Act designates a
(^30) Id. (^31) Id. (^32) Devlin Barrett et al., Nasdaq Confirms Breach in Network , WALL ST. J. (Feb. 7, 2011, 12:01 AM), http://www.wsj.com/articles/SB100001424052748703989504576128632568802332. (^33) H.R. 2029, 114th Cong., div. N., tit. I §§ 101–111 (enacted). See also Orin Kerr, Op., How Does the Cybersecurity Act of 2015 Change the Internet Surveillance Laws? , VOLOKH CONSPIRACY, WASH. POST (Dec. 24, 2015), https://www.washingtonpost.com/news/volokhconsp
556 GEORGIA LAW REVIEW [Vol. 50:
federal agency-proposed alternatives to the growing cyber risks that threaten domestic and international financial institutions.
II. U NDERSTANDING , M ANAGING, AND MITIGATING S YSTEMIC R ISKS
Financial market regulation and literature exploring regulation frequently implore market participants to take action to reduce the likelihood that “systemic risks” will materialize. The notion of systemic risk animates discussions regarding the causes of the recent financial crisis and justifications for the imposition of regulation designed to prevent future crises. Notwithstanding the use of this popular term, there is no widely accepted or uniform definition of systemic risk. Unable to define systemic risk, scholars, commentators, and regulators struggle to develop well- tailored regulation to manage and mitigate systemic risk. Part II. A identifies several commonly occurring risks in financial markets. Part II. B argues that the definition of systemic risk is evolving, creating challenges for regulators attempting to manage or mitigate systemic risk.
A. IDENTIFYING RISKS
The term risk is used colloquially to suggest that an action or decision may lead to a negative outcome. 35 In truth, risk taking may lead to either a positive or negative outcome. 36 Risk simply describes an element of uncertainty or the chance for a range of possible outcomes. 37
(^35) Cf. G EOFFREY P ARSONS M ILLER , T HE L AW OF G OVERNANCE, R ISK M ANAGEMENT , AND C OMPLIANCE 535 (2014) (“The traditional notion conceives of risk as the chance of something bad happening.... The more modern approach, however, sees the chance of something bad happening as only one aspect of risk. A more general understanding would also include the chance of something good happening. Risk in this sense is measured by the dispersal of outcomes rather than simply the chance of a bad one.”). (^36) Id. (^37) See Roger Miller & Donald Lessard, Evolving Strategy: Risk Management and the Shaping of Large Engineering Projects 4 (MIT Sloan Sch. of Mgmt., Working Paper No. 4639-07, 2007), http://ssrn.com/abstract=96260 (“Risk is the possibility that events, their resulting impacts, and their dynamic interactions will turn out differently than anticipated. Risk is typically viewed as something that can be described in statistical terms, while
Financial markets and financial institutions face various classes of risk including credit, liquidity, interest rate, and market risk. 38 Lending arrangements give rise to credit risks or concerns that a debtor may fail to repay an outstanding debt obligation. There are several types of contractual arrangements that create credit risk. When a creditor, such as a local community bank, extends a loan to a borrower to buy a home, the possibility that the borrower will not repay the outstanding principal or interest obligation creates a credit risk. 39 Credit risks are an immutable characteristic of lending arrangements and arise in contracts involving a diverse spectrum of borrowers.^40 Liquidity risks involve the potential that the debt obligations of an enterprise may exceed the assets of the business.^41 Consider, for example, the activities of a conventional depository bank that maintains savings account deposits and issues home loans. The bank may face a liquidity crisis if all savings accountholders run to the bank demanding return of their deposits at a time when the bank has issued their deposits to borrowers seeking home loans. The residential mortgages may have terms of ten, twenty, or thirty
