Estimating cyber risk for the financial sector
A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system.
Cyber risk has emerged as a significant threat to the financial system. An IMF staff modelling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.
Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.
Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks, as in the graphic below.
Financial sector’s vulnerability
The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.
Recent high-profile cases have increasingly put cyber risk on the agenda of the official sector – including international organizations. However, quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modelling cyber risk.
A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.
Estimating potential losses
The modelling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.
We illustrate our framework using a data set covering recent losses due to cyber-attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated. The exercise is difficult and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has not yet been a successful, large-scale cyber-attack on the financial system.
Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario – in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion – losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.
The framework could be used to examine extreme risk scenarios involving massive attacks. The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.
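The frequency-and-severity simulation described under "Estimating potential losses", including the average over the worst 5 percent of cases, sketched as an added example (not the IMF study's code). The Poisson event count, the lognormal loss size and every parameter value are assumptions constructed for illustration; the severe run doubles frequency only and does not model contagion.

```python
import math
import random

# Constructed parameters (assumptions, not the study's estimates):
# LAM = expected attacks per year; MU, SIGMA = lognormal loss-size parameters.
LAM, MU, SIGMA = 20.0, 0.0, 1.0

def poisson(rng, lam):
    """Events in one year, counted from exponential inter-arrival times."""
    n, t = 0, rng.expovariate(lam)
    while t < 1.0:
        n += 1
        t += rng.expovariate(lam)
    return n

def simulate_annual_losses(lam, mu, sigma, n_years=10_000, seed=1):
    """One aggregate loss per simulated year: a random number of events,
    each with an independent lognormal loss, summed."""
    rng = random.Random(seed)
    return [
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(n_years)
    ]

def summarize(totals, tail=0.05):
    """Mean annual loss, the (1 - tail) quantile, and the average loss
    across the worst `tail` share of simulated years."""
    ordered = sorted(totals)
    cut = int(len(ordered) * (1 - tail))
    worst = ordered[cut:]
    return {
        "mean": sum(ordered) / len(ordered),
        "quantile": ordered[cut],
        "tail_mean": sum(worst) / len(worst),
    }

def analytic_mean(lam, mu, sigma):
    """Closed-form check: E[count] * E[loss] for Poisson and lognormal."""
    return lam * math.exp(mu + sigma ** 2 / 2)

if __name__ == "__main__":
    base = summarize(simulate_annual_losses(LAM, MU, SIGMA))
    severe = summarize(simulate_annual_losses(2 * LAM, MU, SIGMA))
    for name, s in (("baseline", base), ("2x frequency", severe)):
        print(f"{name:>12}: mean={s['mean']:.1f} "
              f"q95={s['quantile']:.1f} worst-5%-avg={s['tail_mean']:.1f}")
```

The gap between the mean and the worst-5-percent average grows with the severity distribution's tail weight (here `SIGMA`), which is why sparse loss data makes the extreme-scenario figures the least certain output.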
Such estimated losses are several orders of magnitude greater than the present size of the cyber insurance market. Despite recent growth, the insurance market for cyber risk remains small with around $3 billion in premiums globally in 2017. Most financial institutions do not even carry cyber insurance. Coverage is limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects.
The way forward
There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector. Requirements to report breaches – such as those considered under the EU’s General Data Protection Regulation – should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and to design adequate responses by private institutions and governments.
Further work is also needed to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack and to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.
In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.
Christine Lagarde is Managing Director, International Monetary Fund. Source: IMF Blog.
Article published in the Finance and Technology series of Financial Nigeria magazine, July 2018 edition. Series sponsored by Simplex Business Solutions Limited.