In a recent LinkedIn post, Christine Lagarde, Managing Director of the International Monetary Fund, calls cyber risk not just a top risk but “a significant threat to the financial system” and cites a new IMF study that cyber attacks could already cost banks close to nine percent of net income globally or around $100 billion on average a year.
The study’s distribution of results also suggests that, in the worst five percent of cases, average annual potential losses could reach as high as half of banks’ net income, putting the financial sector at risk. “A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system,” Lagarde writes.
Nick Sanna is President and Secretary of the FAIR Institute
Roadblocks in assessing cybersecurity risk
Though financial regulators are increasingly focused on cyber risk, there’s a roadblock, in Lagarde's view:
“Quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.”
The study is the IMF’s proposal for a quantitative cyber risk analytics model for the financial industry as a whole. But the IMF's attempt at cyber risk modeling and quantification, while leveraging well-established simulation algorithms from the operational risk world (such as Monte Carlo) to calculate cyber value-at-risk, suffers from serious limitations related to the actual risk model, the data inputs and the data sources used:
- The risk model used by the IMF allows for conducting risk analyses only at the highest level of abstraction in terms of likelihood and impact. There does not appear to be any consideration of the factors that make up likelihood and impact, which are needed when measuring the effectiveness of cybersecurity initiatives or cost-benefit analyses.
- The data inputs are in the form of single, average values, that do not account for the variance and the quality of the data. This forces users to come up with precise values that do not accurately represent reality.
- The study also appears to leverage unreliable data sources such as the number of news reports on cyber (gasp!) and averages from organizations such as Ponemon that have proven not to scale when conducting large risk analyses. Using such numbers in some cases leads to calculations in which the risk exceeds an organizations' total financial value...
The emergence of proven cyber risk quantification models
Recent advances in terms of tooling and new estimation techniques already address several of the limitations listed above. Accurate (versus precise) representations of risk can be produced even when data might be limited or of poor quality. Some of the most sophisticated software solutions such as RiskLens, incorporate those advances and allow users to not only quantify risk in single scenarios, but to also aggregate them in order to provide enterprise-level or sector-level views of risk. Such tools enable cost-benefit analysis and assessing the effectiveness and adequacy of cybersecurity initiatives in reducing risk.
What governments can do
What is most important in our view, is Lagarde's explicit invitation to financial institutions and governments to continue improve (cyber) risk assessments. The implications are profound:
- Financial institutions need to move from a mere technical compliance approach to a risk-based approach to cybersecurity, if they want to uncover the top risks that they are facing and prioritize risk mitigation initiatives that will make them more resilient
- Governments should use regulations to incentivize financial services firms to report not only on recent breaches, but also their top material risks - in economic terms -, to support data sharing programs, and promote proven standard risk models such as FAIR.
“There is much scope to improve risk assessments,” Lagarde writes “Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector."
We at the FAIR Institute believe that governments alone will not be able to succeed on this front, without partnerships with the private sector. Some of this collaboration is already happening, as illustrated by the work of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a member-driven, non-profit organization with nearly 7,000 members across 39 countries today that helps financial services firms share timely, relevant and actionable physical and cyber security threat and incident information. FS-ISAC's goal is to help assure the resilience and continuity of the global financial services infrastructure and individual firms against acts that could significantly impact the sector's ability to provide services critical to the orderly functioning of the global economy.
"Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks," Lagarde states.
In the US, the revised guidance on cybersecurity disclosures by the Securities and Exchange Commission (which has similar reporting requirements of breaches and of material cyber risks as GDPR) and New York State Department of Financial Services Cybersecurity Regulation are moves in the direction that Lagarde suggests.
How the FAIR Institute can help
The FAIR Institute's members are leading the way, as many of them have pioneered cyber risk quantification in the banking and finance sector by applying FAIR, the only international standard for quantifying cyber risk. The mission of the FAIR Institute is to provide education on the FAIR standard, to develop and share best risk assessment practices.
Representatives of the world's largest banks have been sharing their experiences with peer institutions and government organizations, as they seek to help improve the resiliency of the finance sector. The FAIR Institute also collaborates with governments as they develop and publish guides on how to conduct quantitative risk assessments.
FAIR Institute membership recently hit 3,000 and universities that teach FAIR as part of their risk management courses will grow from 15 to 30 in the new 2018/9 academic year.