uncertainty is viewed as something that applies to situations in which potential outcomes and causal forces are not fully understood.”). (^38) A NTHONY S AUNDERS & M ARCIA M ILLON C ORNETT , F INANCIAL M ARKETS AND INSTITUTIONS 576 tbl.19-1 (5th ed. 2012). Credit risk, for example, is “the risk that promised cash flows... may not be paid in full.” Id. Liquidity risk may result from unexpected liability that forces a firm “to liquidate assets in a very short period of time and at low prices.” Id. Interest rate risk is “incurred... when the maturities of [a firm’s] assets and liabilities are mismatched and interest rates are volatile.” Id. Financial institutions face these and several other risks. See, e.g. , id. (defining risks in financial institution). Because the attributes of the business models of financial institutions vary, the risks described here may present differently for each type of financial institution. (^39) See Heath Price Tarbert, Comment, Are International Capital Adequacy Rules Adequate? The Basel Accord and Beyond , 148 U. P A. L. R EV. 1771, 1775 (2000) (“The bank’s role as a financial intermediary involves many specific risks, of which the most predominant is credit risk—that a borrower will default on a loan.”); Kristin N. Johnson, Governing Financial Markets: Regulating Conflicts , 88 WASH. L. R EV. 185, 206 (2013). (^40) See Kristin N. Johnson, Addressing Gaps in the Dodd-Frank Act: Directors’ Risk Management Oversight Obligations , 45 U. M ICH. J.L. REFORM 55, 64 (2011) (“Large, complex financial institutions originate loans to many types of borrowers including corporations with operations around the world; other banks, thrifts, and more sophisticated financial institutions; hedge funds; and private equity firms.”). (^41) FDIC RMS M ANUAL OF EXAMINATION P OLICIES, L IQUIDITY AND F UNDS M ANAGEMENT § 6.1-2 (2015).
trading desks of financial institutions expose these businesses to significant market risk. 49
B. WHY ARE SYSTEMIC RISKS SPECIAL?
Recent turmoil in financial markets 50 casts a spotlight on the perils of risk management failures in financial markets. Commentators, regulators, and financial market participants express concerns that a single shock or series of shocks may trigger a daisy chain of losses and lead to the insolvency of one or more systemically important financial institutions. 51 Scholars and commentators describe the risk of a series of financial institution failures as systemic risk. Yet, systemic risk is not a term of art with a simple, precise, user-friendly definition. Interpretations differ regarding the types of threats that constitute systemic risk. Notwithstanding popular use of the term, the existing literature
(^49) S AUNDERS & C ORNETT , supra note 38, at 583. The named examples of risks are generally self-explanatory. For a careful and valuable examination of reputational risk and the theory of misconduct risk, see Christina Parajon Skinner, Misconduct Risk , 84 F ORDHAM L. REV. 1559 (2016). It bears mentioning, however, that the sovereign risk described here refers to “[t]he risk that repayments from foreign borrowers may be interrupted because of interference from foreign governments.” S AUNDERS & C ORNETT , supra note 38, at 588. Unlike loans to domestic corporations, where there are available remedies for default, loans to foreign subsidiaries may not be paid back because “the government of the country in which the corporation is headquartered may prohibit or limit debt repayments due to foreign currency shortages and adverse political events.” Id. If a foreign country is unable or unwilling to repay their debt, the loaning financial institution “has little if any recourse to local bankruptcy courts or to an international civil claims court.” Id. at 589. Insolvency can result in the failure of a significant financial institution, which could disrupt the domestic and global economy and even trigger a domino effect of global losses. See, e.g. , id. (describing the failure of two major financial institutions, Washington Mutual and Citigroup, due to insolvency). (^50) See, e.g. , F IN. C RISIS INQUIRY C OMM’ N , T HE F INANCIAL C RISIS INQUIRY R EPORT : F INAL R EPORT OF THE N ATIONAL COMMISSION ON THE C AUSES OF THE F INANCIAL AND E CONOMIC C RISIS IN THE U NITED S TATES, at xv (2011), http://fcic-static.law.stanford.edu/cdn_media/fci c-reports/fcic_final_report_conclusions.pdf (“As this report goes to print, there are more than 26 million Americans who are out of work, cannot find full-time work, or have given up looking for work. About four million families have lost their homes to foreclosure and another four and a half million have slipped into the foreclosure process or are seriously behind on their mortgage payments. Nearly $11 trillion in household wealth has vanished, with retirement accounts and life savings swept away.”). (^51) See, e.g. , Steven L. Schwarcz, Systemic Risk , 97 G EO. L.J. 193, 204 (2008) (defining systemic risk).
560 GEORGIA LAW REVIEW [Vol. 50:
leaves important questions regarding the specific details of systemic risk unresolved.
