Systemically Important Technology

Article - Volume 101 - Issue 4


The debate about how to regulate dominant technology platforms and, more generally, dangers in the increasingly important technology sector, misses an essential dimension. It is the same oversight that financial regulators committed prior to the Global Financial Crisis: under-appreciating systemic risk.[1] Fortunately, the responses those regulators eventually developed provide a template to avoid a similar disaster in tech.

For all the fire and fury, discussions about reining in “Big Tech” cover a limited set of policy concerns. Addressing them could under-solve important challenges that technology platforms pose. These issues—information quality, privacy, and antitrust—are important.[2] But each of them has become, in different ways, partisan and logjammed.

We think that an exclusive focus on these issues comes at a cost. In particular, it displaces thinking about the costs if these firms fail. Our dissatisfaction with the existing technology ecosystem should not induce us to ignore its vulnerabilities. Technology platforms have reached the point where they are so interconnected, and so essential to the functioning of modern life, that their failures could be more than an inconvenience. They could be catastrophic. Moreover, these failures will not necessarily occur where we expect. Seemingly small platforms may have disproportionate significance, and seemingly safe ones may fail through unanticipated interaction effects.

There is a model of a regulatory regime that takes the question of systemic resilience as its raison d’être. Financial regulation is designed to promote the safety and soundness of institutions, as well as to protect the consumers who depend on those institutions.[3] Financial stability and systemic risk have become watchwords of the post-financial crisis regulatory settlement in the United States.[4]

In our view, the financial-regulation paradigm can usefully be applied to significant risks of our current technological environment in a way that could promote stability and resilience. This approach would appeal across the political spectrum as a means to reduce the likelihood of a technology disaster.

In particular, we propose two steps. First, we recommend that technology regulators use the paradigm that financial regulators use to identify firms of systemic importance.[5] Those regulators evaluate a number of factors to identify firms capable of damaging the financial system, including size, interconnectedness, substitutability, leverage, and other characteristics.[6] Firms that meet the test for systemic importance would be subject to heightened regulatory scrutiny.[7]

Second, we recommend that federal technology regulators join a council that meets regularly to discuss and identify issues of systemic risk in technology, adopting the framework of the Financial Stability Oversight Council (FSOC, or the Council) created by the Dodd-Frank Wall Street Reform Act.[8]

Our proposal offers a number of advantages over the current system. It consolidates a balkanized regulatory landscape and rationalizes a regulatory mission. It offers a different perspective on technology regulation, one that addresses real problems that have—so far—bedeviled both important technology firms and their government minders. It takes the best features of a resilience regime that successfully managed to pass a stern test during the COVID-19 pandemic and applies those features to a critical new part of the economy. In what follows, we make the case for the systemic importance of parts of the technology industry, outline the systemic-stability oversight regime in financial regulation, and describe how we would apply that model to technology. We propose a designation process for systemically important network institutions, or SINIs, and outline our vision for the Technology Stability Oversight Council, or TechSOC.

I. Big Tech as Systemically Important

A. They Might Be Giants

1. Size and Scale

We all know Big Tech is big. Just how big and important, and in how many ways, is striking.

Seven of the world’s nine most valuable companies by market capitalization in 2021 were technology platforms, including the American “GAFAM” quintet (Google/Alphabet, Apple, Facebook/Meta, Amazon, Microsoft) and the Chinese giants Tencent and Alibaba.[9] And if anything, this understates the case. GAFAM alone represent more than one-fifth of the entire value of the Standard & Poor’s index of the 500 largest American companies.[10] And market value is not the only measure on which Big Tech is big. Apple and Amazon trail only Walmart on the 2021 Fortune 500 list of the largest American companies by revenue.[11] Facebook’s 2.85 billion monthly active users in the first quarter of 2021 represent a third of the world’s population, and 1.88 billion of those users access Facebook daily.[12] Amazon employs more than 950,000 Americans and 1.3 million people worldwide.[13] Despite a global pandemic—or perhaps in part because of it—Google reported quarterly profits of nearly $18 billion in April 2021, its third straight quarter of record profits.[14] Consider how few companies even generate that number in revenues over an entire year. The other dominant platforms have similarly gaudy statistics.[15]

Major tech markets are marked not only by huge firms but also by significant market concentration. Google’s market share in search is roughly 90% worldwide, despite the efforts of major competitors such as Microsoft and Yahoo! over a period of many years.[16] Facebook similarly dominates social media, where Google itself abandoned its competitive effort, Google+, in 2018.[17] Whether these or the other Big Tech behemoths enjoy market power or monopoly status under the formal measures of antitrust is a question that regulators and economists have struggled with.[18] Other significant firms in these markets such as Snapchat and TikTok have managed to avoid being crushed, although they remain far smaller than the GAFAM members.[19] And those five firms compete against each other in various areas. In colloquial terms, however, there is no question that each has staked out a market area in which it reigns supreme. And while much of their growth is organic, these firms have also acquired hundreds of startups and complementary companies.[20] It is difficult to think of any historical corporate entity or group of entities, from the East India Company to the Ma Bell AT&T monopoly, which coordinated the lives of so great a fraction of humanity.[21]

One reason major tech companies are so powerful is that they function as digital platforms.[22] That makes them “[m]ultisided markets” with strong network effects.[23] This is particularly true for advertising-based business models, in which access to the users on one side is effectively sold to the advertisers on the other side. The more users, the more data about them. The more data, the better the algorithms for targeted advertising. The better the advertising results, the more that advertisers will be locked in as well. It is a powerful cycle driven by network effects.

With billions of users engaging in trillions of transactions, the major tech platforms have created historically unprecedented systems of data collection and behavioral targeting.[24] And that is just the starting point. Increasingly powerful computers allow those companies to refine the raw data to generate new insights. Facebook, for example, is building the world’s fastest supercomputer to power its artificial intelligence initiatives.[25] The big platforms also have data-sharing relationships with hundreds of other companies and purchase data from the massive and lightly regulated world of data brokers.[26]

Another dimension of digital platforms is that they are foundations for other services and companies. Platform operators create application programming interfaces (APIs) that allow others to interconnect. These relationships either generate revenues, provide access to new data, or reinforce the lock-in of the core service. For example, Google’s mapping service is an essential foundation for a plethora of location-oriented firms.[27] Ride-hailing services such as Uber and Lyft, although they eventually created their own mapping technology, would never have gotten off the ground without piggybacking on Google Maps.[28] Apple’s iOS App Store hosts nearly two million applications, virtually all created by unaffiliated developers.[29] This model streamlines development and distribution for application creators, but it is also extremely lucrative for Apple, whose non-hardware (services) revenue grew to $68 billion in fiscal year 2021.[30] Anyone challenging Apple (or Google’s Android platform) has to compete not only against the installed base of devices but against the entire platform ecosystem.

These business models, resulting in growth on growth, mean that the largest tech giants provide services to billions.[31] As ever more of our activity moves online, these giants have become essential conduits through which modern commerce and social interaction flows. Their path to such scale is in many ways controversial, but the scale illustrates the importance of these firms.

2. Vital Services

Every firm ranked at the very top in terms of employees, revenues, or market capitalization is important, but their importance is not a linear function of those numbers. Major tech firms have importance above and beyond their size. The large platforms have become increasingly critical, but the businesses on which they rely, or that they facilitate, have also become vital.

Consider Facebook.[32] The fact that it has so many users tells only part of the story. Those users are entrusting their personal information, images, communications, and relationship structures to the social media platform. We trust Facebook with these valuable assets, much as we trust a bank with our savings, despite growing unease about Facebook’s business practices. Facebook has become the way that people stay in touch with family and friends, interact with their social groups or communities, and find products or services. In the words of Nikita Aggarwal and Carl Öhman, “Facebook has, in large parts of the world, become the de facto online platform for communication and social interaction.”[33]

And it is not just Facebook. Google, whose mission statement boldly states its goal “to organize the world’s information and make it universally accessible and useful,” long ago became a verb because of its inescapable role in the contemporary ecology of knowledge.[34] Apple’s iPhone kicked off the mobile internet revolution and is perhaps the defining product of the twenty-first century so far because of how often so many people around the world use it (or similar devices built on Google’s Android operating system).[35] Amazon transformed commerce and became an essential source of products for the vast majority of Americans.[36] Twitter, despite having “only” 436 million users and a market cap about eleven times smaller than Facebook prior to its sale to Elon Musk, nonetheless occupies a central role in certain aspects of information generation and sharing, as evidenced by the controversy over then-President Donald Trump’s tweets and eventual removal from the service.[37]

In 2019, a New York Times technology reporter systematically attempted to block and avoid the major tech platforms over a period of six weeks.[38] Even as a sophisticated user willing to switch software and hardware, she found it virtually impossible. Her conclusion: “After the experiment was over . . . I went back to using the companies’ services again, because as it demonstrated, I didn’t really have any other choice.”[39] The major tech platforms have their tentacles into so many other services that even when we don’t think we are using them, we are. Facebook has profiles on many millions of people who have never used its service because their friends and relatives provide information that can be used to generate a “digital dossier.”[40] Most smaller online services today delegate their login process to the giants, who already have the identification information and, it is hoped, the systems to maintain security.[41]

There are also technology firms whose significance is disproportionate to their scale. Consider the importance of Zoom during the COVID-19 pandemic. Zoom is, by most measures, no peer for the platform giants. It had approximately 4,400 employees at the start of 2021, and revenues of $2.65 billion.[42] Founded in 2011, Zoom only went public in 2019.[43] Its video-conferencing software earned it a strong following in what was seen as a growing but still relatively niche market. However, when the pandemic forced many millions of workers and students to work from home starting in early 2020, Zoom usage took off.[44] Competing products such as Skype, Microsoft Teams, Blue Jeans, and Google Meet have seen huge take-up as well, but Zoom has been the market leader.[45] It was remarkably effective at scaling up quickly to support massive levels of video traffic. It is difficult to imagine how most major businesses, universities, and K–12 schools could have functioned effectively without it during 2020–2021.[46] Even as firms and schools return to in-person operations, they are continuing to use Zoom for meetings that previously would have been conducted in person. Zoom, or something like it, has rapidly become an essential business tool like email or the Web.

The Zoom example highlights how there has been a critical shift behind the scenes over the past two decades regarding how technology firms operate. The cloud revolution has turned computing power into a utility. Starting with Amazon Web Services, major tech firms such as Google and Microsoft now provide computing, storage, and other functionality as services to other firms doing business online.[47] Even Apple, whose core businesses involve selling hardware and software, now operates massive data centers to handle photos, messaging, application delivery, music, and streaming video offerings.[48]

Cloud computing allows firms to purchase computing as a resource from a large, common pool, analogous to how they purchase electricity. That structure allows firms to quickly scale capacity up or down and provides better reliability through expert centralized management and global redundancy.[49] Although software and hardware products almost inevitably have bugs or security vulnerabilities, users have come to expect always-available digital services. They think of Google or Facebook similarly to the way they think of heating, electricity, and water: as essential utilities.[50]

The utility that operates the electricity distribution network in your city may not be one of the biggest firms in the country, but if the lights go off your life comes to a standstill. With so much of business and daily life dependent on the internet, the infrastructure underlying internet services takes on an outsized role.

B. Who’s Afraid of Big Tech?

1. From Heroes to Villains

When they first took off, the major tech platforms saw themselves—and were widely seen by others—as upstarts, challenging dominant incumbents with valuable innovations in operations and user benefits. That has changed, with widespread dissatisfaction growing over the firms and how they are regulated. As we will see, our proposal can address a serious gap in the regulatory environment now that these big firms have made something of a heel-turn. Microsoft and Apple rode the personal-computer revolution of the 1980s to supplant mighty IBM and other major technology or telecommunications firms of the day.[51] Google and Amazon launched with the internet revolution in the late 1990s, in part positioning themselves against Microsoft, which had become the most powerful company in technology. Facebook, and a host of smaller yet still huge companies, such as Netflix and Uber, came on the scene in the 2000s, as broadband and mobile connectivity set the stage for an era of “Web 2.0.”[52] All these companies have strong entrepreneurial DNA, with visionary founders—Steve Jobs, Bill Gates, Mark Zuckerberg, Jeff Bezos, Sergei Brin, and Larry Page—who steered them from their days in garages.[53] That the internet became such a crucial fact of daily life and business, and that so many services did not charge up-front fees thanks to advertising or other business models, were viewed as triumphs.[54]

Policymakers and regulators initially endorsed the rapid growth of Big Tech. In 1997, the Clinton Administration issued the Framework for Global Electronic Commerce, which firmly declared that government should avoid undue interference with the emerging internet ecosystem.[55] Legislation such as the Internet Tax Freedom Act[56] and Section 230 of the Communications Decency Act of 1996[57] sought to shield digital platforms from unreasonable or unintended legal obligations. GAFAM were celebrated as great American success stories, with firms such as Alibaba, Didi, Baidu, and Tencent seen in similar lights in China.[58] If occasional academics criticized “the Googlization of ‘everything,’” they were swimming against the tide.[59]

All that changed rapidly in the late 2010s. Big Tech platforms became the targets of intense criticism on several fronts. The recent emergence of neo-Brandeisian antitrust theorists and activists, as well as the ongoing efforts of European competition regulators alarmed at the influence of these largely American platforms, have turned the debate toward the dangers of bigness.[60] Their concern has resonated. The intrusive model of “surveillance capitalism” (to use Shoshana Zuboff’s evocative phrase) and the flaws of mass-scale, algorithmic decision-making have provoked increasing alarm among policymakers and the public.[61] The role that social media firms played in the spread of misinformation during recent presidential elections and in other contexts raised alarms that technology was not just, as Google’s mission statement claimed, making information “universally accessible and useful,” but making us in some ways less informed and serving nefarious ends.[62]

By 2020, Big Tech was the target of intense attacks in scholarship,[63] books,[64] and documentaries.[65] CEOs of the major platforms were hauled before congressional committees to justify their actions, and regulators (especially in Europe) were regularly imposing large fines on them for privacy and competition policy violations.[76] Strikingly, these attacks were bipartisan, although the issues Democrats and Republicans highlighted often differed.[67]

The intensity and prominence of the “techlash” might suggest that there is no need for further action because tech platforms will at some point be subject to sufficient regulatory oversight. However, this is not the case. There are significant unsolved problems and unresolved controversies in the current tech-regulation debates. Most important from our perspective, even if they are addressed, systemic risk will still be a serious blind spot.

2. Shape of the Current Debates

There are two reasons why current approaches to tech regulation do not appropriately respond to systemic risk: substantive focus and procedural frameworks.

First, the major issues of contention in contemporary policy debates over Big Tech do not relate to systemic harms. The most contemporary heat, if not light, in the debate about technology has come from concerns about speech on technology platforms. Liberals have focused their attention on the popularity of disinformation, often designed to activate conservatives, on sites like Facebook.[68] These observers have worried about Russian interference via social media in American elections, have worried about the spread of falsehoods on platforms like Facebook and Twitter, and have bemoaned the popularity of often misleading conservative commentary on current events.[69] The right, on the other hand, has focused on different sorts of platform biases. Conservatives argue that the halting efforts by platforms to remove disinformation from their sites has systematically been biased against right-of-center commentators.[70] In their view, it is liberals who are engaged in speech suppression by seizing the levers of control on platforms and using that control to deplatform non-liberal speech.[71]

The result has been a form of gridlock, as policymakers have debated limitations or repeal of the so-called Section 230 grants of immunity to websites that permit comment from their users.[72] Because it is hard to imagine how platforms would work without this sort of immunity, let alone whether holding companies liable for speech that others make on their platforms would be consistent with First Amendment principles, the policy solution to this question of privileged speech has been difficult to resolve.

These speech and informational controversies are extremely important. They are linked to the scale and influence of a small number of powerful platforms. Facebook and Twitter making decisions about what content to host or what messages to amplify is entirely different than a small online apparel company making the same kinds of decisions about product reviews on its site. The relevant harms, however, are political, relating to free speech and democracy. They raise the kinds of questions that have long been the subject of media and communications regulation, which were developed in response to earlier dominant information platforms in radio, telephony, and television.[73]

The second major area of tech policy controversy operates through an antitrust lens.[74] Politicians and policymakers have worried that Google, Facebook, and other platforms—but especially Google and Facebook—have become too big. Sometimes this bigness concern is articulated in a way that the early progressives emphasized with the first antitrust laws—a worry that, whatever the effect on the consumer, the problem with amassing so much information in a few platforms is simply unhealthy for the body politic.[75] This model is associated with Justice Louis Brandeis’s concern that the concentration of economic power could lead to a despotic result in the political arena.[76]

The Brandeis critique is often thought to be a progressive one; in recent times, however, conservatives have found common ground with this argument. In particular, they believe that technology platforms are adopting practices that systematically disadvantage right-of-center perspectives.[77] Non-progressives have thus also called for alternatives to the platforms. They believe that if there is no alternative to Facebook, there may be no room for different voices.[78]

In other words, the debate over whether firms have gotten too big to be healthy is rooted not just in fears about bigness in general but also in the belief it privileges the values held by the managers (or in some cases, the employees) of the biggest technology firms.

The American Innovation and Choice Online Act, designed to rein in anticompetitive practices of Big Tech, reached the Senate floor in 2022.[79] A bipartisan agreement on technology trustbusting is not impossible, but it is worth reflecting on the difficulty of winning the ensuing litigation. The government’s two highest profile cases against technology firms on monopolization grounds, the 1980s investigation of IBM and the 1990s Microsoft litigation, ultimately foundered. Breaking up companies through litigation is difficult to do, and the likelihood of victory in the courts is by no means certain.[80]

These competition policy concerns bear some similarity to systemic risk regulation, in that they involve identifying and targeting a subset of firms with sufficient scale, scope, or other market power. However, there is an important distinction from antitrust. The watchwords of systemic risk regulation are importance and resilience, rather than size and power. There have been significant antitrust actions in the sector, such as the Department of Justice blocking the proposed merger of Visa and Plaid,[81]] but these are unconnected with systemic risk oversight. Market concentration is a factor in systemic risk—if there are many relatively small firms competing, it is unlikely the death of any of them would cause market-wide disruption.[82] However, whether economic power is too concentrated in a market is a different question from whether risk is. Otherwise, there would have been no need to establish a bespoke systemic risk regulation framework in the Dodd-Frank Act and other responses to the 2008 Global Financial Crisis.

A final major area of technology policy debate concerns privacy. The major tech platforms built their businesses around aggregation of tremendous amounts of data, including vast troves of personal information about virtually everyone. Privacy-related concerns animate the critiques of “surveillance capitalism,” the model under which tech platforms relentlessly target and then shape users’ interests to feed their advertising businesses.[83] The European Union’s General Data Protection Regulation (GDPR), which came into force in 2018, imposes extensive requirements on all data processors and data controllers.[84] While the United States still does not have a comprehensive federal data-protection law, several major states have passed laws incorporating aspects of GDPR, and there is strong legislative momentum in Congress for further action.[85] A compromise bill with the support of key House and Senate leaders was introduced in mid-2022.[86]

Again, however, privacy is different than systemic risk. Privacy rules focus on whether surveillance practices of tech platforms are harmful to users, not whether the failure of those platforms might be. It is true that the more data firms aggregate, the greater the dangers of data breaches. However, privacy regulation generally focuses on the harms of those breaches to customers of the relevant firm whose information is leaked, rather than the possibility of industry-wide contagion.[87]

3. The Tech Regulation Playbook

In addition to focusing on a limited set of issues, the current tech policy debates apply a restrictive set of tools.

