In a recent LinkedIn post, Christine Lagarde, Managing Director of the International Monetary Fund, calls cyber risk not just a top risk but “a significant threat to the financial system” and cites a new IMF study estimating that cyber attacks could already cost banks close to nine percent of net income globally, or around $100 billion on average a year.
Nick Sanna is President and Secretary of the FAIR Institute
Though financial regulators are increasingly focused on cyber risk, there’s a roadblock, in Lagarde's view:
“Quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.”
The study is the IMF’s proposal for a quantitative cyber risk analytics model for the financial industry as a whole. But the IMF's attempt at cyber risk modeling and quantification, while leveraging well-established simulation algorithms from the operational risk world (such as Monte Carlo) to calculate cyber value-at-risk, suffers from serious limitations related to the actual risk model, the data inputs and the data sources used:
Fortunately, proven cyber value-at-risk models exist with the FAIR standard leading the way in terms of market adoption, including by some of the world's largest financial services institutions.
Recent advances in tooling and new estimation techniques already address several of the limitations listed above. Accurate (versus precise) representations of risk can be produced even when data is limited or of poor quality. Some of the most sophisticated software solutions, such as RiskLens, incorporate those advances and allow users not only to quantify risk in single scenarios but also to aggregate scenarios in order to provide enterprise-level or sector-level views of risk. Such tools enable cost-benefit analysis and assessment of the effectiveness and adequacy of cybersecurity initiatives in reducing risk.
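To make the approach described above concrete, here is an added example (not code from the IMF study, the FAIR Institute or RiskLens) of a FAIR-style Monte Carlo cyber value-at-risk simulation: each scenario is described by calibrated (min, most likely, max) estimates for loss event frequency and loss magnitude, sampled with Beta-PERT and Poisson draws, and the per-scenario annual losses are summed per simulated year to give the aggregate, enterprise-level view. The scenario names and numbers are constructed for illustration and are not from the page; `control_benefit` shows the kind of cost-benefit comparison such tooling supports.

```python
"""Added example: FAIR-style Monte Carlo cyber value-at-risk for a few loss
scenarios, aggregated to a portfolio (enterprise-level) view.  Scenario names
and numbers below are constructed for illustration only."""
import math
import random
import statistics

# Constructed sample scenarios: calibrated (min, most likely, max) estimates
# for loss event frequency (events/year) and loss magnitude ($ per event).
SCENARIOS = {
    "phishing_to_account_takeover": {"freq": (0.5, 2.0, 6.0), "mag": (20_000, 80_000, 400_000)},
    "ransomware_core_banking": {"freq": (0.02, 0.1, 0.5), "mag": (1_000_000, 5_000_000, 40_000_000)},
    "third_party_data_breach": {"freq": (0.1, 0.5, 2.0), "mag": (50_000, 250_000, 2_000_000)},
}


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a Beta-PERT distribution, the usual way FAIR tooling turns a
    (min, most likely, max) estimate into a distribution."""
    if high <= low:
        return float(low)
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson_sample(rng, lam):
    """Number of loss events in one simulated year (Knuth's method; fine for
    the small rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_year(rng, scenario):
    """Annual loss for one scenario in one simulated year: draw a frequency,
    draw how many events occurred, then draw a magnitude for each event."""
    lam = pert_sample(rng, *scenario["freq"])
    events = poisson_sample(rng, lam)
    return sum(pert_sample(rng, *scenario["mag"]) for _ in range(events))


def run_simulation(scenarios, trials=10_000, seed=7):
    """Return per-scenario annual loss samples and the aggregate (sum across
    scenarios in each simulated year), which is the enterprise-level view."""
    rng = random.Random(seed)
    per_scenario = {name: [] for name in scenarios}
    aggregate = []
    for _ in range(trials):
        year_total = 0.0
        for name, scenario in scenarios.items():
            loss = simulate_year(rng, scenario)
            per_scenario[name].append(loss)
            year_total += loss
        aggregate.append(year_total)
    return per_scenario, aggregate


def percentile(samples, q):
    """Nearest-rank percentile of a list of samples (q in [0, 1])."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def summarize(samples):
    """Mean, median and 95%/99% value-at-risk of an annual loss distribution."""
    return {
        "mean": statistics.fmean(samples),
        "median": percentile(samples, 0.5),
        "var95": percentile(samples, 0.95),
        "var99": percentile(samples, 0.99),
    }


def expected_annual_loss(scenario):
    """Closed-form sanity check: E[events] * E[magnitude], each Beta-PERT mean
    being (min + 4*mode + max) / 6 for lam=4."""
    f_lo, f_ml, f_hi = scenario["freq"]
    m_lo, m_ml, m_hi = scenario["mag"]
    return (f_lo + 4 * f_ml + f_hi) / 6 * (m_lo + 4 * m_ml + m_hi) / 6


def control_benefit(scenarios, name, frequency_reduction, annual_cost, trials=10_000, seed=7):
    """Cost-benefit view: reduction in mean annual loss from cutting one
    scenario's event frequency by a fraction, minus the control's annual cost."""
    before = summarize(run_simulation(scenarios, trials, seed)[1])["mean"]
    lo, ml, hi = scenarios[name]["freq"]
    scale = 1.0 - frequency_reduction
    modified = dict(scenarios)
    modified[name] = {"freq": (lo * scale, ml * scale, hi * scale), "mag": scenarios[name]["mag"]}
    after = summarize(run_simulation(modified, trials, seed)[1])["mean"]
    return before - after - annual_cost


if __name__ == "__main__":
    per_scenario, aggregate = run_simulation(SCENARIOS)
    for name, samples in per_scenario.items():
        print(f"{name:30s} {summarize(samples)}")
    print("aggregate", summarize(aggregate))
    print("net benefit of halving phishing frequency at $100k/yr:",
          round(control_benefit(SCENARIOS, "phishing_to_account_takeover", 0.5, 100_000)))
```

The aggregate distribution is what a sector-level or enterprise-level view needs: its 95th or 99th percentile is the cyber value-at-risk figure, and because every scenario is sampled in the same simulated year, tail years in which several scenarios hit together are represented rather than averaged away. The closed-form `expected_annual_loss` is a useful check that the simulation's mean is in the right place before anyone trusts its tail.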
What is most important, in our view, is Lagarde's explicit invitation to financial institutions and governments to continue to improve (cyber) risk assessments. The implications are profound:
“There is much scope to improve risk assessments,” Lagarde writes. “Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector.”
We at the FAIR Institute believe that governments alone will not be able to succeed on this front, without partnerships with the private sector. Some of this collaboration is already happening, as illustrated by the work of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a member-driven, non-profit organization with nearly 7,000 members across 39 countries today that helps financial services firms share timely, relevant and actionable physical and cyber security threat and incident information. FS-ISAC's goal is to help assure the resilience and continuity of the global financial services infrastructure and individual firms against acts that could significantly impact the sector's ability to provide services critical to the orderly functioning of the global economy.
“Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks,” Lagarde states.
In the US, the revised guidance on cybersecurity disclosures by the Securities and Exchange Commission (which, like GDPR, requires reporting of breaches and of material cyber risks) and the New York State Department of Financial Services Cybersecurity Regulation are moves in the direction that Lagarde suggests.
The FAIR Institute's members are leading the way, as many of them have pioneered cyber risk quantification in the banking and finance sector by applying FAIR, the only international standard for quantifying cyber risk. The mission of the FAIR Institute is to provide education on the FAIR standard and to develop and share best risk assessment practices.
Representatives of the world's largest banks have been sharing their experiences with peer institutions and government organizations, as they seek to help improve the resiliency of the finance sector. The FAIR Institute also collaborates with governments as they develop and publish guides on how to conduct quantitative risk assessments.
FAIR Institute membership recently hit 3,000 and universities that teach FAIR as part of their risk management courses will grow from 15 to 30 in the new 2018/9 academic year.