1. Understanding Systemic Risks. Interpreted literally, systemic risk refers to concerns that threaten the stability of an organizational system. In the context of financial markets, the “system” refers to the financial institutions, payment systems, and trading platforms and exchanges that comprise the foundation of the domestic and global economy. Clarifying the meaning of the “risks” that threaten financial market stability is, however, more complicated. While there is no consensus on a definition of “systemic risk” and scholars and regulators’ accounts of the events that engender systemic risks differ, descriptions of systemic risk possess some common elements. It is widely agreed that systemic risk refers to “a trigger event, such as an economic shock or institutional failure, [that] causes a chain of bad economic consequences—sometimes referred to as a domino effect.”^52 Yet, it is unclear how substantial volatility must be to register as systemically significant. Is the metric for volatility tied to whether fluctuating prices have significant adverse effects on the real economy? Or should the focus be on whether volatility may lead to a disruption and not a crisis? E. Gerald Corrigan, a former Federal Reserve President, proposes that focusing on the impact of risks—whether risks lead to a mere disruption and not a prolonged period of slow growth—helps us evaluate when risks ought to be classified as systemic. 53 This Essay adopts the perspective that one must evaluate the probability that a risk will materialize and the magnitude of the impact of risk that transforms the threat into a systemic risk.
(^52) Id. at 198. Professor Steven Schwarcz instructs that “[t]hese consequences could include (a chain of) financial instruction and/or market failures... [or] [l]ess dramatically... (a chain of) significant losses to financial institutions... [and] can deprive society of capital and increase its cost... or decrease[ ] its availability.” Id. (^53) Hedge Funds and Systemic Risks in the Financial Markets: Hearing Before the H. Comm. on Fin. Servs. , 110th Cong. 8 (2007) (statement of E. Gerald Corrigan, Managing Dir., Goldman Sachs & Co.) (“[S]ystemic risk of a financial nature is... a financial shock that brings with it the reality or the clear and present danger of inflicting significant damage of the financial system and the real economy.”).
562 GEORGIA LAW REVIEW [Vol. 50:
key element in financial market regulation.^56 Scholars describe efforts to identify, assess, or mitigate outcomes that could lead to losses as risk management strategies. 57 Successful risk management strategies may engender a multitude of benefits and are as diverse as the businesses and industries that adopt them. To manage risks, business may rely on a wealth of endogenous tools, such as enterprise risk management (ERM) strategies 58 or corporate governance structures, and exogenous solutions, such as minimum capital ratios or living wills. 59 Risk management thus “involves organizational processes that generally include risk identifying, measuring, and mitigating procedures.” 60 Risk management is, “at its most fundamental level... about identifying bad outcomes that could occur in an uncertain future and taking deliberate action to shift the odds in a firm’s favor.”^61 Modern risk management theory began at the turn of the twentieth century when Louis Bachelier pioneered a model of
(^56) See generally Pierre Duguay, Dep’y Governor, Bank of Can., Remarks to the Risk Management Association, Toronto Chapter, Toronto, Ontario (Jan. 8, 2009) (explaining the importance of risk management strategies to achieve financial stability). (^57) E.g. , Nizan G. Packin, It’s (Not) All About the Money: Using Behavioral Economics to Improve Regulation of Risk Management Financial Institutions , 1 U. P A. J. B US. L. 419, 434 (2012) (“Risk managers... attempt to reduce the likelihood of negative outcomes.”); Johnson, supra note 40, at 61 (“[M]ethods developed to measure, mitigate, or manage risk generally focus on estimating the probability and magnitude of risks that lead to losses.”); Miller & Lessard, supra note 37, at 8 (describing several risk management techniques). (^58) See Kristin N. Johnson, Macroprudential Regulation: A Sustainable Approach to Regulating Financial Markets , 2013 U. ILL. L. R EV. 881, 899 (describing the complexity of the risk management strategies businesses adopt, including ERMs, which “attempt to comprehensively measure risks”). (^59) See Victoria McGrane & James Sterngold, Fed Sets Tough New Capital Rule for Big Banks , WALL ST. J. (Dec. 9, 2014, 8:43 PM), http://www.wsj.com/article/fed-proposes-extra- capital-requirement-for-8-biggest-u-s-banks-1481507 (noting regulatory imposition of “fatter capital cushions... to make the financial system less risky”); Ryan Tracy & Victoria McGrane, Big U.S. Banks Refile ‘Living Wills’ After Regulatory Rebuke , WALL ST. J. (July 6, 2015, 10:53 PM), http://www.wsj.com/articles/big-us-banks-refile-living-wills-after-regulatory- rebuke-1436212747 (reporting that, among others, JP Morgan Chase & Co. re-submitted plans for reorganization to help mitigate damage in the event of financial failure). See generally RENÉ STULZ, RISK MANAGEMENT AND DERIVATIVES (2003) (providing insight into the way businesses can maximize corporate value through various risk management techniques). (^60) Johnson, supra note 40, at 63. (^61) Robert Weber, A Theory for Deliberation-Oriented Stress Testing Regulation , 98 M INN. L. R EV. 2236, 2251 (2014) (citing D AN B ORGE , T HE B OOK OF R ISK 4 (2001)).