The roots of technology regulation go back to the regimes for telecommunications and media firms, which were established earlier in the twentieth century.[88] Those, in turn, trace their roots to public-utility regulation created originally for railroads in the nineteenth century.[89] The main pillars of public-utility regulation are common carriage, universal service, and price regulation.[90] The idea of both is that some industries are so foundational and subject to such strong natural monopoly conditions that market forces will not produce outcomes that meet essential public-policy objectives.[91] As a result, firms were required to provide services to all comers without discrimination and were subject to intrusive oversight of the prices they charged. Classic public-utility regulation has been significantly reduced in communications and media industries in favor of a managed-competition approach.[92] The contemporary derivative of those frameworks is network neutrality: the principle that internet platforms should not discriminate against unaffiliated traffic or devices.[93] Essentially, the idea is that digital platforms should be open and fair for all who depend on them, rather than pure profit maximizers for proprietary wealth creation.[94] Under this approach, regulation is typically conducted by a specialized expert agency, such as the Federal Communications Commission (FCC).[95]

Much of the debate about Big Tech has concerned whether it should be something analogous to a network-neutrality framework,[96] and whether a new specialized regulatory agency should be created.[97] Such an agency would focus on addressing practices by the tech platforms that reduce competition or harm users. Antitrust enforcement to block mergers and break up firms that have become too big or powerful would complement the regulatory oversight. While these are very important debates, they are also familiar ones. Similar questions about whether to create a new agency and whether to ramp up antitrust enforcement come to the fore every time market structures change in major industries.[98]

Whether such rules are desirable for Big Tech is beyond the scope of this Article. We take no position on whether further speech, antitrust, or privacy regulation should be imposed or what it might look like. Our focus is on a blind spot in the discussion. The standard regulatory playbook tends to ignore or poorly address a particular category of harms: those arising from systemic risk. As noted earlier, antitrust focuses on concentrated power, while expert agencies focus on industry practices or standards. Neither is well-suited to consider whether some market participants may create disproportionate risk, even if they fail to meet standard market-power tests or engage in otherwise-troublesome behavior. We thus turn to the question of whether systemic risk is a problem in today’s tech sector.

C. Systemic Risks in Technology

1. Defining Systemic Importance

Not all risks are significant, and not all significant risks are systemic. There are many things that companies can do or fail to do, which cause harms to their customers and other stakeholders. The bigger the firm, the greater the magnitude of these risks. Regulation in its varied forms is designed to ameliorate risks not sufficiently addressed through market forces and private mechanisms. As noted in the previous section, the ongoing debates about Big Tech concern whether regulatory and competition policy obligations should be extended in new ways to major digital platforms. Those proposals, however, concern dangers involving the companies themselves, not their potential impact on the overall economic system.

Systemic risk does not have a precise definition.[99] It is generally discussed in the context of financial regulation as the potential that a shock will cause cascading effects, resulting in the financial system as a whole seizing up such that capital is effectively unavailable.[100] The textbook example of systemic risk is a bank run, which occurred during the Great Depression: depositors lost faith in a large number of banks and accordingly attempted to withdraw their funds en masse, which is the sort of thing that banks—who loan out the money depositors give them—are definitionally not prepared for.[101] Similarly, during the Global Financial Crisis of 2008, the failure of Lehman Brothers and prospective failure of Bear Stearns, Fannie Mae, AIG, and other large institutions created a panic across the entire financial system.[102] A key aspect of systemic risk is this notion of contagion: Failures in one institution can spill over to others, even if ex ante they seemed sufficiently robust.[103]

The need for a separate layer of regulation emerges, in part, from the fact that oversight of each individual firm cannot fully internalize the spillovers. The costs of bailing out Lehman Brothers in 2008 were deemed too high because they were weighed against the shareholder losses and other direct impacts of a Lehman bankruptcy, not the dramatically greater costs of the near-Depression that resulted. Firms of systemic importance are also the ones that tend to be “too big to fail”—knowledge of their significance produces moral-hazard dynamics in which gains are internalized but risks are socialized through government bailouts.[104]

The study of systemic risk in the financial sector and what to do about it blossomed after the Global Financial Crisis. There was, however, little discussion about how the concept might be relevant elsewhere in the economy.[105] One reason for this is that concepts traditionally used to articulate systemic risk, such as cost of capital or asset volatility, are associated with finance. However, the characteristics of systemic risk in finance apply to a variety of scenarios. There is no reason these should necessarily be limited to financial markets. Such markets are necessarily interconnected because money is money; it is the representation of value, unit of account, and means of exchange across all firms and users. In an era of global digital networks and physical supply chains, however, finance may no longer be so exceptional. As a group of RAND researchers point out, the bailouts during the Global Financial Crisis included the major U.S. auto makers, even though they were not predominantly in the financial services sector, because of the ripple effects their failures would have had across interdependent supply chains.[106]

2. Systemic Risk Beyond Finance

The RAND researchers were among the first to attempt to model systemic importance outside of the financial services sector. A major challenge for such an effort is that there is no single metric, such as capital, to evaluate firms in nonfinancial markets.[107] The fact that Apple holds tens of billions of dollars of cash on its balance sheet does not make it a risky enterprise; to the contrary, it makes Apple more resilient. This is because Apple is, predominantly, not a vehicle for others’ capital; those funds represent its own profits from sales of goods and services.[108] Similarly, it is not as obvious what a systemic failure would mean outside finance, where the freezing up of liquidity can be measured using the same kinds of financial metrics.

To address these difficulties, the RAND team developed a novel dataset of the interconnections among firms in the broader economy based on a Securities and Exchange Commission (SEC) reporting requirement to disclose information about business segments and customers that represent more than 10% of consolidated sales or revenues.[109] This allowed them to construct a model of upstream and downstream dependencies. If a firm fails, the impacts will be felt by its suppliers and those it supplies. Failures of firms with more connections to other firms will have more systemic impacts. So will unexpected revenue shocks of such firms short of failure. The RAND study estimated the total economic loss of a 1% revenue shock to every firm based on this model. In this way, the RAND analysis models the equivalent of a bank run for cascading failures in other industries.

The firm that would generate the largest loss of a shock according to this model was not a bank. It was Amazon, at a $77 billion economic loss for just a 1% revenue shock.[110] Apple was sixth.[111] Even more interesting, when sorted in terms of the highest estimated losses per unit of revenue, the top firm was the internet domain name registrar GoDaddy.[112] The human-resources software firm Workday was also in the top twenty.[113] Neither would be remotely considered a Big Tech platform in the same category as Facebook, even though both are dominant in their particular market segment. A 1% shock to GoDaddy’s revenues would cause $4 billion in losses across the economy, the researchers projected, even though GoDaddy itself only generates $220 million in annual revenue.[114] This disproportionate importance of certain firms is consistent with the systemic risk model, where size is not everything.

The point of the RAND study was to demonstrate a methodology for investigating systemic risk in the broader economy and to suggest areas of concern.[115] The researchers did not attempt to identify comprehensively which firms posed systemic threats or why. The methodology of modeling firm-level interconnections and impacts of revenue shocks was expressly limited.[116] Nonetheless, it provides evidence for the intuition that financial services firms are not the only ones subject to contagion risk and that the sources of such risk may not only be the largest and most prominent firms. In finance, establishment of systemic risk as a major topic of public-policy concern stimulated academic research on how best to evaluate it. Greater attention to systemic risk in technology platforms, as we propose, should similarly help improve the tools available for the task.

As described earlier, the structure of the internet ecosystem as a collection of interconnected platforms, linked through APIs and utility-like infrastructure, creates conditions of dense interconnection.[117] Amazon sits at the nexus of a vast network of firms that create, market, and distribute virtually every product imaginable and an equally vast information network that tracks, analyzes, recommends, and finds those products. Moreover, because Amazon operates over the internet, it depends on largely privately controlled infrastructure to move data reliably across a distributed global data network with no central control point.[118] One piece of that infrastructure manages the domain names that allow users to find websites, millions of which were registered through GoDaddy.[119] There are other components of internet infrastructure whose importance is similarly obscure, such as content delivery networks like Akamai that facilitate streaming media and services such as Cloudflare that protect against paralyzing distributed denial-of-service attacks.[120]

We do not suggest that all such firms are systemically important. In Part II below, we describe the macroprudential regulatory framework developed in financial markets pursuant to Dodd-Frank and other responses to the Global Financial Crisis. Using that as a model, we develop a framework to evaluate whether a technology firm is systemically important. Our point here is that major technology firms (and some not even considered major) bear characteristics sufficiently similar to those that gave rise to systemic risk concerns in finance.

An important value of the systemic risk paradigm is its generality. It focuses not on the dangerous ways powerful firms may succeed, such as by manipulating markets or abusing their customers, but on the dangerous consequences of their failure. In contrast to most regulatory inquiries, which start from standards for problematic conduct and apply them to firms, this approach begins with standards for identifying firms, and only then looks at their conduct. Behavior that would be unobjectionable for most businesses can raise serious concerns for systemically important ones. Thus, even for existing policy considerations, such as cybersecurity breaches, the analysis may be quite different in the context of systemic importance.

In subpart I(D), we elaborate on the cybersecurity example and the danger of cloud service outages. However, these are far from the only scenarios in which systemic risk might come into play for technology platforms. Because systemically important firms are “too big to fail,” any major business disruption becomes an industry-wide or even economy-wide concern.

For example, ride-hailing services such as Lyft and Uber have become ubiquitous in cities. There is evidence that in addition to outcompeting private taxi services and reducing car purchases among some populations, these platforms significantly reduce usage and therefore undermine the financial sustainability of public transportation.[121] Yet Uber and Lyft, despite their massive adoption and large public market valuations, have never been remotely close to profitability, and show little sign of reaching that goal in the near future.[122] A market downturn in which investors lost confidence and additional capital was not available might drive them into insolvency. That would, in turn, not only have consequences for their investors, employees, and drivers, but could remove a major form of mobility from cities. While other transportation options would eventually return to fill the gaps, there might be significant economic disruption for an extended period. These knock-on costs would be much greater than the direct losses to those directly involved with the ride-hailing firms.

The ride-hailing scenario might be fanciful. It rests on several claims about the scale of these services, their displacement of alternate forms of transportation, the plausibility of their failure, and the attendant disruption. These are all subject to empirical investigation. We do not assert here that Uber and Lyft are systemically important. We observe that they plausibly might be, or might become so. And if they were, the attendant risks are not adequately addressed in any of the current public-policy discussions around these firms.

One reason for systemic risk regulation is that, by the time such risks become real, it is too late to do anything short of the heroic (and fantastically costly) kinds of interventions that were necessary to end the Global Financial Crisis. Such risks must be considered prospectively. Developing the empirical and institutional machinery we propose in this Article not only helps to respond to the harms of systemic risk in technology, it will help to prevent them.

Systemically important firms also have a complex relationship with regulation and other governmental policy initiatives. On the one hand, they tend to be dominant and aggressive actors who appropriately attract the most intensive regulatory engagement. Often rules expressly limit their applicability to larger firms, who have the compliance resources that smaller firms lack.[123] Regulators in Europe have imposed the strictest data protection and platform-liability rules on the Big Tech platforms. In response, these platforms have at times suggested they might be forced to withdraw from jurisdictions where the rules are too onerous.[124] To the extent the services they provide are of systemic importance, doing so would be extremely damaging.

It may well be that the threats by platforms to shut down operations are just negotiating ploys. In other cases, however, governments may deliberately attempt to oust firms. China, in particular, has already blocked the major U.S.-based social networking and search platforms and created restrictions that made it untenable for them to operate local subsidiaries.[125] This occurred before such firms reached their current level of importance in the West, and Chinese alternatives have developed to serve the local market. However, Apple still has a huge presence in China, both as a primary manufacturing location and as one of its biggest and most profitable markets.[126] If China took steps to cut off supply chains or market access for Apple, the impacts could be severe and not at all limited to China.

These scenarios illustrate how systemic importance raises different issues than the current regulatory debates involving Big Tech. The possibility that essential firms will fail may seem remote. However, by definition, such “black swan” events appear so up to the moment when they occur, with disastrous consequences.[127] The possibility that collateralized mortgage obligations and credit default swaps would tank the global economy for a period of years seemed remote to most observers prior to 2008 as well.

An important basis for systemic risk regulation is that the effort and expense involved in building robustness into the system before it is needed tends to be far smaller than the costs when it would have made a difference. Moreover, the possibility that a relatively small technology firm with disproportionate importance, such as GoDaddy, would fail, is considerably easier to envision than one of the Big Tech giants. A systemic risk orientation is the only way to ensure that the outsized risks that the collapse of such firms might unleash are appropriately considered.

3. Distinguishing Earlier Uses of the Term

We are not the only observers to use the term “systemically important” in the context of major digital platforms, though we apply it in the way that Congress and financial regulators would find most familiar. However, earlier users of the term have generally focused on importance rather than the systemic dimension. They employ it primarily as a proxy for “large and should be further regulated.”[128] Systemic risk is used anecdotally in prior work, rather than based on empirical factors. Prior researchers have therefore not developed the regulatory framework we introduce later in this Article.

For example, the New York Department of Financial Services (NYDFS) suggested in 2020 that a council of regulators “should evaluate the reach and impact of social media companies, as well as the society-wide consequences of social media platform[] misuse, to determine which companies they should designate as systemically important.”[129] This suggestion arose when it found that Twitter was not sufficiently protected against a hack, and high-profile accounts were seized for a cryptocurrency scam.[130] “The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions,” NYDFS observed.[131] As accurate as this assessment might be, NYDFS had limited authority to address it as a state regulatory agency, and no action was taken based on its recommendation.

Twitter is certainly now significant to the flow of important forms of speech such as news and political commentary, and a major channel for spreading harmful or fraudulent material. That does not make it systemically important. As discussed earlier, there have been several proposals to create a digital platform agency which would regulate major tech platforms the way the FCC today regulates media and telecommunications utilities.[132] Such an agency would be analogous to the macroprudential regulators in financial services, which exercise oversight on firms’ policies and practices to achieve defined public-policy objectives.[133] However, that is different from the macroprudential orientation of true systemic risk regulation, which concentrates on dangers to the economy as whole.[134]

Similarly, the World Economic Forum issued a report in 2017 that addressed what it termed “systemically important techs.”[135] However, it used the phrase in a different sense. The report concentrated on the ways that finance and technology are increasingly intertwined. “Financial institutions increasingly resemble, and are dependent on, large tech firms to acquire critical infrastructure and differentiating technologies,” as Marc Hochstein explained in a review of the report.[136] In other words, the emphasis was on how tech is important to finance, not on how the systemic risk framework developed for financial services might be a model for tech. The proposal was more a thought bubble than a mandate—one of the authors of the report characterized the use of the term “systemically important” as “a play on words, intentionally so.”[137]

Financial institutions and technology firms are indeed becoming increasingly inseparable, which has led some policymakers to propose subjecting technology firms to financial oversight.[138] The idea is that as financial firms increasingly move their services into the cloud, they are at risk of tech sector disruption; regulators “fear a glitch at one cloud company could bring down key services across multiple banks and countries, leaving customers unable to make payments or access services, and undermine confidence in the financial system.”[139] We view these approaches as broad illustrations of the parallels between the two industries and the way the government engages with them. They provide support for considering technology firms more explicitly within the realm of financial regulation. Our aim is different: using the tools of financial regulation to develop a new way to think about technology regulation.

One reason to worry about simply having financial regulators oversee tech firms is that it might look like an impermissible overreach by regulators who have not been given these responsibilities. The Supreme Court has of late taken a skeptical view of expansive approaches to the regulatory frontiers of agencies. During the pandemic, it struck down an effort by the Occupational Safety and Health Administration to mandate vaccinations for employees of larger employers on the grounds that Congress had not clearly authorized this sort of public-health intervention.[140] It also reversed the Centers for Disease Control and Prevention’s effort to ban evictions on the theory that they could lead to a spread of the virus.[141] Even where permissible, agency mission creep should be treated skeptically as a policy matter. Are regulators used to dealing with banks and trading firms best situated to understand social media platforms and domain name registrars?

It is undoubtedly the case that technology firms are increasingly intertwined with the financial services ecosystem. And this creates under-appreciated risks. For example, in 2019, Capital One leaked customer data for 106 million people, including information about card balances, credit scores, and even in some cases Social Security numbers and linked bank account numbers.[142] It turned out that a former employee of Amazon Web Services—which supplied Capital One with cloud data services—had accessed the personal information.[143] She was charged with computer fraud and abuse;[144] but the incident also led two legislators to ask the Treasury Secretary to designate cloud providers, including Amazon, as systemically important “financial market utilities.”[145] Doing so would subject such utilities to additional regulation by a federal regulator, most typically the Federal Reserve (the Fed).[146] The Treasury declined this invitation, and Capital One later agreed to pay a $190 million settlement over the data breach.[147] This incident illustrates how, even when tech platforms’ roles in financial market risk are identified, there is no developed language for evaluating responses. That is one element of what we hope to provide by building out a framework for systemic risk regulation for tech.

Thus, while the term is in circulation, prior articles have not attempted to build out a model for understanding tech platforms as systemically important in the sense understood by financial regulation. Nor has there been a careful attempt to design a regulatory regime appropriate for the industry context. If anything, the way “systemically important” is thrown around casually outside of finance reinforces the importance of our project.

Before developing our regulatory framework, we next examine in more detail what systemic resilience for technology platforms means. In the previous subpart, we described a few hypothetical scenarios in which critical technology firms failed.[148] There, we deliberately selected unusual possibilities to emphasize the broad nature of systemic risks. To further reinforce the need for attention to systemically important technology firms, we offer here two more extensive case studies of more likely scenarios.

D. Case Studies

1. Cybersecurity Breaches

As discussed in section I(B)(2), cybersecurity breaches are a pervasive and growing threat. Data breach notifications or even the largest imaginable fines would not remotely address the harms of a major breach by an essential platform. Steps must be taken to reinforce the robustness of the data-protection environment overall, such that systemic breaches are both less common and less dangerous.

Data breaches illustrate how systemic risks of Big Tech go beyond the existing regulatory debates. Virtually all companies store the information of their customers digitally, including sensitive personal information like Social Security numbers and credit card numbers.[149] If it falls into the wrong hands, this information can lead to identity theft, unauthorized charges, and the invasion of personal privacy, with consequences including ransoms or worse. As the world becomes increasingly digitalized, data breaches also become more frequent, impose more risks, and cause more serious damages to society. Data-breach-notification requirements have been adopted in most states, GDPR, and all major proposals for federal privacy legislation.[150]

Data breaches are normally viewed as a privacy or data-protection issue, relevant to any firm that holds or processes personal information. Many of the most damaging breaches did not even involve “technology” firms. For example, the hotel giant Marriott suffered two major data breaches within sixteen months. The 2018 breach impacted more than 327 million Starwood guests (Starwood was purchased by Marriott).[151] And about 5.2 million members of the Marriott Bonvoy loyalty program had their personal information stolen in 2020.[152] The Choice Hotels chain, whose brands include Quality Inn and Cambria Hotels, also lost control of sensitive customer data in 2019.[153]

Such data breaches cause serious harms and have led to significant penalties. For example, Marriott was fined £18.4 million by the British Information Commission’s Office (ICO) because of its 2018 data breach.[154] After it was hacked in 2017, the credit bureau Equifax paid at least $575 million, and potentially up to $700 million, settling with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and fifty U.S. states and territories for its “failure to take reasonable steps to secure its network.”[155]

There are, by definition, spillover effects of data breaches, in that information harvested from one location can be used elsewhere. Stolen passwords may be used to access another site, or personal information may be used for identity theft. However, these risks are generally not systemic—they rely on a form of interconnection but are not contagious. Many firms may have the same vulnerabilities because they use the same software. A data breach at one firm, however, is not likely to produce a cascading effect elsewhere. Even the Equifax breach did not undermine the security of the other two major credit bureaus.[156] Tools such as data-breach-notification laws and enforcement actions by privacy or consumer-protection regulators are appropriate means to address most data-breach risks, even if not completely effective.

