IMF’s Lagarde: Estimating Cyber Risk for the Financial Sector

IMF Managing Director Christine Lagarde delivers remarks to the media during a press conference regarding the IMF’s loan for Argentina in the form of a Stand-By Arrangement on Wednesday, June 20 at IMF Headquarters in Washington, D.C. Ryan Rayburn/IMF Photo

This story is brought to you in association with the International Monetary Fund

Written by Christine Lagarde, IMF’s Managing Director

Average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year (photo: Eti Ammos/iStock by Getty Images)

Cyber risk has emerged as a significant threat to the financial system. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.

Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.

Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks, as in the graphic below.

Financial sector’s vulnerability

The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.

Recent high-profile cases have increasingly put cyber risk on the agenda of the official sector—including international organizations. However, quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.


A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.

Estimating potential losses

The modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.

We illustrate our framework using a data set covering recent losses due to cyber-attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated. The exercise is difficult and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has not yet been a successful, large-scale cyber-attack on the financial system.

Our results should thus be considered illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario—in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion—losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.

The framework could be used to examine extreme risk scenarios involving massive attacks. The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.
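The frequency-and-severity simulation described above can be sketched as follows. This is an added example, not the IMF study's code: the Poisson event count, the lognormal loss size, and every parameter value are constructed assumptions, and the severe scenario here only doubles the frequency without modelling contagion.

```python
import math
import random

# Constructed parameters (not IMF estimates): events per year, lognormal mu/sigma.
FREQ, MU, SIGMA, YEARS = 10.0, 0.0, 1.0, 20000

def simulate_annual_losses(freq, mu, sigma, years, seed):
    """Simulate `years` annual aggregate losses: Poisson count of lognormal losses."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        # Poisson(freq) arrivals: sum exponential gaps until the year is over.
        t, total = rng.expovariate(freq), 0.0
        while t <= 1.0:
            total += rng.lognormvariate(mu, sigma)  # size of one event's loss
            t += rng.expovariate(freq)
        totals.append(total)
    return totals

def mean(xs):
    return sum(xs) / len(xs)

def tail_average(losses, worst_share=0.05):
    """Average loss across the worst `worst_share` of simulated years."""
    k = max(1, math.ceil(worst_share * len(losses)))
    return mean(sorted(losses)[-k:])

def analytic_mean(freq, mu, sigma):
    """Closed-form mean of the compound sum, used to sanity-check the simulation."""
    return freq * math.exp(mu + sigma ** 2 / 2)

def run_scenarios(seed=1):
    """Baseline versus a scenario with twice the attack frequency."""
    base = simulate_annual_losses(FREQ, MU, SIGMA, YEARS, seed)
    severe = simulate_annual_losses(2 * FREQ, MU, SIGMA, YEARS, seed + 1)
    return {
        "base_mean": mean(base),
        "base_tail": tail_average(base),
        "severe_mean": mean(severe),
        "severe_tail": tail_average(severe),
    }

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value:.1f} (constructed loss units)")
```

Doubling the frequency alone only doubles the mean loss in this sketch, so the article's 2½–3½ multiple has to come from the additional contagion effect, which is not modelled here.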

Such estimated losses are several orders of magnitude greater than the present size of the cyber insurance market. Despite recent growth, the insurance market for cyber risk remains small with around $3 billion in premiums globally in 2017. Most financial institutions do not even carry cyber insurance. Coverage is limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects.

The way forward

There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector. Requirements to report breaches—such as those considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and to design adequate responses by private institutions and governments.

Further work is also needed to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack and to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.

In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.