Brownian motion to analyze fluctuations in the prices of financial assets. 62 In 1939, the American Finance Association met for the first time, and in 1942, they published their first journal, American Finance. 63 The decades that followed ushered in a period of innovation in risk management.^64 Mathematicians and physicists embraced their celebrated role among financial institutions and developed asset pricing models such as the Black- Scholes options pricing formula and the Noble prize-winning Capital Asset Pricing Model. 65 Both models enjoyed tremendous popularity. Beginning in the early 1970s with the collapse of the Bretton Woods system, financial product engineers began to design newly styled currency derivatives products. 66 Financial product engineers posited that these derivatives, currency futures, and options and interest rate swaps would reduce risk exposure and facilitate hedging. 67 During the 1980s and 1990s, market participants engineered and encouraged the development of hedging products including default and credit risk management tools.^68 In the late 1980s, the Basel Committee on Banking Supervision initiated a series of discussions among the central banking authorities of the nations with the largest economies in the world; the discussions led several countries to implement the 1988 Basel Accord—a body of regulations designed to manage risks in the banking industry. 69
(^62) G EORGES D IONNE , R ISK M ANAGEMENT : HISTORY , D EFINITION AND C RITIQUE 6 (2013), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2231635. (^63) Id. ; see also About the Association , A M. F IN. ASS’ N , http://www.afajof.org/details/page/ 10241/About-the-Association.html (last visited Sept. 20, 2015). (^64) D IONNE , supra note 62, at 7. (^65) Press Release, Royal Swedish Acad. of Scis., The Prize in Economics 1990 (Oct. 16, 1990), http://www.nobelprize.org/nobel_prizes/economic-sciences/laureates/1990/press.html; P HILLIPE JORION , V ALUE AT RISK 417–18 (3d ed. 2007) (describing CAPM). (^66) Shinhua Liu, Currency Derivatives and Exchange Rate Forecastability , 63 F IN. A NALYST J. 72, 72 (2007). (^67) See Arthur E. Wilmarth, Jr., The Transformation of the U.S. Financial Services Industry, 1975–2000: Competition, Consolidation, and Increased Risks , 2002 U. ILL. L. REV. 215, 332–33 (noting how the availability of new financial “tools” such as derivatives led to increased hedging by financial institutions). (^68) D IONNE , supra note 62, at 8. (^69) Id.