There may, however, be firms whose role in data protection does rise to the level of systemic risk. This could be either because of their size or their importance to data security. A 2014 data breach at Yahoo! impacted roughly half a billion user accounts, much more than even the notorious Equifax breach.[157] And Yahoo! was by then an also-ran in the digital platform wars.[158]

The GAFAM companies have, for the most part, avoided major data breaches, although they have been far from perfect when it comes to cybersecurity. If they did ever have a serious breach, however, the impact would be massive. These companies not only serve hundreds of millions or more customers; they provide, as noted earlier, the login functionality for many other sites online. And they are at the nexus of huge data-sharing networks with inconceivable amounts of personal information feeding their targeting and customization algorithms. A major data breach today by Facebook, Google, or Amazon would be catastrophic. It is to those companies’ credit that such an Armageddon has not occurred. They are highly motivated to prevent it and possess powerful tools for doing so. It must be recognized, however, that the degree of risk involved is orders of magnitude greater than the degree of risk for other private actors and even major government data repositories.

2. Cloud Service Disruptions

One of the most important factors in the systemic risk of tech platforms is the rise of cloud computing. The shift from treating the servers that deliver content over the internet as specialized devices operated by individual companies to vast pools of computing capacity managed and provisioned as infrastructure is in many ways as important as the shift from private networks to the interconnected global internet.[159] Cloud computing makes it possible to deliver powerful services to users around the world, with capacity scaling up or down based on demand.[160] Few of the now commonplace online services that billions of people take advantage of today would be viable without the power of cloud infrastructure.[161] Yet the flip side of this power is the extent to which the entire internet ecosystem, and everything connected to it, now depends on data centers managed by a handful of firms. As the authors of the RAND study of systemic risk in the broader economy explain:

No firm epitomizes the shift in systemic risk more than Amazon and its increasingly widespread cloud computing service, Amazon Web Services (AWS), a point illustrated through the efforts of this report. Amazon’s centrality in traditional production networks was just emerging at the time of the 2008 crisis. Now, its centrality in digital networks underpinning diverse firms and even public institutions provides an example of the potential of systemic risk in the broad economy, an example that calls for further study on potential risks.[162]

As Forbes has observed, “Amazon Web Services is the dominant player in the cloud computing . . . world with a market share of 32% in Q3 in 2020. . . . This means that any outage at Amazon can have a cascading impact on large swathes of the internet.”[163] AWS experienced at least three outages in December 2021 alone, with attendant consequences for the businesses that rely on Amazon’s servers.[164] For example, in an outage that largely affected northern Virginia, failure of AWS brought down sites including Adobe Spark, the Capital Gazette, Coinbase, the Philadelphia Inquirer, the Washington Post, and Roku, among others.[165] The New York City Subway also blamed the outage for challenges communicating with riders about service disruptions.[166]

Nor are other countries immune from such problems. In September 2021, an AWS outage in Japan caused significant disruptions to “major online brokerages, a leading mobile phone carrier[,] and the country’s biggest airline.”[167] Flights were delayed as the ticketing and check-in system of ANA Holdings went down.[168] Brokerages like SBI Securities and Rakuten Securities also reported delays in their price data feeds.[169]

Nor is AWS the only cloud computing service to experience outages with rippling effects on its customers. In June 2021, several major sites in Australia stopped working for about an hour, and this outage was largely attributed to a glitch caused by service disruptions at Akamai, a U.S. service provider.[170] This outage affected Australian banks, Virgin Australia, and the Hong Kong Stock Exchange.[171] Some Australians “complained on social media of being stuck in supermarket checkouts with no way to pay for groceries or being stranded at gas stations and unable to pay for fuel.”[172]

Fastly, a cloud computing service that serves as an edge cloud platform, went down in early June 2021, and in so doing took down all sites that use the domain, thereby preventing people from booking COVID-19 tests and from filing annual tax returns with HM Revenue and Customs.[173] The outage impacted businesses as well, including Amazon, Boots, and eBay, which were estimated to have lost millions of pounds in revenue as a result of the outage.[174]

A Google Cloud outage in December 2020 brought down Gmail, Google Maps, YouTube, Google Docs, and Google Drive for about an hour, along with all services that rely on Google’s servers, including Pokémon Go and Discord.[175] Though the outage itself only lasted an hour, a large proportion of Gmail users dealt with continuing issues for about three hours after the outage.[176]

Cloud computing increasingly occupies a central place in our technology infrastructure, and its leading providers have dropped significantly during the past five years. The number of companies using infrastructure as a service (IaaS), a type of cloud computing service,[177] has surged.[178] The COVID-19 pandemic, which pushed virtually all countries to implement work-from-home policies, has accelerated these developments.[179]

Cloud computing is also capital-intensive and subject to significant economies of scale, leading to a concentrated market. The fifteen largest cloud service providers share more than 70% of the market.[180] In 2019, the Financial Stability Board, an international body of bank supervisors, had expressed its concerns about the concentration of risk in the space.[181]

The disruption caused by even minor AWS outages gives an indication of how important cloud platforms have become and how widely their failures are felt. However, these services are generally not subject to specialized economic regulation.[182] The terms of their interactions with customers are governed by contract, often including disclaimers that absolve the cloud providers from liability for technical failures.[183] There is reason to worry that private ordering will not fully address important risks, especially the systemic ones extending beyond individual firms.

II. The SIFI Model from Financial Regulation

Financial regulation is different from other kinds of regulation in purpose and in style, partly because it emphasizes resilience and worries about interconnectedness. After reforms in the wake of the last financial crisis, the systemically important financial institutions (SIFI) model has passed a test during the pandemic with flying colors, a test that suggests to us that it offers an effective approach to resilience regulation. The more general alternative, Administrative Procedure Act (APA)-style administrative law, was devised in reference to adversarial relationships between a regulated industry and the agency that regulates it.[184] The APA sets forth the rules of the road that agencies must use to make policy and affords industry and other interests a route to court if the agency fails to follow those rules.[185] With environmental protection, or workplace safety, the paradigm is distributive rather than integrative. Costs not borne by the public are passed on to regulated industry, meaning that administrative law undergirds a contest in which judges are referees adjudicating the rationality and scientific soundness, or at least the process of identifying the scientific soundness, of government decisions to impose costs on businesses.[186]

Financial regulation has adopted a different approach. It is collaborative, to some degree, because the provision of financial services is something like a public good. The private firms that extend credit and safeguard deposits are performing a service that the government wants to have performed, and so part of what the government does when it regulates finance is to encourage the development and reach of financial institutions.[187] One of the functions of the Federal Reserve, for example, is to provide information to financial institutions through its research arm. It also provides institutions who run out of money, but are not insolvent, with loans. And it has longstanding relationships with its “primary dealers,” who stand ready to sell or buy government securities from the Federal Reserve when it wants to expand or contract the money supply.[188]

When times turn bad, the financial system has proven itself to be highly susceptible to panics and collapse, which can impose more costs on the public than the firms themselves experience. The government accordingly has imposed rules on financial institutions designed to reduce the likelihood of collapse—rules that have been adjusted to now encompass the systemic-importance approach in place today. This aspect of financial regulation is not entirely collaborative—banks might prefer somewhat less resilience regulation—but it is not entirely adversarial, either. Investors, employees, and managers in financial firms worry about the risk of a collapse, either at their firm, or at an interconnected firm on which they rely (or even simply resemble), and take comfort from the government’s efforts to prevent a collapse.

Both regulators and the regulated, in other words, have an incentive to work together to create a system of financial regulation strong enough to weather shocks and healthy enough to encourage the public to make use of financial firms with confidence.[189]

Accordingly, financial regulation offers a different kind of regulatory paradigm than the paradigms wielded over the more traditional industries regulated by other administrative agencies, but shared by the administrative context of other areas of the state seeking to provide services through a public–private partnership.[190] It is an old paradigm, too, though it has evolved over the years. Financial markets were among the earliest to be subjected to direct government involvement, as exemplified by the First and Second Banks of the United States and the creation of the Office of the Comptroller of the Currency during the Civil War. The nineteenth-century successes and failures of government efforts to encourage and rationalize the provision of financial services then have informed the way financial regulation works today.[191]

The resiliency paradigm of finance has not yet been applied to the technology industry.[192] By contrast, the tech sector emphasizes the importance of innovation under a Schumpeterian paradigm in which that innovation is sometimes disruptive.[193] That innovation has costs, both to incumbent firms and to users, is taken as a necessary fact of life. We do not want to curb tech sector innovation but think that it could be paired with resilience regulation of the too-important-to-fail parts of the now elaborate ecosystem.

In the rest of this Part, we sketch out the fundamental principles of the systemic risk regulation paradigm. In the following Part, we apply that paradigm to areas of the tech industry that might most benefit from it.

A. Some Principles of Financial Regulation

Financial regulation is all about building sustainable institutions. At both the global and domestic level, regulation can be characterized as pursuing three different ends in order to do so: an analysis of credit risk, operational risk, and market discipline.

First, regulators carefully scrutinize the credit risk taken on by financial institutions; for this, daily supervision of the balance sheet is traditional.[194] Indeed, financial regulators for many years only looked to credit risk—the risk that a bank was making loans that were unlikely to be repaid in full, resulting in losses that could be visited on the people providing the financing to make those loans (classically, individual depositors).[195] Since then, global regulators have identified two other sources of concern and opportunity when it comes to pursuing financial stability: market discipline for financial institutions and operational risk as a worry that can be paired with credit risk.[196] The opportunities afforded by market discipline—the idea is that investors can help regulators identify risky practices by voting with their feet and exiting risky firms—means that there is a role for disclosure by banks that allow investors to make intelligent choices about which banks to support.[197] As for the perils posed by operational risk, the idea is that banks can run into trouble not only by making bad investments, but also by misapplying their internal controls and allowing a rogue trader to put them into positions that can threaten the soundness of the bank.[198] Financial regulators have encouraged banks to develop controls to mitigate this risk.

Systemic risk regulation is a relatively new addition to the financial regulatory regime. It is based on the recognition that safety and soundness requirements that are appropriate for most firms may not be sufficient for those that are systemically important. Therefore, the first distinguishing feature of this regulatory framework is designation. Regulators identify certain firms, whose failure would imperil the rest of the financial markets, as systemically important financial institutions (SIFIs).[199] These firms are subject to heightened regulatory obligations to ensure their resiliency. Designation, moreover, is not limited to banks—the market segment traditionally subject to the most stringent oversight—but can and has been extended to systemically important nonbanks like insurance companies. There is both a domestic and international component of the SIFI designation process, in that American regulators identify American institutions whose failure would threaten the American economy and then work with their foreign counterparts to identify firms whose failure would likely spread across borders.

The international designation process is essentially an adjudication on a transnational level, with detailed metrics and applications of those metrics to individual banks, resulting in the designation of thirty banks—eight of which are American—as systemically important and therefore subject to extra oversight.[200] The domestic process of designation has operated in parallel with the international version, with the Financial Stability Oversight Council designating those American banks identified as systemically significant.[201] Designation costs large financial institutions. It subjects them to extra capital requirements, and in the United States it means additional supervision by the Federal Reserve.[202] However, these costs are meant to be exceeded by the benefits the rest of us receive when banks do not fail.

Nor are these the only economic consequences posed by SIFI designation. Although designation carries clear regulatory costs, it also raises the possibility of the receipt of a regulatory benefit—an implicit acknowledgment that the government will rescue a systemically important firm that gets into trouble. This could encourage investors to be willing to finance the firms cheaply, as they know their money will be safe there. As we will see, it is unlikely that a technology firm would enjoy a similar benefit—there are no government bailouts that would save a firm that suffers a tech disaster—but it is an issue that regulators must keep in mind.

B. The Financial Stability Oversight Council

Domestically, the designation process is overseen by an organization of regulators chaired by the Secretary of the Treasury: the Financial Stability Oversight Council. The Global Financial Crisis came as a surprise to financial regulators and resulted in a reorganization of regulatory oversight in an effort to better coordinate it and to create a robust process for the identification and designation of systemically important firms. During the crisis, the collapse of the housing market and the threat to banks posed by complex derivatives proved to be risks that neither the banks nor the regulators had foreseen adequately; the post-crisis reform was partly an effort to make sure that these sorts of surprises did not happen again.[203]

The Council is charged with taking a broader view of risks to financial stability in the hopes that idiosyncratic but real threats to financial institutions can be identified as early as possible.

As a result, Congress reformed the process of financial regulation through the Dodd-Frank Wall Street Reform Act.[204] In addition to strengthening the capital requirements of banks in an effort to make them more resilient to a surprising shock like those presented during the crisis, the statute created the process of identifying the particularly important financial institutions whose instability might threaten the system.[205]

Comprised of representatives from various federal agencies, the Council should be understood as a regulator made up of regulators.[206] The Council is chaired by the Treasury Secretary and includes nine other federal financial regulators.[207] It also includes, in a nonvoting capacity, some non-federal regulators—a state banking regulator, a state insurance commissioner, and a state securities commissioner, as chosen by the state regulators in each issue area.[208] While this state–federal cooperative approach is relatively unique, the ability of states to affect decision-making on the council is limited. Only federal regulators, for example, get to vote on designations of systemic importance of nonbanks.[209]

Congress gave the Council eleven factors to apply to designations, with one including “any other risk-related factors that the Council deems appropriate,” affording it a great deal of flexibility in determining what matters in designation.[210] The Council, in turn, added content to that broad mandate by promulgating a regulation indicating that it would principally focus on size, substitutability, interconnectedness, leverage, liquidity, and existing regulatory scrutiny.[211]

The Council issued guidance dividing the six categories imposed by Dodd-Frank into two distinct groups.[212] The first group, including size, substitutability, and interconnectedness, was meant to “assess the potential impact of the nonbank financial company’s financial distress on the broader economy.”[213] The second group, including leverage, liquidity risk, and maturity mismatch, would tell the Council “the vulnerability of a nonbank financial company to financial distress.”[214]

Interconnectedness is meant to capture direct or indirect linkages between financial companies that could transmit consequences to a broad swath of firms if a company found itself in material financial distress.[215] Relevant to this inquiry was not just the number of links to other firms—though firms that found themselves central to huge networks were certainly liable to be found to be systemically interconnected—but also the importance of the firm to its counterparties.[216] For example, a firm with a number of concentrated principal contractual counterparties might suggest a dangerous degree of interconnection by a financial firm, especially if the interlinked firms were large or unique in some way. An example might be a custodian, a firm that held assets for other firms; if the custodian fell into material financial distress, the firms that depended on the custodian to provide them with the collateral they had left with it could be seriously affected.

Substitutability is meant to identify the alternatives to a firm that finds itself in distress and withdraws from a particular market.[217] For example, a company with a stable and large market share compared to its competitors might impose high switching costs upon its parties if it fell into distress. The idea would be that the firm would have a stable base of clients who depend on it and would find it difficult to switch to an alternative service provider. The stability of that client base would be an example of the lack of substitutes. A classic example of a non-substitutable firm might be a regulated natural monopoly, like an electric company. If the company went under, its customers would find it difficult to switch to an alternative provider.

Size was conventionally measured by the balance sheet of a financial firm.[218] Balance sheets of such firms account for the assets, liabilities, and equity of the firm, and its related businesses. The idea is straightforward enough. Regulators worry much more about Wells Fargo collapsing than they do a small hometown bank because the small hometown bank’s collapse would only have a local effect, whereas Wells Fargo’s collapse would have national consequences. For what it is worth, regulators are not only interested in the big firm but also its related parties to make sure that the firm was not pretending to be small by disguising itself within a holding company structure with a number of affiliates. FSOC declared that it would assess size with reference, even, to off-balance-sheet entities that, if distressed, might impel the firm to do an unrequired rescue.[219] If the rescue then drew the rescuing parents of the off-balance-sheet entity into distress, regulators promised to take steps to ameliorate that issue.[220]

Applying the metrics of size, substitutability, and interconnectedness was meant to give the Council a handle on the risks posed by the firm to the broader economy. The other three factors—leverage, liquidity risk, and maturity mismatch—were designed to help the Council assess the vulnerability of any particular firm.

Leverage is a somewhat uniquely financial term that is meant to capture a company’s exposure relative to the amount of its equity capital, which serves as a buffer to soak up losses. Under the capital rules applicable to banks, those institutions can be highly levered indeed. A leverage ratio of 3% is the minimum required by bank regulators across the world, although some countries require slightly more leverage.[221] The idea is straightforward enough. Consider two highly leveraged companies. If the first company buys one dollar of assets and finances the purchase by putting up two cents of its own money and borrowing $0.98 from somebody else, it has a leverage ratio of 2/100, or 2%. It will be insolvent if the asset it buys declines in value by more than two cents. Not only will the company have none of its money left, but its creditors will also face losses. If the second company engages in the same purchase, but puts up four cents of its own money, and borrows $0.96 from somebody else, it will remain solvent as long as its assets do not decline in value by more than four cents. The 4% leveraged company is less vulnerable to a decline in the value of its assets than is the 2% leveraged company.

Liquidity risk refers to the risk that a company may not have sufficient funding to satisfy its short-term needs. An example might be seen in the mortgage bank at the center of It’s a Wonderful Life.[222] After many of its depositors came in person to the bank seeking their deposits back immediately, George Bailey found it difficult to satisfy them all with the money he had on hand, as much of the money they deposited with the bank was tied up in houses that could not be turned easily into money. The bank owned plenty of assets but could not easily exchange those assets for the cash it needed to meet the demand for withdrawals.

Maturity mismatch refers to the difference between the maturities of the firm’s assets and its liabilities.[223] The term is related to liquidity risk, in that it also would be implicated if a company relied on short-term financing to fund long-term positions, like, say, depositors who can ask for their money back at any time funding home mortgages that will not be paid off for thirty years. Companies with a high degree of maturity mismatch are at risk of insolvency if that short-term financing disappears, which might force them to sell the mortgages, at fire-sale prices, in a desperate effort to raise ready cash.

In the course of designating four nonbanks as systemically important, the six factors were applied through a three-step process.[224] The first inquiry was quantitative and oriented on size. Nonbank financial companies with more than $50 billion in assets passed this stage and accordingly knew that they might be subject to designation.[225] In the next stage, the Council would assess the riskiness of particular institutions that pass the quantitative threshold on its own, without informing the financial company of this process, making it an inquisitorial, rather than adversarial round in designation.[226] Finally, if the first two stages of the process were met, the Council would invite the institution proposed for designation to present evidence to the Council designed to persuade it not to designate, a process that could involve lengthy hearings and the production of a great deal of evidence.[227] For example, when faced with designation, MetLife, a large insurance company, submitted over 21,000 pages of materials to the Council in an effort to stop the process at stage three.[228] (It did not work—the Council, by a vote of 9–1, with the federal insurance expert dissenting, ultimately designated MetLife as systemically important.)[229]

As for how to choose which financial firms to regulate, the Council took a three-part approach. It applied basic quantitative criteria to banks—big banks were designated as systemically significant and directed to submit to additional regulation by the Fed and to hold additional capital.[230] Financial market utilities—the exchanges and trade processing institutions that undergirded the markets—were also subjected to regulation.[231] These “systems that provide the essential infrastructure for transferring, clearing, and settling payments, securities, and other financial transactions among financial institutions or between financial institutions and the system,”[232] as the Fed put it, would have enhanced supervision by the Fed, the SEC, or the Commodity Futures Trading Commission.[233]

But the Council was particularly interested in making sure that there were no nonbanks who posed risks like banks did but were not regulated as carefully as banks were. The Council retained the authority to impose federal regulation upon a determination that the nonbank financial company was in “material financial distress” that “could pose a threat to the financial stability of the United States.”[234] The Council defined that distress to include companies “in imminent danger of insolvency or defaulting on [their] financial obligations.”[235]

C. The New Model Faces a New Test

There are reasons to believe that this new approach is working. The COVID-19 pandemic offered an intense shock to the economy. Yet, it did not seriously threaten the financial sector, which not only survived the shock but helped the government provide aid to businesses adversely affected by it through a series of emergency lending programs.[236] Similarly, small businesses eligible for the Paycheck Protection Program were also meant to receive funds from the banks with which they had a relationship.[237] Banks, and above all the systemically important banks designated by FSOC, thus not only proved to be resilient enough to withstand a major shock but also assisted the government in providing aid to the rest of the economy, consistent with the partnership model that characterizes financial regulation.[238] As a result, the performance of the banking system was deemed to be good—and deemed to have been helped by the regulatory enhancements put in place by Dodd-Frank. As the Minneapolis Fed put it: “In the COVID-19 crisis, banks were the pillars on which the economic rescue stood, rather than beneficiaries of government handouts.[239]

Large bipartisan majorities in Congress passed legislation authorizing the Fed and Treasury to work through banks to respond to the COVID-19 crisis.[240] Banks designated as systemically important not only survived the crisis but also played important roles in the recovery, suggesting that designation had created resiliency without overly interfering with performance.

The systemic risk paradigm, in other words, proved to be a resilient and successful one in its first serious test and offered a springboard to the government to provide economic assistance to the rest of the country.

Accordingly, those who wonder whether technology legislation on the part of Congress is unlikely—after all, legislation is difficult in the best of circumstances, and technology is controversial—may want to take heart in both the bipartisan nature of the systemic risk legislation in finance and in its performance during the pandemic.

III. Applying the Model

The SIFI designation and FSOC’s structure should be used as a framework for systemically important technology firms. We are not proposing that they meet the specific SIFI designation criteria of FSOC. While some Big Tech platforms have significant and growing financial services operations, they do not yet compare as pure financial players to the big banks and other institutions that FSOC oversees. The relevant metrics for evaluating importance and systemic risk will not be the same outside of the financial context. Rather, we propose taking the financial services regime as a model and adapting it to the distinctive aspects of the technology context. As discussed in Part I, both very large and very important technology firms appear to be reaching a point where their failure would produce cascading effects that could disrupt the global economy. Traditional regulatory tools are not appropriate for these risks. We therefore examine what a systemic-importance regime for tech could look like.

We emphasize that this is an initial outline. Much work will need to be done to turn it into a concrete regulatory regime. By starting the analytical process, we hope to encourage other scholars, policymakers, and market participants to debate what components should be included in the designation regime, how they should be evaluated, and how best to construct an analogue of the FSOC.

A. Who: Systemically Important Network Institutions (SINIs)

We propose that a new regulatory category be established through federal legislation, analogous to the creation of the SIFI designation established in Dodd-Frank. We label it Systemically Important Network Institutions (SINIs) to capture the fact that these are not just firms in the technology sector; they are intimately involved with the internet and related forms of connectivity. Of course, designation is not the only way to regulate the tech sector—it is not even the only way that the government could ensure the resiliency of tech firms.[241] But we think that identifying the particular institutions that form the backbone of the tech sector is a useful exercise and a productive way of thinking about big risks while identifying a limited number of designees required to take on new regulatory burdens. In what follows, we apply FSOC’s entity-focused blueprint to technology.

1. Criteria for Designation

The FSOC’s factors of size, interconnectedness, and substitutability might usefully be applied to the technology ecosystem. Important platforms—such as the cloud service providers whose outages have been so disruptive in the past, albeit, thankfully, not very sustained—could be scrutinized to see how they link up with the rest of the technology sector.[242] In fact, in a 2018 speech, Karen Petrou, Managing Partner of Federal Financial Analytics, argued that “looked at as if they were big banks, [technology] platform companies are systemically-important by the criteria now used to designate global systemically-important banks (GSIBs).”[243]

Large tech platforms naturally interface with lots of other actors, but there is more to interconnectedness than just size. Is a platform too interconnected? Regulators could apply network mapping techniques to make this determination. There are well-established tools for evaluating power relationships in network models, which are widely applied in management and other fields.[244] Connection points among technology and other firms can be modeled in this way and used to determine which firms occupy positions of strong centrality. The team of RAND economists have already done so for one dimension—the relationships among firms, suppliers, and downstream customers.[245] There is no reason to think that, given the ability to obtain information from suspected interconnectors, the regulators could not do an even better job of teasing out which firms are the keystones to the technology ecosystem and therefore should be required to be more resilient.

In fact, this sort of interconnectedness inquiry could proceed along the lines that financial regulators use for SIFIs. Regulators could establish a simple threshold for interconnectedness, such as a dollar value of client firms or perhaps a number of users, request information from those firms for second-stage inquiry, and at a third stage invite the firms in to explain how they are or are not dangerously fundamental to the workings of the ecosystem.

Nor need designation be something that these foundational firms should fear, because they will likely be able to pass on any extra regulatory compliance costs designed to enhance resiliency to their clients.

A similar sort of inquiry can be imagined over size and substitutability. Size could be established through gross revenues and substitutability by the ready availability of competitors along the lines of an antitrust inquiry. For substitutability, regulators could ask how quickly and easily clients of SINIs could switch from one firm to another. Here, the idea is that systemic importance does not come merely from popularity but from the existence—or lack thereof—of alternatives. If Google Maps went down, consumers could quickly switch to another maps program—or at least the debate would be whether this would be so. On the other hand, if backbone platforms like cloud services were hacked or went out of business suddenly, it might be difficult for firms relying on the cloud servers to move seamlessly to another cloud service platform. Eventually, the capacity of the cloud server ecosystem could become too cramped if a provider of about a third or so of cloud services stopped being able to perform its function.

The systemic risk inquiry might have some surprising outcomes. One could imagine a regulatory conclusion that Google, the largest technology firm in the world and the one on which the most consumers rely, would not be systemically important because of the ease with which replacement services could be stood up or switched over to. On the other hand, internet providers of back-office technology might prove to be especially interconnected and accordingly in need of extra attention to their resilience.

All of this requires a dynamic system where, as with financial regulation, designations can change as the market develops. Empowering regulators to make, and obligating them to revisit, systemically important designations would have this effect. Moreover, overseas regulators are aware of the importance of thinking broadly about systemically risky businesses. The European Union promulgated a directive in 2016 providing that digital infrastructure businesses “identified . . . as operators of essential services . . . will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services, and online marketplaces, will have to comply with the security and notification requirements under the new Directive.”[246] The implementation of this European Network and Information Systems (NIS) directive might provide further insights for development of the SINI structure.[247]

2. Which Entities Might Be Declared a SINI?

Who might be subject to a systemic-importance designation? The starting point for consideration would be the Big Tech platforms such as the GAFAM giants. However, as we have discussed, size is only one factor in the inquiry. Systemic importance is not just an alternate route to restrain Big Tech to address concerns such as content moderation, privacy violations, and antitrust.[248] While imperfect, tools exist to address those issues. As the RAND study found, sometimes the most densely interconnected firms are not the biggest in terms of revenues.[249] The same is likely true for substitutability. Firms may dominate an important infrastructure niche and be so deeply embedded in processes through APIs that they are quite difficult to replace, even though they are relatively small.

Another important dimension is that the major tech platforms are not unitary. Amazon, for example, is a business-to-consumer e-commerce platform as well as a business-to-business cloud services provider.[250] These two businesses are symbiotic, and Amazon has significant market power in both.[251] However, Amazon’s AWS cloud business, which powers many different kinds of other firms, might be considered more systemically important than its e-commerce business. Apple sells devices such as the iPhone but also operates services such as its App Store platform and iCloud. And for firms such as Google and Meta, which are essentially conglomerates offering distinct yet interconnected products and services, the systemic-importance inquiry will need to assess whether to measure the whole or the parts.

For illustrative purposes, we offer a map of technology firms that might be determined as systemically important. We emphasize that this screen is preliminary; any analysis would need to evaluate size, interconnection, and substitutability empirically. As with the description of possible failure scenarios for systemically important technology firms,[252] our goal is to stimulate thinking about where the greatest risks lie. One of the great benefits of a SINI framework is that it would encourage consideration of vulnerabilities that would otherwise be ignored because the firms involved are not the behemoths already under scrutiny.

a. Cloud Infrastructure

As already described, cloud infrastructure is a major area in which a small number of firms support a huge share of online activity. The cloud market is also highly concentrated. AWS, Microsoft Azure, and Google are 60% of the global market.[253] Because their business is to support services delivered by others, cloud infrastructure providers are necessarily highly interconnected with other firms. Whether there is sufficient substitutability would be an important question for a SINI designation inquiry.

b. Communications Infrastructure

The communications industry is subject to comprehensive regulation through the Federal Communications Commission and other agencies because of the combination of its societal importance and its tendency toward natural monopolies due to cost characteristics and network effects. While the sectoral communications regulatory regime is different in many ways from the horizontal systemic-importance inquiry we propose, it is similar in imposing obligations above and beyond generic ones such as consumer protection and antitrust. In the internet era, the question is whether firms that are traditionally regulated service providers, such as telephone and cable television companies, should nonetheless be subject to requirements based on their systemic importance. Internet service providers have significant power, which has led to efforts to impose network-neutrality requirements.[254] However, because they are providers of the physical wiring or wireless connections between end-users and the internet, their scope is necessarily geographically limited. A Verizon outage will not impact Comcast customers, even in the same city, nor will it likely affect Verizon users in other cities.

The communications services that generate systemic risks will operate at the application layer of the network, or at the software-infrastructure layer. The biggest segment in the former category involves multi-party video communications. Zoom in particular rose to prominence just before and during the COVID-19 pandemic as the primary method that many millions of individuals and thousands of organizations used to communicate.[255] Even after businesses and educational institutions have returned to in-person activities, remote or hybrid interaction remains a permanent feature for many meetings and classes. Zoom, as well as the business-focused video communications platforms provided by Microsoft and Google, would appropriately be considered for a systemically important designation.

c. Network Infrastructure

The software infrastructure of networks would be the next area to seek systemically important providers. As already described, the RAND study found that GoDaddy, a relatively obscure provider of domain name registration services, was one of the most deeply interconnected firms in the U.S. economy.[256] This is no doubt because it provides an essential element of connectivity for so many businesses. Content delivery networks such as Akamai and Cloudflare, which maintain network performance and overcome denial-of-service attacks, are in a similar position.[257] None of these firms are massive by traditional metrics. Size is one of the factors for designation we adopt from the financial services model, so that might be enough to defeat a SINI classification. However, these firms touch many more users than the ones they serve directly.

d. Application Infrastructure

Moving higher up in the network stack, there are also a set of software infrastructure providers for the applications and services provided over the internet, as opposed to for the baseline connectivity. Shopify, for example, is the dominant provider of e-commerce storefront capabilities to all but the largest businesses.[258] Twilio powers the majority of communications-oriented services, such as click-to-call functionality or text messaging, initiated through internet-based services.[259] Stripe and Square power all sorts of online payment activity; they are the glue behind the scenes that link traditional financial services systems such as credit card networks with internet activity.[260] As with the network software infrastructure, these providers are relatively small, and there is significant concentration in each market segment.

e. Enterprise IT SAAS

Finally, there are internet-connected software as a service (SAAS) providers that could be systemically important because of their essential functionality for other businesses. The human resources software leader Workday, for example, shows up in the RAND study of most-interconnected firms.[261] Salesforce, the dominant customer relationship management platform, and the enterprise resource planning provider SAP, might also be essential to so many firms that their failure would rise to the level of systemic risk. These firms provide important infrastructure for traditional businesses the way the prior two categories power online services.

f. What’s Not on the List

This list does not include many of the companies one might initially expect, such as Facebook and Twitter. One aspect of the GAFAM tech giants is that their end customers are primarily consumers. Facebook casts a long shadow because of its influence over social interaction, news, and political discourse. In terms of economic importance, however, a Facebook outage might not have the same devastating consequences as an outage of a large bank. Losing access to updates from your friends and family is not the same as losing access to your money. And Twitter, despite its political and media footprint, is used by less than a quarter of U.S. adults.[262] Again, a fuller designation analysis would need to be done to assess empirically whether the standard was met.

B. Where: The TechSOC

We propose that a council of relevant federal regulators be brought together to identify and supervise Systemically Important Network Institutions, or SINIs. By analogy to FSOC, this would be designated the Technology Stability Oversight Council, or TechSOC.

The TechSOC would be comprised of the heads of relevant federal entities:

  • Federal Communications Commission is the primary federal regulator of the telecommunications and media sectors.[263] Despite its technical expertise, the FCC does not directly oversee digital platforms today because its statutory jurisdiction is limited outside of telecommunications providers, broadcasters, cable companies, and satellite communications firms.[264] However, the FCC adopted network-neutrality rules in 2015 by classifying the internet as a telecommunications service (although the decision was reversed in 2018 under the Trump Administration).[265] It also has relevant experience as the agency that oversees network reliability for telecommunications networks.[266]
  • Federal Trade Commission, through its authority to police unfair and deceptive trade practices, is the de facto federal privacy regulator, and has also investigated firms for insufficient security practices.[267] It is also involved in antitrust oversight, including for technology firms.[268]
  • Cyber and Infrastructure Security Agency (CISA) in the Department of Homeland Security is the national coordinator for critical infrastructure security and resilience.[269]
  • The Federal Reserve would serve as the connection point between the TechSOC and FSOC, lending its experience in regulation of systemically important financial institutions. In recent years, the Fed has also developed relevant expertise in cybersecurity and dangers of technology-related market disruptions.[270]
  • National Telecommunications and Information Administration (NTIA) in the Department of Commerce is the Executive Branch coordinator for internet and communications policy.[271]
  • The National Institute of Standards and Technology (NIST) is a non-regulatory entity but might be included as a liaison because of its role in developing federal technology standards, including for cybersecurity.[272]
  • If a new digital platform agency is created, it would also be included in the TechSOC.

This collection of tech regulators could usefully draw lessons from the experience of financial regulators in identifying vulnerabilities in an increasingly interconnected system. The TechSOC structure would also force information sharing and other forms of informal coordination among agencies that otherwise have only a piece of the relevant information.

FSOC has a chair in the Treasury Secretary, but our ideal council would not be run by a political appointee close to the President and could, potentially, include both Democratic and Republican representatives from the independent agencies in an effort to move the council out of the realm of politics. Many other administrative aspects of the TechSOC would need to be determined in any enabling legislation. Our purpose here is to establish generally the need for something along these lines, recognizing the need for further analysis to generate a fully formed proposal.

The creation of a TechSOC is, in our view, superior to some alternatives. We have a FSOC dedicated to matters of systemic risk, including, at least in theory, systemic risk that arises outside of the financial system, but it would be an inexpert regulator of technology. The TechSOC could adopt the approach of FSOC, while deploying the expertise of its members to identify systemic risk in tech. Rather than a council of technology-interested agencies, we could create a new super agency to regulate tech risk, but the council model reduces the risk of jurisdictional conflict between a new agency and its counterparts with other responsibilities in the technology sector. The council model, moreover, appears to have done well during the COVID-19 crisis, as we have observed, and so in some ways has won the right to be replicated.[273]

C. What: Consequences for SINIs

This regulatory body would be conducting a different sort of inquiry than do other regulators: one informed by, if different than, the role that FSOC plays in assuring financial stability.

Both financial regulators and our technology oversight council would be looking for systemic risks posed by individual firms. In practice, this means a search for highly nonlocal effects of local disruptions. In the financial system, the analogy is often drawn to contagion. One firm suffers from, say, a bank run, and the effects are not only felt by it but by its counterparties, by firms that resemble it, and by firms that depend on those firms in turn.[274] The robust interconnectedness of the financial system, while a source of efficient capital allocation in normal times, makes it susceptible to panics and crises in bad times.

Portions of the technology ecosystem have the potential to exhibit a similar kind of dynamic[275] and therefore would benefit from a similar kind of regulatory inquiry. The question would be whether local difficulties in this ecosystem would also have highly nonlocal effects.

We expect that the TechSOC would want to conduct studies looking for this kind of potential problem. The council might also look for choke points in the ecosystem—places where interconnectedness narrows and is concentrated. The search for such choke points is not only a matter for financial regulation. Health and safety regulators look for choke points in supply chains as good places to worry about alternatives and conversely, in some cases, focus their limited bandwidth.[276] Food regulators might therefore do inspections at ports rather than by trying to surveil every farm that produces consumable exports. In finance, the FSOC has facilitated the move of derivatives trading to exchanges and away from bespoke dealmaking by banks.[277] The idea is that the public observability offered by the exchanges will give regulators and others interested in the stability of the derivatives markets a window into sudden market moves. At the same time, the FSOC has designated these exchanges as systemically important and accordingly subject to extra regulatory requirements, particularly requirements to hold capital.

On the other hand, technology regulators might view portions of the technology ecosystem that provide for interoperability as places where the choke-point risk has been addressed, substitutes have been welcomed, and because of the presence of alternatives, the concern about highly nonlocal effects of local collapses has become less salient.

The TechSOC would also look to finance-like factors in assessing the possibility of systemic risk.[278] Once it has identified particular firms—and perhaps certain widespread practices, if appropriate—as systemically important, it could then require those firms to engage in a particular suite of activities.

The most notable of these activities would likely be a new form of the stress test.[279] American regulators require large financial institutions to conduct stress tests on the basis of a regularly changed version of hypothetical adverse scenarios—one year it might be a shock to the housing market, another year, an adverse climate scenario.[280] Those institutions are also obligated to develop their own periodic stress tests simulating liquidity shocks.[281] Mehrsa Baradaran has called this “regulation by hypothetical,”[282] as the stress tests (and living wills, for that matter)—metaphors from medicine, as Robert Weber has observed[283]—to change bank conduct.[284] Stress tests, which Dodd-Frank required of banks and regulators, meant that the most systemically important banks had to, as the Fed put it, prove “their ability to withstand an extremely adverse hypothetical economic scenario.”[285]

Stress tests for technology firms offer a similar kind of opportunity. Regulators could obligate systemically important technology outfits to perform an annual or semiannual emergency drill, requiring them to subject their programs to unlikely and adverse scenarios to provide both the firms and the government with some comfort that technology companies that passed the test would be capable of doing well in difficult times.