market conditions such as low economic output, high unemployment, stock market crashes, liquidity shortages, high default rates, and failures of large counterparties.” 78 Employing stress tests reveals triggers and weak links that may cause extraordinary losses. 79 U.S. and foreign regulators increasingly emphasize the value of stress testing. 80 Regulators believe that stress tests will (1) facilitate efforts to promote risk oversight; (2) encourage quantitative skepticism within bank risk management departments; and (3) align corporate governance practices among management in industries where externalities endanger significant populations such as, the nuclear power industry or the air traffic control industry. 81
C. SYSTEMIC RISK MITIGATION
Examination of the commonly identified risks in financial markets and a comparison of these types of risk with systemic risks illustrate the rationale for treating systemic risks as unique and carefully regulating these concerns. Credit and capital markets serve as a critical infrastructure resource in international financial markets. 82 Assets flow across territorial boundaries with
(^78) Id. at 2238–39. (^79) Id. at 2239. (^80) See id. (“What is new, however, is the zeal with which lawmakers and regulators have looked to stress testing as a regulatory technique.”). (^81) See id. at 2301–02 (noting three themes regulators should focus on when dealing with regulated firms and the implementation of stress tests). (^82) See John C. Coffee, Jr., Extraterritorial Financial Regulation: Why E.T. Can’t Come Home , 99 C ORNELL L. R EV. 1259, 1269–70, 1269 n.33 (2014) (noting the relevance of “commons” literature to the regulation of financial institutions (citing Kristin N. Johnson, Things Fall Apart: Regulating the Credit Default Swap Commons , 82 U. C OLO. L. R EV. 167, 174 (2011))). Coffee, Johnson, and Steven Schwarcz are among a pioneering group of scholars exploring the application of Garrett Hardin’s tragedy of the commons to international financial markets. Id .; see also Iman Anabtawi & Steven L. Schwarcz, Regulating Ex Post : How Law Can Address the Inevitability of Financial Failure , 92 T EX. L. R EV. 75, 90 (2013) (acknowledging that financial markets can suffer from “a type of tragedy of the commons in which finite capital resources are exploited”); Steven L. Schwarcz, Protecting Financial Markets: Lessons from the Subprime Mortgage Meltdown , 93 M INN. L. R EV. 373, 386 (2008) (comparing the exploitation of scarce resources in a tragedy of the commons to the exploitation of scarce resources in a financial system). The innovative
566 GEORGIA LAW REVIEW [Vol. 50:
ease as market participants simultaneously transact with counterparties in any number of countries around the world. 83 An international network of exchanges and clearinghouses enable financial market participants to execute many of the world’s most significant transactions, transferring cash, securities, commodities, and other assets across national borders in seconds. 84 Technological innovations in international banking, payment, and settlement systems increasingly facilitate cross-border transactions.^85 Advancing technology will increasingly ensure that financial market transactions are uninhibited by conventional boundaries. The development of infrastructural resources, such as international banks, bank holding companies, securities and commodities exchanges, and clearinghouses facilitates the execution of cross-border transactions.^86 These institutions also provide critical benefits, enhance market efficiency, permit more accurate price discovery, and promote greater portfolio diversification.^87 The engineering of these critical market actors
application of the tragedy of the commons parable to financial markets offers alternative solutions to regulatory questions prompted by cross-border transactions or financial market sectors characterized by market participants executing transactions through trading institutions operating in multiple jurisdictions. (^83) See JAMES M ANYIKA ET AL ., M C K INSEY G LOBAL INST ., GLOBAL F LOWS IN A DIGITAL A GE : HOW T RADE , F INANCE , P EOPLE , AND D ATA C ONNECT THE WORLD E CONOMY 23, 61 (2014) (discussing the increasingly international nature of commercial transactions). (^84) See Chris Brummer, Post-American Securities Regulation , 98 C AL. L. R EV. 327, 346 (2010) (discussing how “innovations like the Internet” have drastically improved the rapidity and accuracy of international sales transactions). (^85) M ANYIKA ET AL., supra note 83, at 37 (“[W]e see huge growth in the digital portions of flows of goods and services—a process we call digitization.”). (^86) See Stavros Gadinis & Howell E. Jackson, Markets as Regulators: A Survey , 80 S. C AL. L. R EV. 1239, 1257–58, 1298 (2007) (concluding that many stock exchanges are “expanding their operations across national borders”). (^87) See Jeremy C. Kress, Credit Default Swaps, Clearinghouses, and Systemic Risk: Why Centralized Counterparties Must Have Access to Central Bank Liquidity , 48 HARV. J. ON L EGIS. 49, 65 (2011) (“The benefits of [clearinghouses] include loss mutualization and credit risk homogenization, multilateral netting, and information aggregation.”); Jerry W. Markham & Daniel J. Harty, For Whom the Bell Tolls: The Demise of Exchange Trading Floors and the Growth of ECNs , 33 J. C ORP. L. 865, 882 (2008) (stating that the transparency of modern stock exchanges “provides a price discovery mechanism”); Johnson, supra note 39, at 189, 209 (noting that self-regulatory organizations, including financial institutions such as the British Banker’s Association, “frequently adopt and implement