A second promising requirement for systemically important technology firms would be the creation of the living will. In finance, large banks and nonbank companies designated as systemic are required to file annual resolution plans, which are commonly known as the living will.[286] In such a plan, an institution needs to provide detailed information about its structure and operations and explain how it plans to carry out a rapid and orderly resolution under the U.S. Bankruptcy Code without seeking extraordinary government support should a disastrous failure happen.[287] The Federal Deposit Insurance Corporation and the Fed jointly review the credibility and feasibility of the living will and provide written notice of deficiencies to institutions that fail to meet the agencies’ review standard.[288] If those institutions fail to appropriately revise and resubmit their plans, they may be subject to “more stringent capital, leverage, or liquidity requirements,” encounter “restrictions on its growth, activities, or operations,” or even be dismantled through “forced divestitures of its assets.”[289]

This creation of the Dodd-Frank Act is meant to concentrate the mind of the regulated business, prevent the financial conglomerates from being too big to fail, and make the inevitable collapse of these big institutions less destructive.[290] By providing a roadmap as to what would happen upon a disastrous collapse of operations, they serve as a memento mori to the firm[291] and a regulatory-required opportunity to engage in crisis planning and emergency preparedness. Additionally, as then-member of the Federal Reserve Board of Governors Dan Tarullo explained, “the information requirements of living wills and the need to measure and manage risks at the legal entity level can help create the right incentives for firms to simplify their structures,”[292] which in turn would also strengthen their stability.

Finally, systemically risky finance firms are obligated to hold extra capital against their assets, so that there is a cushion of equity that can be deployed to soak up losses before those losses can be visited on other providers of capital to the firm.[293] The largest worry is that depositors might find their deposits impaired in a crisis. The analogy in technology would be an emergency, “rainy day” fund. Technology firms in distress would have the ability to draw on financial resources to address the crisis quickly; this deployment of emergency financing could bring in hackers to address the consequences of a hack, programmers to bolster the firm in the event of a disastrous programming bug, and so on.

Financial regulators charge the extra regulation required of systemically important firms to the Fed. It is less obvious who precisely on or around TechSOC could serve a similar role in technology oversight. A good systemic risk regulator would include not just lawyers, but technologists and programmers, to say nothing of economists and computer scientists. Our current regulatory environment does not feature such an agency with such a broad remit and multifarious talents among its staff. It could be that a task force of agencies would be the appropriate applicators of the stress testing and reviewers of the living wills, not to mention promoters of other markers of resiliency.[294] Technology policy experts muse about the creation of a new agency responsible for oversight of the sector; and if Congress were to create such an agency, it would belong on the Oversight Council, and perhaps serve as the conduit of the extra regulations on systemically important businesses.[295]


We mean our approach to be something of a thought experiment, but care must be taken in the implementation of a systemic risk framework. We think that tech platforms and backbones could, if they collapsed, have some cascading effects. But it is certainly the case that the contagion of a financial panic—where good firms get pulled in after bad ones and bad news can lead to fire sales, which can look like more bad news, requiring more selling into panics—is a unique problem rooted in the unique fragility and interconnectedness of the financial sector. Not every paradigmatic financial regulatory scheme has an obvious cognate in tech regulation; the capital requirements that banks have, designed to insulate a bank against a fall in asset values, does not have a clear analog in cyber infrastructure, though there may be merit in rainy-day-fund requirements for some systemically important technology firms.

There is a pressing need for new insights in technology regulation. Even as the sector becomes more important, efforts to address its dangers are stymied in partisan fights and fixated on a narrow list of issues. A systemic risk regulation structure would provide a way for policymakers to ensure, hand-in-hand with technology firms themselves, that firms are resilient and that the system is a strong one. For tech platforms that have become too big to fail, we can no longer afford to focus energy only on their bigness. We must take steps to prevent the catastrophic fallout of their failure.

  1. . For assessments, see, for example, Adam J. Levitin, In Defense of Bailouts, 99 Geo. L.J. 435, 438 (2011), stating, “Recognition of the problems with the federal response to the financial crisis made addressing the systemic risks posed by systemically important—or ‘too-big-to-fail’ (TBTF)—firms a centerpiece of the financial regulatory reform agenda,” and Lisa Schultz Bressman & Robert B. Thompson, The Future of Agency Independence, 63 Vand. L. Rev. 599, 626 (2010), noting that “the Fed—like almost every other bank regulator and political official—failed to foresee the systemic risk that developed in the financial crisis.”
  2. . See infra section I(B)(2) for a discussion. Rory Van Loo has also worried about the narrow nature of technology debates in a somewhat different way. Rory Van Loo, Digital Market Perfection, 117 Mich. L. Rev. 815, 845 (2019) (suggesting that an underappreciated “broader set of costs and risks, many of which require a more macro-level perspective, could result from how AIs transform the structure of markets and businesses”).
  3. .Alan S. Blinder, After the Music Stopped: The Financial Crisis, the Response, and the Work Ahead 57 (2014) (“The rationale for financial regulation is often summarized under the trade jargon banner of ensuring the safe and sound operation of banks and other financial institutions.”). See Enrique Armijo, Reasonableness as Censorship: Section 230 Reform, Content Moderation, and the First Amendment, 73 Fla. L. Rev. 1199, 1210–11 (2021) (discussing placing financial regulation in the context of other administrative regimes, especially technology regulation, and noting that the government utilizes reasonableness-based standards in financial regulation, as it does in other contexts such as traffic safety and antitrust).
  4. . Daniel Schwarcz & David Zaring, Regulation by Threat: Dodd-Frank and the Nonbank Problem, 84 U. Chi. L. Rev. 1813, 1815 (2017) (noting that the government responded to the crisis by “creating the Financial Stability Oversight Council (FSOC, or the ‘council’)—a panel of the nation’s most prominent financial regulators with the power to designate particular financial firms as systemically significant”).
  5. . Van Loo suggested that this paradigm could be applied to robo-advisors and other consumer-facing fintechs, though we think an even broader application of the paradigm makes sense. See Van Loo, supra note 2, at 881 (stating that as certain consumer finance fintech “firms become more like financial institutions in terms of their economic-stability implications, financial regulation may offer a blueprint for reform”).
  6. . See infra notes 210–223 and accompanying text.
  7. . FSOC also has the power to regulate activities by any firm that threaten systemic stability, though it has not yet identified activities for designation. Marc Labonte, Cong. Rsch. Serv., R45052, Financial Stability Oversight Council (FSOC): Structure and Activities 2–5 (2018). We are open to activities-based regulation by a systemic technology regulator, though identifying relevant unsafe-for-anyone activities would be challenging.
  8. . Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010) (codified at 12 U.S.C. § 5301).
  9. . The 100 Largest Companies in the World by Market Capitalization in 2021, Statista, []. One of the other two is Tesla, itself more of a technology firm than a car manufacturer. Id. The other is the oil company Saudi Aramco. Id.Meta took a substantial tumble after it missed earnings targets early in 2022 but still had a market capitalization over $400 billion as of June 2022. Caitlin Ostroff & Caitlin McCabe, Facebook Parent Meta’s Stock Plunges, Loses More Than $200 Billion in Value, Wall St. J. (Feb. 3, 2022, 5:25 PM), []; Meta Platforms, Inc. (META) Valuation Measures & Financial Statistics, Yahoo! Fin.,‌quote/‌META/key-statistics/ [] (showing that Meta’s market cap in June 2022 was roughly $435 billion). Alibaba and Tencent also took major hits around the same time due to regulatory enforcement by the Chinese government and macroeconomic concerns. Zen Soo, Alibaba and Tencent Stocks Plunge After Latest Fines, AP News (July 11, 2022), https://‌ [].
  10. . Andrew Bary, Big 5 Tech Stocks Now Account for 23% of the S&P 500, Barron’s (July 26, 2021, 11:22 AM), [https://‌].
  11. . Fortune 500, Fortune (2021), [].
  12. . Press Release, Facebook, Facebook Reports First Quarter 2021 Results (Apr. 28, 2021), [].
  13. . April Glaser, Amazon Now Employs Almost 1 Million People in The U.S.—Or 1 in Every 169 Workers, NBC News (July 30, 2021, 4:23 PM), [].
  14. . Daisuke Wakabayashi, Alphabet’s Profit More Than Doubled Last Quarter as Google’s Advertising Business Rebounded, N.Y. Times (Apr. 27, 2021),‌04/‌27/technology/alphabet-google-earnings.html [].
  15. . See, e.g., Karen Weise, Microsoft Reports Strongest Quarterly Growth in Years, as Profit Also Rises, N.Y. Times (Apr. 27, 2021),‌27/‌technology/‌microsoft-earnings-azure-xbox.html [] (reporting that Microsoft was going to cross the $2 trillion mark in market value as quarterly profits increased to $15.5 billion).
  16. . Search Engine Market Share Worldwide: Jan 2009–Aug. 2022, Statcounter, https://gs.‌ [https://‌perma.‌cc/‌KX3R-WNM3].
  17. . See Social Media Fact Sheet, Pew Rsch. Ctr. (Apr. 7, 2021), http://www.‌pewinternet.‌org/‌fact-sheet/social-media/ [] (finding Facebook to be the most commonly used social media platform among adults, with 69% reporting some use of it); Chris Fox, Google Shuts Failed Social Network Google+, BBC News (Apr. 2, 2019),‌com/‌news/technology-47771927 [] (discussing the close of Google+ after a data breach).
  18. . See, e.g., Marc Jarsulic, Using Antitrust Law to Address the Market Power of Platform Monopolies 2, 11 (2020) (asserting that the behavior of GAFAM companies looks anticompetitive under formal antitrust standards but recognizing that it is not guaranteed that a formal investigation would lead to an enforcement action after confidential company information is reviewed).
  19. . While ranked high in the world’s most-used social platforms ranking, neither Snapchat nor TikTok’s global active user figures are of the same order of magnitude compared to companies owned by Meta and Google, which occupy the top four seats. Dave Chaffey, Global Social Media Statistics Research Summary 2022, Smart Insights (Aug. 22, 2022), https://www.smartinsights.‌com/social-media-marketing/social-media-strategy/new-global-social-media-research/ [https://‌].
  20. . See Chris Alcantara, Kevin Schaul, Gerrit De Vynck & Reed Albergotti, How Big Tech Got So Big: Hundreds of Acquisitions, Wash. Post (Apr. 21, 2021),‌technology/interactive/2021/amazon-apple-facebook-google-acquisitions/ [‌R9WU-VA72] (stating that Big Tech companies make “acquisitions in new sectors to add revenue streams and outflank competitors”).
  21. . For a discussion of the comparisons that can be made between Silicon Valley and the great historical monopolies, see History’s Biggest Firms, Economist (July 5, 2018), https://www.‌ [], observing that “Amazon’s profits are projected to be twice as big relative to world GDP as the East India Company’s in 1813.”
  22. . See Martin Kenney & John Zysman, The Rise of the Platform Economy, Issues Sci. & Tech., Spring 2016, at 61, 61 (arguing that an emerging digital platform economy “opens the way for radical changes in how we work, socialize, create value in the economy, and compete for the resulting profits”).
  23. . Howard A. Shelanski, Information, Innovation, and Competition Policy for the Internet, 161 U. Pa. L. Rev. 1663, 1677 (2013). As Howard Shelanski has put it, “Another central feature of a platform is that it interacts with more than one set of customers. [As] [m]ultisided markets, . . . [p]latforms . . . act as intermediaries between different sets of consumers that might need to reach each other but cannot do so as efficiently without the platform.” Id.
  24. . See Shoshana Zuboff, You Are the Object of a Secret Extraction Operation, N.Y. Times (Nov. 12, 2021), [https://‌] (discussing the “colossal asymmetry” between tech companies and users in the amount of information available to each).
  25. . Kevin Lee & Shubho Sengupta, Introducing the AI Research SuperClusterMeta’s Cutting-Edge AI Supercomputer for AI Research, Meta AI (Jan. 24, 2022), https://ai.‌facebook.‌com/blog/ai-rsc [].
  26. . See, e.g., Sari Mazzurco, Democratizing Platform Privacy, 31 Fordham Intell. Prop. Media & Ent. L.J. 792, 802 (2021) (“[W]here platforms share consumers’ personal information with third parties, such as service providers, data brokers, and advertisers, consumers are left unaware of the parties who obtain their information and lack any direct relationship with them, thereby precluding any semblance of ‘control.’”); see also Fed. Trade Comm’n, Data Brokers: A Call for Transparency and Accountability 26–27 (2014),‌system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf [] (describing the main types of “online marketing products” provided by data brokers).
  27. . See Sig Ueland, 10 Geolocation Apps for Business, Prac. Ecommerce (May 13, 2011), [https://‌] (describing how Google Maps and other location services can be used by other firms).
  28. . See Jordan Novet, Uber Paid Google $58 Million Over Three Years for Map Services, CNBC (Apr. 11, 2019, 5:08 PM), [] (“Uber relies heavily on Google mapping technology.”); Andrew J. Hawkins, Lyft Says It Will Use Google Maps as Its Default Navigation Tool for Drivers, The Verge (Oct. 12, 2017, 4:49 PM), https://‌www.‌theverge.‌com/2017/10/12/16465414/lyft-google-maps-waze-navigation-app-drivers [‌GF6D-MJ89] (“This isn’t the first time that Lyft has leaned heavily on Google’s superior navigation services . . . . Uber has been using Google Maps since March . . . .”); Lyft (LYFT) Q2 2022 Earnings Call Transcript, Motley Fool (Aug. 4, 2022, 11:00 PM), https://www.‌ [https://‌] (stating in an earnings call that Lyft is “roll[ing] out Lyft Maps, our in-house mapping technology that is based on open-source software”); Ines Viskic, Enhancing the Quality of Uber’s Maps with Metrics Computation, Uber: Uber Blog (July 12, 2018), [] (describing Uber’s process of taking “map data from a variety of third-party map providers” and its “iterative process of analyzing map data, identifying map defects, and fixing them”).
  29. . Press Release, Apple, Apple Announces App Store Small Business Program (Nov. 18, 2020), [].
  30. . Joe Rossignol, Apple’s Services Achieve All-Time Quarterly Revenue Record, MacRumors (Oct. 28, 2021, 2:02 PM), []. This number alone would put it in the Fortune 50 of largest companies by revenue. See Fortune 500, supra note 11 (ranking American companies by revenue).
  31. . See Ben Popken, Google Sells the Future, Powered By Your Personal Data, NBC News (May 10, 2018, 3:30 AM), [] (“Google has seven products that each have at least 1 billion active monthly users . . . .”).
  32. . Facebook changed its corporate name in 2021 to Meta, reflecting its ambitions for the sphere of virtual and augmented reality known as the metaverse. Introducing Meta: A Social Technology Company, Meta (Oct. 28, 2021), []. We continue to use Facebook here, as it is the familiar name of the company’s primary service offering, just as we refer to Google rather than the Alphabet holding company.
  33. . Carl Öhman & Nikita Aggarwal, What if Facebook Goes Down? Ethical and Legal Considerations for the Demise of Big Tech, Internet Pol’y Rev., Aug. 2020, at 1, 1.
  34. . Our Approach to Search, Google,‌mission/ [].
  35. . See Americans Check Their Phones 96 Times a Day, Asurion (Nov. 21, 2019), [https://‌] (finding that Americans check their phones ninety-six times per day).
  36. . As Margaret Dillaway has put it, “By 2019, [Amazon’s] share of the U.S. e-commerce market was more than double the market share of its next nine competitors combined. As a giant online marketplace, Amazon has fulfilled its goal of transforming into the paradigmatic internet shopping bazaar . . . .” Margaret E. Dillaway, The New “Web-Stream” of Commerce: Amazon and the Necessity of Strict Products Liability for Online Marketplaces, 74 Vand. L. Rev. 187, 197 (2021).
  37. . Most Popular Social Networks Worldwide as of January 2022, Ranked by Number of Monthly Active Users, Statista (Jan. 2022), []; Twitter Inc, CNBC (Sept. 30, 2022), []; Meta Platforms Inc, CNBC (Sept. 30, 2022), [‌ZUJ3-K6G8]; see Michelle Goldberg, The Scary Power of the Companies That Finally Shut Trump Up, N.Y. Times (Jan. 11, 2021), [] (arguing that by banning Trump, Twitter has demonstrated a power that exceeds that of many nation-states). Billionaire Elon Musk’s efforts to join Twitter’s board, and then to acquire the company, attracted tremendous interest due to the company’s powerful position. See Brian Fung, Why Elon Musk Buying Twitter Is Such a Big Deal, CNN (Apr. 26, 2022, 2:01 PM), [] (suggesting that the stakes of Musk’s possible takeover felt so big because of Twitter’s “agenda-setting power”).
  38. . See Kashmir Hill, I Tried to Live Without the Tech Giants. It Was Impossible, N.Y. Times (July 31, 2020), [] (finding that living without using Apple, Facebook, Google, or Amazon was not possible).
  39. . Id.
  40. .Daniel Solove, The Digital Person 1 (2004); see also Edward C. Baig, How Facebook Can Have Your Data Even if You’re Not on Facebook, USA Today (Apr. 16, 2018, 8:31 AM), [] (discussing Facebook’s ability to gather limited information on internet users who are not Facebook users).
  41. . See Dave Smith, Most People Use Facebook or Google to Log into Other Sites and Services, Insider (Jan. 20, 2015), [] (showing that Facebook and Google are the most popular social logins used by people to access other sites and services).
  42. . Zoom Video Commc’ns, Inc., Annual Report (Form 10-K) (Mar. 18, 2021).
  43. . Leslie Picker & Ari Levy, Videoconferencing Company Zoom Prices IPO at $36 Per Share, Indicates 63% Spike on First Trade, CNBC, https://www.‌cnbc.‌com/‌2019/04/17/zoom-prices-ipo-at-36-per-share-source.html [] (Apr. 18, 2019, 11:13 AM).
  44. . See Natalie Sherman, Zoom Sees Sales Boom Amid Pandemic, BBC News (June 2, 2020), [] (“Use of the firm’s software jumped 30-fold in April, as the coronavirus pandemic forced millions to work, learn and socialise remotely.”).
  45. . Zoom vs Google Meet vs Microsoft Teams, Digit. Info. World (Apr. 14, 2021, 11:00 PM), [] (“Zoom owns 49% of the global market share, and has seen the most substantial year-on-year growth of all the platforms.”).
  46. . For an analysis of how these developments might require legal changes, see Nicholas Hallock, Distributing the Corporation’s Brain: Principal Place of Business Without Physical Presence, U. Chi. L. Rev. Online, Feb. 2021, at *1, *1, noting, “During the COVID-19 pandemic, many businesses transitioned to remote work for some or all of their employees, relying on videoconference platforms like Zoom . . . .”
  47. . See Larry Dignan, Top Cloud Providers, ZDNet (Dec. 22, 2021), https://www.zdnet.‌com/‌article/the-top-cloud-providers-of-2021-aws-microsoft-azure-google-cloud-hybrid-saas/ [https://‌] (describing services of the top cloud providers).
  48. . See Jordan Novet, Apple Will Boost Its Spending on Data Centers by $10 Billion over the Next 5 Years, CNBC (Jan. 17, 2018, 7:45 PM), [] (describing Apple’s plans in expanding its data centers); Apple Inc., Apple Platform Security 5, 128–29 (2022), [‌P9R6-QWW3] (describing iCloud storage).
  49. . See Kevin Werbach, The Network Utility, 60 Duke L.J. 1761, 1815, 1821 (2011) (explaining that cloud computing is highly centralized and efficient, and leverages economies of scale).
  50. . Facebook used to describe itself as a “social utility” but stopped, perhaps recognizing that utilities are traditionally subject to heavy economic regulation. Danah Boyd, Facebook Is a Utility; Utilities Get Regulated, Apophenia (May 15, 2010),‌archives/‌2010/05/15/facebook-is-a-utility-utilities-get-regulated.html [].
  51. . For a stylized review of this evolution, see Daniel A. Hanley, A Topology of Multisided Digital Platforms, 19 Conn. Pub. Int. L.J. 271, 282 (2020), stating, “When a market tips to a dominant provider, subsequent entrants can be inhibited or outright prevented from gaining a necessary, significant, and meaningful market presence and user base, obstructing them from becoming a viable long-term competitor.”
  52. . For a discussion, see Jonathan L. Zittrain, The Generative Internet, 119 Harv. L. Rev. 1974, 2020 (2006), describing “a development variously known as application streaming, web services, and Web 2.0.” See also Tim O’Reilly, What Is Web 2.0, O’Reilly (Sept. 30, 2005), [] (elaborating on the Web 2.0 concept).
  53. . See Sage Isabella Cammers-Goodwin, “Tech:” The Curse and the Cure: Why and How Silicon Valley Should Support Economic Security, 9 U.C. Irvine L. Rev. 1063, 1090, 1113 (2019) (describing the wealth and notoriety of “visionary” founders and entrepreneurs like Steve Jobs, Elon Musk, Bill Gates, and Jeff Bezos, as well as the garage in which Larry Page and Sergey Brin started Google).
  54. . See Alice M. Rivlin & Robert E. Litan, The Economy and the Internet: What Lies Ahead?, Brookings (Dec. 1, 2001), [] (predicting the potential economic benefits of the internet revolution, including lower prices for consumers).
  55. . See Read the Framework, A Framework for Global Electronic Commerce, The White House (July 1, 1997), [] (asserting as foundational principles that “[t]he private sector should lead,” and “[g]overnments should avoid undue restrictions on electronic commerce”).
  56. . Internet Tax Freedom Act, S. 442, 105th Cong. (1998).
  57. . Communications Decency Act of 1996, Pub. L. No. 104-104, § 509, 110 Stat. 133, 137–39 (1996) (codified at 47 U.S.C. § 230).
  58. . Hong Shen, China’s Tech Giants: Baidu, Alibaba, Tencent, Panorama: Insights into Asian & Eur. Affs., Feb. 2019, at 35, 42 (describing Baidu, Alibaba, and Tencent as the “most powerful companies providing web applications in China” and comparing them to American tech giants while also noting Didi as a powerful “newly emerged” Chinese tech company).
  59. . See Siva Vaidhyanathan, The Googlization of Everything: (and Why We Should Worry) 2 (2011) (explaining that the author coined the phrase “Googlization of ‘everything’” to describe the phenomenon that Google affects “us,” the world, and knowledge).
  60. . See, e.g., Tim Wu, The Curse of Bigness: Antitrust in the New Gilded Age 138–39 (2018) (framing the Neo-Brandeisian antitrust agenda as aiming to place checks on monopolies and limit the private concentration of economic power in order to “give humans a fighting chance against corporations”); Lina M. Khan, Amazon’s Antitrust Paradox, 126 Yale L.J. 710, 783 n.376, 785 (2017) (noting that European antitrust authorities investigated the Facebook/WhatsApp merger and that the European Union has charged Google with violating antitrust laws).
  61. .Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power 301 (2019).
  62. . The mission statement may be found at About Google, Google, [].
  63. . See, e.g., Khan, supra note 60, at 716 (studying the “anticompetitive aspects” of Amazon’s conduct and structure).
  64. . See, e.g., Zuboff, supra note 61, at 9 (discussing the growth of Big Tech companies and surveillance capitalism); Franklin Foer, World Without Mind: The Existential Threat of Big Tech 3, 5 (2017) (arguing that large tech companies are destroying individuality and diversity of thought); Rana Foroohar, Don’t Be Evil 23 (2021) (describing large tech companies’ harms to startups, workers, and the economy); Josh Hawley, The Tyranny of Big Tech 5–8 (2021) (accusing Big Tech of manipulation).
  65. .E.g., The Social Dilemma (Exposure Labs, Agent Pictures & The Space Program 2020).
  66. . See Jack Nicas, Daisuke Wakabayashi, Karen Weise & Mike Isaac, A Handbook to Today’s Tech Hearing, N.Y. Times, [] (Jan. 26, 2021) (“Jeff Bezos of Amazon, Tim Cook of Apple, Mark Zuckerberg of Facebook and Sundar Pichai of Google are set to testify before Congress on Wednesday to make their case about why their companies actually are not that powerful.”); Elizabeth Schulze, If You Want to Know What a US Tech Crackdown May Look Like, Check Out What Europe Did, CNBC (June 7, 2019, 2:01 AM),‌2019/‌06/‌07/‌how-google-facebook-amazon-and-apple-faced-eu-tech-antitrust-rules.html [https://‌‌K6P3-FHL3] (“The European Commission, the executive arm of the European Union, has imposed a combined $9.5 billion in antitrust fines against Google since 2017, and its boss hints Amazon and Apple might be next in line.”).
  67. . See Alicia Diaz and Maria Curi, Congress’s Big Tech Crackdown Quickens with Rare Show of Unity, Bloomberg (June 8, 2022, 1:30 PM), [https://‌‌AT66-43CQ] (“A bipartisan group of lawmakers defended a bill to rein in big technology companies . . . .”).
  68. . See, e.g., Press Release, Congresswoman Anna G. Eshoo, Eshoo Calls on Social Media Companies to Quickly Remove Wildfire Disinformation (Sept. 15, 2020),‌media/press-releases/eshoo-calls-social-media-companies-quickly-remove-wildfire-disinformation [] (discussing Representative Anna G. Eshoo’s call to Twitter, YouTube, and Facebook to address the proliferation of disinformation about the West Coast wildfires on their platforms).
  69. . See Dylan Byers, Facebook Estimates 126 Million People Were Served Content from Russia-Linked Pages, CNN (Oct. 31, 2017, 9:25 AM),‌2017/10/30/‌media/‌russia-facebook-126-million-users/index.html [] (reporting that 126 million Facebook users may have been exposed to content from the Russian government-linked Internet Research Agency).
  70. . See Tal Axelrod, Trump Mulls Forming Panel to Investigate Anticonservative Bias on Social Media: Report, The Hill (May 23, 2020, 10:19 AM),‌499288-trump-mulls-forming-panel-to-investigate-anticonservative-bias-on-social [https://perma.‌cc/G248-LWLC] (“President Trump is considering creating a panel to oversee complaints of bias against conservatives by social media platforms in a move that would likely spark pushback from tech companies.”).
  71. . See id. (emphasizing allegations that social media companies suppress conservative voices and mentioning concern about left-wing bias in the tech world).
  72. . See 47 U.S.C. § 230(c) (providing immunity from civil liability for providers that remove or restrict content deemed “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable” from their website).
  73. . See Harry P. McDonald, Speech and Distrust: Rethinking the Content Approach to Protecting the Freedom of Expression, 81 Notre Dame L. Rev. 1347, 1355–62 (2006) (reviewing the history of content regulation).
  74. . See Cecilia Kang, Lawmakers, Taking Aim at Big Tech, Push Sweeping Overhaul of Antitrust, N.Y. Times, [] (June 29, 2021) (acknowledging aggressive bills introduced to address antitrust issues among tech giants).
  75. . See Wu, supra note 60, at 31 (quoting Senator Sherman’s assertion that entrusting the concerted powers of wealth, opportunity, and inequality of condition to a single man is inconsistent with the United States’ form of government).
  76. . See Lina M. Khan, The Separation of Platforms and Commerce, 119 Colum. L. Rev. 973, 983 (2019) (“[A] neo-Brandeisian movement is refocusing attention on the structural underpinnings of the competitive process, critiquing the current welfare-based approach for both betraying the founding values of antitrust and failing on its own terms.”).
  77. . See Agnieszka McPeak, Platform Immunity Redefined, 62 Wm. & Mary L. Rev. 1557, 1579 (2021) (“Several reform proposals loom, largely arising out of a perceived political bias against conservatives by large platforms.”); see also Timothy B. Lee, Republicans and Democrats Increasingly Agree: Big Tech Is Too Powerful, Ars Technica (Apr. 24, 2021, 1:00 PM), [] (describing the common perspective on tech platform power among progressives and conservatives).
  78. . See Mike Isaac & Kellen Browning, Fact-Checked on Facebook and Twitter, Conservatives Switch Their Apps, N.Y. Times,‌technology/‌parler-rumble-newsmax.html [] (Nov. 18, 2020) (explaining the conservative migration from Facebook and Twitter to other social media platforms that do not “singl[e] out conservative voices”).
  79. . Tom Romanoff, The American Innovation and Choice Online Act: What It Does and What It Means, Bipartisan Pol’y Ctr. (Jan. 20, 2022), [].
  80. . See generally Khan, supra note 76 (advocating a return to structural separation as a remedy for antitrust concerns).
  81. . See Press Release, U.S. Dep’t. Just., Visa and Plaid Abandon Merger After Antitrust Division’s Suit to Block (Jan. 12, 2021), [] (discussing how Visa and Plaid abandoned the merger in response to the Department of Justice’s civil antitrust lawsuit).
  82. . Steven L. Schwarcz, Derivatives and Collateral: Balancing Remedies and Systemic Risk, 2015 U. Ill. L. Rev. 699, 708 (2015) (stating “[i]ncreased market concentration, [] increases systemic risk”); Kristin N. Johnson, Things Fall Apart: Regulating the Credit Default Swap Commons, 82 U. Colo. L. Rev. 167, 214 (2011) (reflecting on “the systemic risk related to market concentration” in banking).
  83. . See Zuboff, supra note 61, at 300 (quoting a former Facebook manager’s statement that “[t]he fundamental purpose of most people at Facebook working on data is to influence and alter people’s moods and behavior” in order to encourage users to “click on more ads”).
  84. . See Ben Wolford, What Is GDPR, The EU’s New Data Protection Law?, GDPR.EU, [] (describing how the GDPR’s “far-reaching” requirements apply to all organizations that “target or collect data related to people in the EU”).
  85. . E.g., California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–.199.95 (West 2018); cf. Prospects of a Federal Data Privacy Law – with Cameron Kerry, Am. Consumer Inst. for Citizen Rsch., at 1:00–2:00 (June 29, 2021),‌2021/06/prospects-of-a-federal-data-privacy-law-with-cameron-kerry/ [] (lamenting lack of legislative momentum for federal privacy legislation). Other states—including Hawaii, Massachusetts, New Jersey, Pennsylvania, and Rhode Island—have proposed bills similar to the California Consumer Privacy Act. George P. Slefo, Bracing for Sweeping New Data Privacy Law, Ad Age (Oct. 14, 2019), [].
  86. . Rebecca Kern, Bipartisan Draft Bill Breaks Stalemate on Federal Data Privacy Negotiations, Politico (June 3, 2022, 5:46 PM),‌03/‌bipartisan-draft-bill-breaks-stalemate-on-federal-privacy-bill-negotiations-00037092 [https://‌].
  87. . See infra section I(D)(1).
  88. . See generally Urs Gasser, Regulating Search Engines: Taking Stock and Looking Ahead, 8 Yale J.L. & Tech. 201 (2006) (discussing the history and antecedents of search-engine rules, one example of regulation of internet technologies).
  89. . See Werbach, supra note 49, at 1788 (connecting internet regulation to the history of public-utility regulation). Recently, some have suggested that contemporary tech platforms should also be classified as common carriers. See, e.g., Biden v. Knight First Amend. Inst. at Columbia Univ., 141 S. Ct. 1220, 1226 (2021) (Thomas, J., concurring) (suggesting that Section 230 is outdated and that tech platforms might instead be regulable as common carriers); Ryan T. Anderson & Adam J. MacLeod, Clarence Thomas Is Right About Big Tech, Nat’l Rev. (Apr. 19, 2021, 6:30 AM), [https://perma.‌cc/TKT5-B6JF] (commending Justice Thomas’s analysis in Knight First Amendment Institute).
  90. . See 1 Bruce Wyman, The Special Law Governing Public Service Corporations and All Others Engaged in Public Employment 30–33, 136 (1911) (stating that the general principles of public-service law, which apply to the pervasive public service of common carriers, are that “all must be served, adequate facilities must be provided, reasonable rates must be charged, and no discriminations must be made”).
  91. . See Charles K. Burdick, The Origin of the Peculiar Duties of Public Service Companies, 11 Colum. L. Rev. 514, 514 (1911) (noting that Wyman’s theory is that certain industries naturally tend toward monopoly and therefore these industries require public regulation).
  92. . See Joseph D. Kearney & Thomas W. Merrill, The Great Transformation of Regulated Industries Law, 98 Colum. L. Rev. 1323, 1325–26 (1998) (describing the “new paradigm” of regulation in certain industries whereby the regulation seeks to promote “competition among . . . providers [to] enhance consumer welfare”).
  93. . See Tim Wu, Network Neutrality, Broadband Discrimination, 2 J. on Telecomm. & High Tech. L. 141, 141–42 (2003) (arguing for network-neutrality rules to address discrimination by broadband network operators).
  94. . See Kevin Werbach, Only Connect, 22 Berkeley Tech. L.J. 1233, 1235–36, 1238 (2007) (summarizing the network-neutrality debate).
  95. . See Kevin Werbach, The Federal Computer Commission, 84 N.C. L. Rev. 1, 3–4 (2005) (describing the role of the FCC in overseeing technology developments such as the internet); Adam Candeub, Bargaining for Free Speech: Common Carriage, Network Neutrality, and Section 230, 22 Yale J.L. & Tech. 391, 396–97 (2020) (arguing that both common carriage and Section 230 represent a similar form of “regulatory deal”).
  96. . See generally Oren Bracha & Frank Pasquale, Federal Search Commission? Access, Fairness, and Accountability in the Law of Search, 93 Cornell L. Rev. 1149 (2008) (arguing that search engines warrant some regulation); David McCabe, One Idea for Regulating Google and Facebook’s Control over Content, Axios (Aug. 18, 2017), [] (discussing a proposal for “layer-neutral” network neutrality).
  97. . See generally Tom Wheeler, Phil Verveer & Gene Kimmelman, New Digital Realities; New Oversight Solutions in the U.S.: The Case for a Digital Platform Agency and a New Approach to Regulatory Oversight (2020) (arguing that a digital platform agency should be created); Harold Feld, The Case for the Digital Platform Act (2019) (same); Karen Kornbluh & Ellen P. Goodman, Bringing Truth to the Internet, Democracy, Summer 2019, [https://‌] (arguing for the creation of a Digital Democracy Agency); see Neil Chilson, Does Big Tech Need Its Own Regulator?, in Glob. Antitrust Inst., The Global Antitrust Institute Report on the Digital Economy 727, 727–28 (2020),‌wp-content/uploads/2020/11/The-Global-Antitrust-Institute-Report-on-the-Digital-Economy_‌Final.pdf [] (arguing against the creation of any agency to regulate Big Tech); Rory Van Loo, Rise of the Digital Regulator, 66 Duke L.J. 1267, 1328 (2017) (proposing “a technology meta-agency that provides oversight, rulemaking, and technical updates for” addressing harms to competition and consumers).
  98. . For example, the Consumer Financial Protection Bureau (CFPB) was established to address new consumer-protection challenges in contemporary financial markets. See Leonard J. Kennedy, Patricia A. McCoy & Ethan Bernstein, The Consumer Financial Protection Bureau: Financial Regulation for the Twenty-First Century, 97 Cornell L. Rev. 1141, 1145–46 (2012) (detailing that the CFPB was created to address issues highlighted in the 2008 financial crisis and to prevent future financial crises).
  99. . See Pawel Smaga, The Concept of Systemic Risk 2 (2014), http://eprints.lse.‌ac.‌uk/‌61214/1/sp-5.pdf [] (“There is no consensus regarding the concept of financial stability and systemic risk.”); George G. Kaufman & Kenneth E. Scott, What Is Systemic Risk, and Do Bank Regulators Retard or Contribute to It?, 7 Indep. Rev. 371, 372 (2003) (“The precise meaning of systemic risk is ambiguous; it means different things to different people.”).
  100. . See Steven L. Schwarcz, Systemic Risk, 97 Geo. L.J. 193, 204 (2008) (proposing a definition of systemic risk as “an economic shock . . . resulting in increases in the cost of capital or decreases in its availability”).
  101. . See generally Charles W. Calomiris & Joseph R. Mason, Contagion and Bank Failures During the Great Depression: The June 1932 Chicago Banking Panic, 87 Am. Econ. Rev. 863, 863 (1997) (examining the contagion effect in the context of the 1932 Chicago bank run); Elmus Wicker, The Banking Panics of the Great Depression (1996) (chronicling the banking panics of the Great Depression). As Van Loo put it, “Bank runs in the Great Depression illustrate the danger of contagion, a consistent theme in major financial crises.” Van Loo, supra note 2, at 859.
  102. . See Steven M. Davidoff & David Zaring, Regulation by Deal: The Government’s Response to the Financial Crisis, 61 Admin. L. Rev. 463, 491–94, 504–05 (2009) (describing how the failure of these large institutions led to system-wide panic); id. at 494 (“In the wake of the Lehman bankruptcy and Merrill’s agreement to be acquired by Bank of America, the investment-banking model was shaky at best.”).
  103. . Smaga, supra note 99, at 13.
  104. . John C. Coffee, Jr., The Political Economy of Dodd-Frank: Why Financial Reform Tends to Be Frustrated and Systemic Risk Perpetuated, 97 Cornell L. Rev. 1019, 1050–51 (2012) (discussing the “TBTF problem”).
  105. . See Jonathan William Welburn, Aaron Strong, Florentine Eloundou Nekoul, Justin Grana, Krystyna Marcinek, Osonde A. Osoba, Nirabh Koirala & Claude Messan Setodji, Rand Corp., Systemic Risk in the Broad Economy: Interfirm Networks and Shocks in the U.S. Economy iii (2020),‌research_reports/RR4100/RR4185/RAND_RR4185.pdf [] (“[D]iscussions of systemic risk outside the financial sector have been limited.”).
  106. . Id. at 1–2.
  107. . Below, we describe the factors used to evaluate systemic importance in the current financial regulatory structure and then apply them to technology providers. See infra Part III. Here, we are referencing the general assessment of risk salience for particular firms.
  108. . See Jack Nicas, Apple Becomes First Company to Hit $3 Trillion Market Value, N.Y. Times (Jan. 3, 2022), [] (“Apple’s immense sales and wide profit margins have provided it with a stockpile of cash . . . Apple reported $190 billion in cash and investments.”).
  109. . The analysis ultimately examined over 20,000 connections across nearly 6,000 firms. Welburn et al., supra note 105, at 11, 13.
  110. . Id. at 31–32.
  111. . Id. at 32.
  112. . Id. at 33.
  113. . Id.
  114. . Id.
  115. . See id. at iii (“[W]e address this gap and examine systemic risk in the broad economy.”).
  116. . See id. at 9–10 (noting that the “true network of all supplier-customer linkages . . . is unknown”).
  117. . See supra note 23 and accompanying text.
  118. . Cf. Mark A. Lemley & Lawrence Lessig, The End of End-to-End: Preserving the Architecture of the Internet in the Broadband Era, 48 UCLA L. Rev. 925, 933 (2001) (arguing that “the history of the Internet compellingly demonstrates the wisdom of letting a myriad of possible improvers work free of the constraints of a central authority, public or private”).
  119. . See GoDaddy, [] (“GoDaddy is the world’s largest domain registrar, and 21+ million customers trust us with 84+ million domains.”).
  120. . See Erik Nygren, Ramesh K. Sitaraman & Jennifer Sun, The Akamai Network: A Platform for High-Performance Internet Applications, Operating Sys. Rev., July 2010, at 2, 2 (explaining that the Akamai platform delivers “15–20% of all Web traffic worldwide and provides a broad range of commercial services beyond content delivery”); So What Is Cloudflare?, Cloudflare, [] (introducing the security services of Cloudflare—“one of the world’s largest networks”).
  121. . See generally Torin Monahan & Caroline G. Lamb, Transit’s Downward Spiral: Assessing the Social-Justice Implications of Ride-Hailing Platforms and Covid-19 for Public Transportation in the US, Cities, Jan. 2022, at 1 (explaining the relationship between the rise of ride-hailing platforms and a downward spiral in demand for public transit); see also Yash Babar & Gordon Burtch, Examining the Heterogenous Impact of Ride-Hailing Services on Public Transit Use, 31 Info. Sys. Rsch. 820, 820–21 (2020) (estimating that Uber and other ride-hailing platforms lead to a decrease in use of public bus transit); Michael Graehler, Jr., Richard Alexander Mucci & Gregory D. Earhardt, Understanding the Recent Transit Ridership in Major US Cities: Service Cuts or Emerging Modes (Nov. 14, 2018),‌2019/03/‌05/document_daily_01.pdf [] (unpublished manuscript) (detailing research showing that ride-hailing platforms lead to year-over-year decreases in ridership on both public buses and railways).
  122. . Theresa Poletti, Opinion: Uber and Lyft Are Staging a Ridiculous Race for Fake Profits, MarketWatch (Aug. 6, 2021, 8:14 AM), []; Yves Smith, Hubert Horan: Can Uber Ever Deliver? Part Twenty-Eight: Uber Still Unprofitable, But Reduces Losses by Squeezing Drivers and Restaurants, Naked Capitalism (Nov. 8, 2021), [https://‌].
  123. . A plunge in Facebook’s stock price in February 2022 brought it near the threshold in proposed digital platform legislation that would exempt it from greater regulation. See Issie Lapowsky, Meta’s Free Fall Reveals a Big Issue with Congress’ Antitrust Bill, Protocol (Feb. 3, 2022), [] (describing that Meta’s swift market decline brought it close to falling under the $550 billion market cap needed to come under the legislation’s antitrust enforcement).
  124. . Alex Hern, Facebook Says It May Quit Europe over Ban on Sharing Data with US, The Guardian (Sept. 22, 2020), []; James Clayton, Google Threatens to Withdraw Search Engine from Australia, BBC News (Jan. 22, 2021), []; Sam Shead, Meta Says It May Shut Down Facebook and Instagram in Europe over Data-Sharing Dispute, CNBC (Feb. 7, 2022, 9:34 AM), [].
  125. . Li Yuan, A Generation Grows Up in China Without Google, Facebook, or Twitter, N.Y. Times (Aug. 6, 2018), [].
  126. . Micah Singleton, China Is Becoming Apple’s Most Important Market, The Verge (Oct. 27, 2015), [].
  127. .See generally Nassim Nicolas Taleb, The Black Swan (2007) (discussing the low probability and extreme impact of “black swan” events).
  128. . See, e.g., Caleb N. Griffin, Systemically Important Platforms, 107 Cornell L. Rev. 445, 447, 449 (2022) (asserting that Big Tech must be regulated in a new way to address addictive design practices). This article addresses an entirely different issue from the one we consider here: how user-experience design practices of Big Tech platforms are manipulative. While this is an important question, it does not relate to systemic risk as the term is understood in the financial literature.
  129. . Twitter Investigation Report, N.Y. State Dep’t of Fin. Servs. (Oct. 14, 2020), [].
  130. . Eric Newcomer, New York Calls for Social Media Oversight After Twitter Hack, Yahoo! Fin. (Oct. 14, 2020), []
  131. . Id.
  132. . See supra note 97 and accompanying text.
  133. . See Oversight of the Financial Stability Oversight Council: Hearing Before the Subcomm. On Oversight & Investigations of the H. Comm. On Fin. Servs., 112th Cong. (2011) (statement by J. Nellie Liang, Director, Office of Financial Stability Policy and Research), https://www.‌ [] (noting that the FSOC has conducted studies “on the macroeconomic effects of risk retention, and on the economic effects of systemic risk regulation”).
  134. . See Kadija Yilla & Nellie Lang, What Are Macroprudential Tools?, Brookings (Feb. 11, 2020), [] (describing macroprudential policies as aimed at ensuring stable economic growth by preventing certain disruptions).
  135. . R. Jesse McWaters & Rob Galaski, Beyond Fintech: A Pragmatic Assessment of Disruptive Potential in Financial Services, World Econ. F. (Aug. 22, 2017), https://www3.‌‌Financial_Services.pdf [].
  136. . Marc Hochstein, Why Davos Tags Tech Giants as ‘Systemically Important’, Am. Banker (Aug. 22, 2017, 3:21 PM) (quoting McWaters & Galaski, supra note 135, at 14), https://www.‌ [].
  137. . Id.
  138. . Iain Withers & Huw Jones, For Bank Regulators, Tech Giants Are Now Too Big to Fail, Reuters (Aug. 20, 2021, 2:55 PM), [].
  139. . Id.
  140. . Nat’l Fed’n of Indep. Bus. v. Dep’t of Lab., Occupational Safety & Health Admin., 142 S. Ct. 661, 662–63, 665 (2022) (per curiam) (granting a preliminary stay on the basis that it was likely that “OSHA’s mandate exceeds its statutory authority and is otherwise unlawful”).
  141. . Ala. Ass’n of Realtors v. Dep’t of Health & Hum. Servs., 141 S. Ct. 2485, 2486, 2488 (2021) (per curiam) (“[T]he CDC has imposed a nationwide moratorium on evictions in reliance on a decades-old statute that authorizes it to implement measures like fumigation and pest extermination. It strains credulity to believe that this statute grants the CDC the sweeping authority that it asserts.”).
  142. . Capital One Data Breach: Arrest After Details of 106m People Stolen, BBC News (July 30, 2019), [].
  143. . David Fratto & Lee Reiners, A New Source of Systemic Risk: Cloud Service Providers, FinReg Blog (Aug. 8, 2019), [].
  144. . Capital One Data Breach, supra note 142.
  145. . Letter from Katie Porter and Nydia M. Velázquez to The Honorable Steven T. Mnuchin, Sec’y of the U.S. Dep’t. of the Treasury 1 (Aug. 22, 2019),‌sites/‌ [].
  146. . In some cases, if the utilities are associated with the capital markets, the Securities and Exchange Commission (SEC) will take the lead as regulator. See Designated Financial Market Utilities, Bd. Governors Fed. Rsrv. Sys.,‌designated_fmu_about.htm [] (showing both the Federal Reserve and the SEC have been the supervisory agency of Designated Financial Market Utilities).
  147. . Dan Ennis, Morgan Stanley, Capital One’s Old Errors Cause New Headaches, Banking Dive (Jan. 4, 2022), [].
  148. . See supra subpart I(B).
  149. . See Protecting Personal Information: A Guide for Business, Fed. Trade Comm’n. (Oct. 2016), [] (“Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees.”).
  150. . For an overview of the data breach laws, see Kristen E. Eichensehr, Public-Private Cybersecurity, 95 Texas L. Rev. 467, 532 (2017).
  151. . Catalin Cimpanu, Marriott Reveals Data Breach Affecting 500 Million Hotel Guests, ZDNet (Nov. 30, 2018), [].
  152. . Brian Barrett, Hack Brief: Marriott Got Hacked. Yes, Again, Wired (Mar. 30, 2020), [].
  153. . Craig S. Smith, How the Cloud Has Opened New Doors for Hackers, Wash. Post (Mar. 2, 2020), [https://‌].
  154. . ICO Fines Marriott International Inc. £18.4million for Failing to Keep Customers’ Personal Data Secure, Info. Comm’n’s Off. (October 30, 2020), https://‌ico.‌ [https://perma‌.cc/6JH2-X8SY].
  155. . Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach, Fed. Trade Comm’n (July 22, 2019), [https://perma.‌cc/K83D-MTU6].
  156. . Adam Shell, Here’s Why Equifax and Other Credit Agencies Will Survive the Data Breach, USA Today (Sept. 14, 2017, 6:00 AM),‌2017/09/‌14/‌heres-why-equifax-and-other-credit-agencies-survive-breach-black-eye-but-not-fatal-blow-firm-industr/661314001/ [] (noting that the credit bureaus provide useful services, and have “moat[s],” including a willingness by businesses to check all three bureaus before deciding on the creditworthiness of a borrower).
  157. . Alyssa Newcomb, Yahoo Says ‘State-Sponsored Actor’ Hacked 500M Accounts, NBC News (Sept. 22, 2016, 10:33 AM), [].
  158. . See Walter Frick, The Decline of Yahoo in Its Own Words, Harv. Bus. Rev. (June 2, 2016), [] (describing how Yahoo! had fallen behind in the digital platform competition in the 2010s).
  159. . See What Is Cloud Computing?: A Beginner’s Guide, Microsoft,‌com/en-us/overview/what-is-cloud-computing/#benefits [] (“Cloud computing is a big shift from the traditional way businesses think about IT resources.”); Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy Katz, Andy Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica & Matei Zaharia, A View of Cloud Computing, 53 Commc’ns ACM, Apr. 2010, at 50, 50 (“Cloud computing, the long-held dream of computing as a utility, has the potential to transform a large part of the IT industry, making software even more attractive as a service and shaping the way IT hardware is designed and purchased.”); Tharam Dillon, Chen Wu & Elizabeth Chang, Cloud Computing: Issues and Challenges, 24 IEEE Int’l Conf. on Advanced Info. Networking & Application 27, 27 (2010) (“Many believe that Cloud will reshape the entire ICT industry as a revolution.”).
  160. . See Sean Marston, Zhi Li, Subhajyoti Bandyopadhyay, Juheng Zhang & Anand Ghalsasi, Cloud Computing—The Business Perspective, 51 Decision Support Sys. 176, 178 (2011) (“In fact, the goal of cloud computing is to scale resources up or down dynamically through software APIs depending on client load with minimal service provider interaction.”).
  161. . See Why Is Cloud Computing Important?, Open Cirrus (Sept. 14, 2018), [] (“Cloud computing . . . enables us to run software programs without installing them on our computers . . . store and access our multimedia content . . . develop and test programs without necessarily having servers and so on.”).
  162. . Welburn et al., supra note 105, at xi.
  163. . Siladitya Ray, Amazon Web Services Outage Takes Down Major Sites Including Roku, Flickr, Forbes (Nov. 25, 2020, 1:24 PM),‌amazon-web-services-outage-takes-down-major-sites-including-roku-flickr/ [‌6QSC-WJ72].
  164. . See Aaron Gregg & Drew Harwell, Amazon Web Services’ Third Outage in a Month Exposes a Weak Point in the Internet’s Backbone, Wash. Post (Dec. 22, 2021, 11:02 AM), [] (detailing the disruptive impact of three AWS outages on work chatrooms, digital retail stores, Ring doorbells, and Roomba vacuums).
  165. . Sabina Weston, Major AWS Outage Knocks a Host of Services Offline, IT Pro (Dec. 7, 2021), [].
  166. . NYCT Subway (@NYCTSubway), Twitter (Nov. 25, 2020, 10:56 AM), [] (“We are currently unable to remove the A line service alert from our website and app because of the widespread Amazon AWS outage. A trains are no longer running local in Brooklyn. We will continue to post updates here as we have them.”).
  167. . Japan Investigating Amazon Cloud Disruptions to Brokers, Airline, Reuters (Sept. 2, 2021, 8:02 AM), [].
  168. . Id.
  169. . Id.
  170. . Mike Ives & Yan Zhuang, An Internet Outage Affects Company Websites in Australia and Beyond, N.Y. Times (June 17, 2021), [].
  171. . Id.
  172. . Id.
  173. . Rob Davies, Internet Outage: Which Websites and Services Were Hit by Fastly Issue, The Guardian (June 8, 2021, 1:38 PM),‌jun/08/‌internet-outage-which-websites-and-services-were-hit-by-fastly-issue [].
  174. . Id.
  175. . Siladitya Ray, Major Google Services Including Gmail, YouTube Are Working Again After Global Outage, Forbes (Dec. 14, 2020, 7:22 AM),‌siladityaray/‌2020/12/14/major-google-services-including-gmail-youtube-experience-global-outage/ [https://‌].
  176. . Joe Walsh, Gmail Users Struggle with Glitches a Day After Google Suffered Major Global Outage, Forbes (Dec. 15, 2020, 6:59 PM),‌15/‌gmail-users-struggle-with-glitches-a-day-after-google-suffered-major-global-outage/ [https://‌].
  177. . What Is IaaS?, Microsoft, [].
  178. . See Flexera 2021 State of the Cloud Report, Flexera 9, 10, 37 (2021), https://‌resources.‌ [‌Z85T-9K7U] (explaining that, with rapid increases in cloud usage, companies are more frequently and directly interacting with IaaS rather than outsourcing to software asset management teams).
  179. . See id. at 27 (summarizing survey results showing that organizations are using cloud services more than expected in order to meet higher demand for online usage).
  180. . Gian Calvesbert, Cloud Service Failure: 3 Things to Know, Verisk (Jan. 23, 2018), [https://‌].
  181. . See FinTech and Market Structure in Financial Services: Market Developments and Potential Financial Stability Implications, Fin. Stability Bd. 23 (Feb. 14, 2019), https://www.fsb.‌org/wp-content/uploads/P140219.pdf [] (noting that regulatory bodies consider concentration risk when promulgating guidelines for the cloud service market).
  182. . Most of the legal and regulatory debates over cloud computing concern whether law enforcement officials can gain access to private information stored in the cloud. See Clarifying Lawful Overseas Use of Data (CLOUD) Act, Pub. L. No. 115-141, 132 Stat. 1213 (2018) (codified in sections 2713, 2701 prec., 2703, 2511(2), 2520(d)(3), 2701(b)(8), 2702(c)(5), 2702(c)(6), 2707(e), 3121(a), 3124(d), 3124(e), 2523, 2510 prec., 2520 note of 18 U.S.C.) (amending the process for obtaining information stored in the cloud from foreign entities); Jennifer Daskal, Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0, 71 Stan. L. Rev. Online 9, 11 (2018) (highlighting a critical feature of the CLOUD Act governing the disclosure of foreign data to United States government officials).
  183. . See generally Sam De Silva, Cloud Computing Contracts, in The LegalTech Book: The Legal Technology Handbook for Investors, Entrepreneurs and FinTech Visionaries 93 (Sophia Adams Bhatti, Susanne Chishti, Akber Datoo & Drago Indjic eds., 2020) (discussing common terms in cloud computing contracts).
  184. . See Note, Rethinking Regulation: Negotiation as an Alternative to Traditional Rulemaking, 94 Harv. L. Rev. 1871, 1873 (1981) (explaining that the APA procedures “assume[] parties will participate in rulemaking through the characteristically adversarial techniques of formal argument and proof” and ascribing subsequent expansions of this adversarial model by courts as guided by “[a] vision of rulemaking as an adversary process”). As one congressman put it, the APA was necessary because “[s]lowing-down procedure [through the adversarial system] is exactly what is needed when procedure which means the life or death of industry, or the financial ruin of individuals, is in the hands of an arbitrary, tyrannical, and bitterly prejudiced agency.” 86 Cong. Rec. 4501, 4535 (1940) (statement of Rep. Michener).
  185. . Roni A. Elias, The Legislative History of the Administrative Procedure Act, 27 Fordham Env’t. L Rev. 207, 207, 221 (2016).
  186. . See Wayne B. Gray, Environmental Regulations and Business Decisions, IZA World Lab. 1 (Sept. 2015), [] (“Environmental regulations raise production costs at regulated firms . . . .”); see also Richard J. Pierce, Jr., The Appropriate Role of Costs in Environmental Regulation, 54 Admin. L. Rev. 1237, 1238 (2002) (discussing courts’ role in deciding the issue of cost when reviewing EPA’s regulatory decisions).
  187. . For a discussion, see David Zaring, Banks, Corporatism, and Collaboration in the Administrative State 3 (April 8, 2022) (unpublished manuscript) (on file with author).
  188. . See Primary Dealers, Fed. Rsrv. Bank N.Y.,‌markets/‌primarydealers.html [] (“Primary dealers are trading counterparties of the New York Fed in its implementation of monetary policy.”).
  189. . See Adam J. Levitin, The Politics of Financial Regulation and the Regulation of Financial Politics: A Review Essay, 127 Harv. L. Rev. 1991, 1995, 2068 (2014) (emphasizing the role of politics in financial system reform).
  190. . See Zaring, supra note 187, at 50 (“But in areas where industry and government have mutual interests—an integrative context—regulatory constraints are less important than the partnership between business and government.”). Defense contracting, for example, also occupies this differing regulatory paradigm because defense contractors and the government share an interest in a well-provisioned defense just as financial regulators and the government do in a stable banking system. Id. at 50–51.
  191. . The earliest federal forays into banking were to create a “Bank of the United States” designed to serve government purposes. “Although the Second Bank of the United States was not a central bank in the modern sense, there was a major public element in its operations.” Kenneth E. Scott, The Dual Banking System: A Model of Competition in Regulation, 30 Stan. L. Rev. 1, 15 (1977). The other big nineteenth-century effort—the creation of a national charter option for banks in the National Banking Act of 1864—promoted, as the Supreme Court put it, “instruments designed to be used to aid the government in the administration of an important branch of the public service.” Farmers’ and Mechs.’ Nat’l Bank v. Dearing, 91 U.S. 29, 33 (1875).
  192. . See Valerie C. Brannon, Cong. Rsch. Serv., LSB10309, Regulating Big Tech: Legal Implications 1–2 (2019) (suggesting the current regulations of major American technology companies are insufficient and lack well-established institutions).
  193. . Schumpeter famously described the “perennial gale of creative destruction.” Joseph Schumpeter, Capitalism, Socialism and Democracy 83–84 (1942). More recently, the management scholar Clayton Christiansen developed a theory of disruptive innovation, under which the most significant innovations undermine established firms who focus on the needs of their existing customers. See generally Clayton M. Christensen, The Innovator’s Dilemma: When New Technologies Cause Great Firms to Fail (1997) (proposing a theory of disruptive innovation).
  194. . See Safety & Soundness Supervision, Fed. Rsrv. Bank St. Louis, https://www.‌ [https://‌] (“A key responsibility of the Federal Reserve banks is to regulate and supervise banking operations within their respective districts. . . . They review the bank’s overall balance sheet and the practices it has in place to monitor, identify and control risks.”); see, e.g., Bd. of Governors of the Fed. Rsrv. Sys., Supervision and Regulation Report 27 (2021) (highlighting credit risk as a “[s]upervisory [p]riorit[y]”).
  195. . Basel Comm. on Banking Supervision, A New Capital Adequacy Framework 10 (1999) (“When the [Basel] Accord was first established, it was primarily concerned with minimum capital standards to cover credit risk.”).
  196. . See Timothy D. Lane, Market Discipline, 40 IMF Staff Papers 53, 54 (1993) (“Market discipline is a force whose effectiveness . . . plays a pervasive role in financial policy.”); see also Fiona C. Maclachlan, Market Discipline in Bank Regulation: Panacea or Paradox?, 6 Indep. Rev. 227, 227 (2001) (“Central bankers speak of three pillars supporting the achievement of their objectives: regulation, supervision, and market discipline.”); see generally Suren Pakhchanyan, Operational Risk Management in Financial Institutions: A Literature Review, Int’l J. Fin. Stud. (2016), [] (summarizing the current discussions around operational risk management in financial institutions).
  197. . “The idea that market discipline might be used to supplement regulatory oversight of financial institutions has been a long-standing policy both in the United States and abroad.” Robert P. Bartlett, III, Making Banks Transparent, 65 Vand. L. Rev. 293, 297 (2012) (discussing the opportunities afforded by market discipline and suggesting how the disclosure regime for banks might be improved to help support it).
  198. .See Kimberly D. Kawiec, The Return of the Rogue, 51 Ariz. L. Rev. 127, 134 (2009) (defining operational risk as including “rogue traders, brokers, and other employees”).
  199. . For a discussion, see Luca Enriques, Alessandro Romano & Thom Wetzer, Network-Sensitive Financial Regulation, 45 J. Corp. L. 351, 368 (2020). Banks can be designated as systemically important banks (SIBs), and insurers as systemically important insurers (SIIs). For an example of this usage, see Graham S. Steele, Confronting the “Climate Lehman Moment”: The Case for Macroprudential Climate Regulation, 30 Cornell J.L. & Pub. Pol’y 109, 123 n.63 (2020). We will use the SIFI shorthand for all systemically important financial firms.
  200. . For the FSB’s approach and most recent list of designees, see Global Systemically Important Financial Institutions (G-SIFIs), Fin. Stability Bd.,‌global-systemically-important-financial-institutions-g-sifis/ [] (Nov. 23, 2021).
  201. . In fact, “the parallel processes of SIFI designation by international organizations like the Financial Stability Board (FSB) provide an underappreciated check on FSOC’s exercise of its power.” Daniel Schwarcz & David Zaring, Regulation by Threat: Dodd-Frank and the Nonbank Problem, 84 U. Chi. L. Rev. 1813, 1822 (2017).
  202. . See Colleen Baker, The Federal Reserve as Last Resort, 46 U. Mich. J.L. Reform 69, 107–08 (2012) (noting that designation comes with “additional supervision and regulation”).
  203. . See, e.g., Paul Krugman, How Did Economists Get It So Wrong?, N.Y. Times Mag., Sept. 6, 2009, at 36, 36–37 (noting that more important than the economists’ failure to predict the financial crisis was “the profession’s blindness to the very possibility of catastrophic failures in the market economy”).
  204. . Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010).
  205. . See id. at 1435–36, 1807 (directing Federal banking agencies to “establish minimum leverage capital requirements” and “minimum risk-based capital requirements” for insured depository institutions, depository institution holding companies, and nonbank financial companies and identifying the various factors the Council must consider in making its designation of systemic importance).
  206. . About FSOC, U.S. Dep’t. Treasury, [].
  207. . See id. (“It is a collaborative body chaired by the Secretary of the Treasury that brings together the expertise of the federal financial regulators, an independent insurance expert appointed by the President, and state regulators.”). Of these nine, eight are “real” regulators, and one is a voting member with insurance expertise. Id.
  208. . Press Release, North American Securities Administrators Association, State Regulators Announce Representatives for the Financial Stability Oversight Council (Sept. 23, 2010), [].
  209. . Two federal bodies, the Federal Insurance Office, and the Office of Financial Research, are also represented on the council by their directors, but also do not vote on designations.
  210. . Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 113(a)(2)(K), 124 Stat. 1376, 1398 (2010) (codified at 12 U.S.C. § 5323(a)(2)(K)).
  211. . Authority to Require Supervision and Regulation of Certain Nonbank Financial Companies, 77 Fed. Reg. 21651, 21658 (Apr. 11, 2012) (codified at 12 C.F.R. § 1310 (2021)).
  212. . Id.
  213. . Id.
  214. . Id.
  215. . Janet L. Yellen, Vice Chair, Bd. of Governors of the Fed. Rsrv. Sys., Interconnectedness and Systemic Risk: Lessons from the Financial Crisis and Policy Implications (Jan. 4, 2013), [‌-ZESX].
  216. . Id.
  217. . Bank Systemic Risk Monitor, Off. Fin. Rsch., [].
  218. . See Jan Schildbach, Large or Small? How to Measure Bank Size, Deutsche Bank Rsch 3 (Apr. 25, 2017),‌PROD0000000000443314/Large_or_small%3F_How_to_measure_bank_size.pdf? [https://perma.‌cc/73K2-B2W3] (“When considering the size and importance of banks and the banking system, current academic research and official-sector documents often focus on balance sheet totals.”).
  219. . 12 C.F.R. § 1310.11(a)(2) (2021).
  220. . See id. (noting as a consideration the distressed company “and its subsidiaries”).
  221. . As Adam Levitin has explained it, “Under the Basel III Capital Accords, a heightened set of capital requirements that will go into effect in the United States in 2014, banks will be required to have a leverage ratio of equity to assets of 3%, among other capital requirements.” Levitin, supra note 189, at 2029.
  222. .It’s a Wonderful Life (Liberty Films 1946).
  223. . See Charles Goodhart, What Is Maturity Mismatch, and Why Is It a Problem?, World Econ. F. (Sept. 11, 2015), [] (noting that the high degree of maturity mismatch in banking is due to an expansion in mortgage lending).
  224. . Heath Tarbert & Sylvia Mayer, Systemically Important in Three Easy Steps? FSOC Approves Final Rule for Nonbank SIFI Designations, Weil Restructuring (Apr. 5, 2012), [].
  225. . See id. (stating that a nonbank financial company will move to stage two if it meets consolidated assets threshold of $50 billion).
  226. . See id. (discussing how the council will assess the “risk profile and characteristics” of the company and will notify the company only after completion of the stage two analysis).
  227. . See id. (noting that the company “will be allowed to submit written materials contesting the FSOC’s consideration of the . . . company for a proposed determination”).
  228. . MetLife, Inc. v. Fin. Stability Oversight Council, 177 F. Supp. 3d 219, 228–29 (D.D.C. 2016).
  229. . Id. at 229.
  230. . Report to Congress on Implementation of Enhanced Prudential Standards – January 2018, Bd. Governors Fed. Rsrv. Sys., [‌7EF8-PXP9] (Mar. 8, 2018).
  231. . See Financial Market Utilities, Bd. Governors Fed. Rsrv. Sys. (Mar. 9, 2017), [https://‌] (noting that financial market utilities “provide the essential infrastructure for transferring, clearing, and settling . . . transactions among financial institutions” and that FMUs are subject to Regulation HH).
  232. . Id.
  233. . See Designated Financial Market Utilities, Bd. Governors Fed. Rsrv. Sys. (Jan. 29, 2015), [https://‌] (listing systemically important FMUs and their supervising federal agencies).
  234. . Financial Stability Oversight Council Guidance for Nonbank Financial Company Determinations, 12 C.F.R. pt. 1310 app. A (2021).
  235. . Id.
  236. . See, e.g., Main Street New Loan Facility, Bd. Governors Fed. Rsrv. Sys. (Apr. 30, 2020), [] (exemplifying the emergency lending programs available).
  237. . John Reosti, Kevin Wack, Allissa Kline & Paul Davis, Emergency Loan Program Plagued by Chaos on Eve of Launch, Am. Banker (Apr. 2, 2020),‌emergency-loan-program-plagued-by-chaos-on-eve-of-launch []. For an early account of where the PPP loans went, one that did not look particularly suspicious, see Haoyang Liu & Desi Volker, Where Have the Paycheck Protection Loans Gone So Far?, Fed. Rsrv. Bank N.Y.: Liberty St. Econ. Blog (May 6, 2020), https://libertystreeteconomics.‌ [https://‌].
  238. . See supra subpart II(A).
  239. . Ron J. Feldman & Jason Schmidt, Government Fiscal Support Protected Banks from Huge Losses During the COVID-19 Crisis, Fed. Rsrv. Bank Minneapolis, https://www.‌ [].
  240. . Coronavirus Aid, Relief, and Economic Security Act, Pub. L. No 116-136, 134 Stat. 281 (2020) (codified at 15 U.S.C. § 9001).
  241. . One could imagine a TechSOC rule that would mandate that all tech firms take measures to deter hackers from disrupting their activities, for example.
  242. . See supra section I(D)(2).
  243. . Karen Shaw Petrou, Data and the Bank: Financial Resilience in a Digital Age, Remarks at the Duke in DC Financial Regulation Forum (Mar. 27, 2018),‌press_center/speeches/Karen%20Petrou%20Remarks%20Prepared%20for%20Duke%20in%20DC%20Financial%20Regulation%20Forum.pdf [].
  244. . See generally Noel M. Tichy, Michael L. Tushman & Charles Fombrun, Social Network Analysis for Organizations, 4 Acad. Mgmt. Rev. 507 (1979) (discussing network models in the organizational context); Albert-László Barabási, Linked: The New Science of Networks (2002) (demonstrating the applicability of network models in a variety of contexts).
  245. . See supra section I(C)(2).
  246. . NIS Directive, Eur. Comm’n (June 7, 2022),‌en/‌policies/nis-directive [].
  247. . See Dimitra Markopoulou, Vagelis Papakonstantinou & Paul de Hert, The New EU Cybersecurity Framework: The NIS Directive, ENISA’s Role and the General Data Protection Regulation, Comput. L. & Sec. Rev., Nov. 2019, at 1, 2 (discussing affected parties and their obligations under the directive).
  248. . See supra Part I.
  249. . See Welburn et al., supra note 105, at 31–34 (noting, for example, that despite GoDaddy’s relatively low revenue, a shock to the company would likely have a disproportionate effect).
  250. . Amazon does many other things as well, including operating a massive shipping business and a major streaming video distributor. See What We Do, Amazon, https://www.aboutamazon.‌com/what-we-do [] (describing the various Amazon businesses).
  251. . In addition to this distinction, Amazon also has power as a channel for selling and fulfillment for third-party product providers, who compete against Amazon’s own brands. The Federal Trade Commission has recently shifted its focus to such monopsony power as a way to address the limitations of the consumer-welfare standard for antitrust enforcement. See Christopher Mims, How the FTC Is Reshaping the Antitrust Argument Against Tech Giants, Wall St. J. (Jan. 29, 2022), [] (describing the FTC’s recent focus on monopsony as a theory of antitrust regulation against giant technology companies).
  252. . See supra Part I.
  253. . Felix Richter, Amazon Leads $200-Billion Cloud Market, Statista (Aug. 2, 2022), [].
  254. . See Wu, supra note 93, at 142 (arguing that the network-neutrality requirements are the proper way to address broadband discrimination). The debate over network neutrality in the United States has been long and contentious. See generally Volker Stocker, Georgis Smaragdakis & William Lehr, The State of Network Neutrality Regulation, ACM SIGCOMM Comput. Comm’ns Rev., Jan. 2020, at 45 (providing a historical overview of the network-neutrality debate in the United States and the EU).
  255. . See supra text accompanying notes 42–45.
  256. . See Welburn et al., supra note 105, at 37 (discussing the Dyn cyberattack).
  257. . Cloudflare, which protects sites against ubiquitous denial-of-service attacks, has become a particularly essential piece of internet network infrastructure. A Cloudflare outage in June 2022 rendered a number of major online services inaccessible. Jon Porter, A Cloudflare Outage Broke Large Swathes of the Internet, The Verge (June 21, 2022, 3:34 AM), https://www.‌theverge.‌com/‌2022/6/21/23176519/cloudflare-outage-june-2022-discord-shopify-fitbit-peleton [‌KM2B-UDKX].
  258. . See eCommerce Distribution in the United States, BuiltWith (Sept. 18, 2022), [] (showing that Shopify has a 29% market share for websites using e-commerce platforms).
  259. . Glenn Weinstein, What Is Twilio? An Introduction to the Leading Customer Engagement Platform, Twilio (Nov. 29, 2021), []; Lionel Sujay Vailshery, Communications Platform as a Service (CPaaS) Market Share by Vendor Worldwide in 2nd Quarter 2021, Statista (Feb. 25, 2022), [https://‌].
  260. . Leeron Hoory & Cassie Bottorff, Square vs. Stripe (2023 Comparison), Forbes (Dec. 31, 2022), [‌E9YM-L28C].
  261. . See Welburn et al., supra note 105, at 33 (finding Workday among those firms with the highest estimated losses per unit revenue rate).
  262. . Meltem Odabaş, 10 Facts About Americans and Twitter, Pew Rsch. Ctr. (May 5, 2022), [https://‌].
  263. . About the FCC, Fed. Commc’ns Comm’n, [].
  264. . See 47 U.S.C. § 151 (granting authority to the FCC only “with respect to interstate and foreign commerce in wire and radio communication”).
  265. . Keith Collins, Net Neutrality Has Officially Been Repealed. Here’s How That Could Affect You, N.Y. Times (June 11, 2018), [].
  266. . Network Reliability Resources, Fed. Commc’ns Comm’n, [].
  267. . See Data Security, Fed. Trade Comm’n, [] (listing cases involving data security which the FTC has litigated).
  268. . See, e.g., Press Release, Fed. Trade Comm’n, FTC Sues Facebook for Illegal Monopolization (Dec. 9, 2020), [] (announcing an antitrust suit by the FTC over Facebook’s alleged efforts to monopolize social networking).
  269. . As that agency has explained its regulatory mission, “CISA works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future.” About CISA, Cybersecurity & Infrastructure Sec. Agency,‌about-cisa [].
  270. . For observations by one Fed official on this score, see Sarah Dahlgren, Executive Vice President, Fed. Rsrv. Bank of N.Y., Remarks at the OpRisk North America Annual Conference: The Importance of Addressing Cybersecurity Risks in the Financial Sector (Mar. 24, 2015), []. The Fed’s interest in the area has grown but has longstanding roots. As Peter Conti-Brown and David Wishnick have put it:By the 1970s, the Fed not only had teams of technologists at the individual Reserve Banks but also had a specialized team dedicated to long-range telecommunications planning, which developed an early example of a packet-switched network as part of the Division of Data Services. Along with these investments in advanced infrastructure came investments in security and redundancy to prevent costly system outages. Today, the Fed is a large employer of cybersecurity personnel—witness the over one hundred analysts who comprise the National Incident Response Team, dedicated to responding to the highest-impact threats to the Federal Reserve System and the broader financial sector, especially those incidents that involve attempts to penetrate Fed computers.Peter Conti-Brown & David A. Wishnick, Technocratic Pragmatism, Bureaucratic Expertise, and the Federal Reserve, 130 Yale L.J. 636, 676–77 (2021) (footnotes omitted).
  271. . About NTIA, Nat’l Telecomms. & Info. Admin., [] (stating that the NTIA “is the Executive Branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues”).
  272. . See 15 U.S.C. § 272(a) (creating NIST as a laboratory). Congress created NIST within the U.S. Department of Commerce. Id. The statutory mission of NIST is to “provid[e] the measurements . . . which underpin United States commerce, technological progress, improved product reliability and manufacturing processes, and public safety; [and] . . . to assist private sector initiatives to capitalize on advanced technology.” Id. § 271(b). Congress also authorized NIST to “develop standards . . . to advance the effective use of computers and related systems . . . [and] undertake such other activities similar to those specified in this subsection as the [NIST] Director determines appropriate.” Id. § 272(c).
  273. . See supra subpart II(C).
  274. . See Volker Brühl, How to Define a Systemically Important Financial Institution—A New Perspective, 52 Intereconomics 107, 107 (2017) (describing systematically important financial institutions as institutions whose “distress or disorderly failure would cause significant disruption to the financial system and economic activity due to their size, complexity and systemic interconnectedness”).
  275. . See Iain Withers & Huw Jones, For Bank Regulators, Tech Giants Are Now Too Big to Fail, Reuters (Aug. 20, 2021), [] (describing the interconnectedness of big tech companies: “a glitch at one cloud company could bring down key services across multiple banks and countries”).
  276. . See, e.g., Henry Farrell & Abraham L. Newman, Choke Points, Harv. Bus. Rev. (Jan.–Feb. 2020), [] (“Complex supply chains can be dependent on a handful of components, like the chips Qualcomm makes for devices with the Android operating system.”).
  277. . See Levitin, supra note 189, at 2040 (“[M]ost derivatives must now trade through regulated boards of trade (exchanges) or swap execution facilities and must clear via clearinghouses instead of trading over the counter.”).
  278. . See supra Part II.
  279. . Rory Van Loo noted that some tech firms might be appropriate subjects for stress testing in a different context. Rory Van Loo, Stress Testing Governance, 75 Vand. L. Rev. 553, 610 (2022) (“Some tech companies, such as Google and Facebook, may have become so central to society, for everything from information access to elections, that it is worth thinking of how stress tests might be integrated into their governance.”).
  280. . See generally Bd. Governors Fed. Rsrv. Sys., Dodd-Frank Act Stress Test 2021: Supervisory Stress Test Results (2021) (stating and analyzing the results of stress test conducted in 2021).
  281. . For an overview of this system as enacted shortly after the crisis, see Daniel K. Tarullo, Governor, Fed. Rsrv. Bd., Address at the Federal Reserve Bank of Chicago Annual Risk Conference: Developing Tools for Dynamic Capital Supervision at 2–3 (Apr. 10, 2012), [].
  282. . Mehrsa Baradaran, Regulation by Hypothetical, 67 Vanderbilt L. Rev. 1247, 1283 (2014) (describing stress tests as a prominent instance of regulation by hypothetical).
  283. . See Robert Weber, A Theory for Deliberation-Oriented Stress Testing Regulation, 98 Minn. L. Rev. 2236, 2238 (2014) (noting that “the mention of a stress test likely prompts thoughts of a visit to the cardiologist); see also Baradaran, supra note 282, at 1283 (“The term ‘stress test’ is borrowed from the engineering and medical world.”).
  284. . See Baradaran, supra note 282, at 1283–88 (discussing the adoption of stress tests by financial firms).
  285. . Press Release, Fed. Rsrv. Bd., Federal Reserve Releases Summary Results of Bank Stress Tests (Mar. 7, 2013),‌pressreleases/‌bcreg20130307a.htm [].
  286. . Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010) (codified at 12 U.S.C. § 5301).
  287. . Id. § 165(d).
  288. . Id.
  289. .Michael S. Barr, Howell E. Jackson & Margaret E. Tahyar, Financial Regulation: Law and Policy 997 (2d ed. 2018).
  290. . Id. at 998.
  291. . As Steven Schwarcz has observed, “Living wills or other resolution plans that effectively require firms to contemplate their own mortality can provide additional reminders, not unlike the ancient Roman tradition of memento mori, in which a slave would repeatedly remind the general in a victory parade of his mortal limitations.” Steven L. Schwarcz, Regulating Complacency: Human Limitations and Legal Efficacy, 93 Notre Dame L. Rev. 1073, 1102 (2018).
  292. . Daniel K. Tarullo, Governor, Fed. Rsrv. Bd., Address at Institute of International Bankers Conference on Cross-Border Insolvency Issues: Supervising and Resolving Large Financial Institutions (Nov. 10, 2009),‌tarullo20091110a.htm [].
  293. . See Joseph G. Haubrich & James B. Thomson, Capital Requirements for Financial Firms, Econ. Comment., Nov. 2012, at 1, 1 (stating the purpose of setting capital requirements for financial firms, especially systemically risky finance firms).
  294. . See Nicholas W. Turner, The Financial Action Task Force: International Regulatory Convergence Through Soft Law, 59 N.Y. L. Sch. L. REV. 547, 548 (2014) (stating that the Financial Action Task Force has achieved tremendous success and is quite effective in promoting regulation of the global financial system).
  295. . See Tom Wheeler, A Focused Federal Agency Is Necessary to Oversee Big Tech, Brookings (Feb. 10, 2021), [] (suggesting establishing a new regulatory agency to oversee the tech sector as “[o]versight of the dominant digital platforms’ broad effects on society is not possible within the existing federal regulatory structure”).