IMF’s Lagarde: Estimating Cyber Risk for the Financial Sector

IMF Managing Director Christine Lagarde delivers remarks to the media during a press conference regarding the IMF’s loan for Argentina in the form of a Stand-By Arrangement on Wednesday, June 20 at IMF Headquarters in Washington, D.C. Ryan Rayburn/IMF Photo

This story is brought to you in association with the International Monetary Fund

Written by Christine Lagarde, IMF’s Managing Director

Average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year (photo: Eti Ammos/iStock by Getty Images)

Cyber risk has emerged as a significant threat to the financial system. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.

Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.

Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks, as in the graphic below.

Financial sector’s vulnerability

The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.

Recent high-profile cases have increasingly put cyber risk on the agenda of the official sector—including international organizations. However, quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.

Cyber risk has emerged as a significant threat to the financial system.

A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.

Estimating potential losses

The modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.

We illustrate our framework using a data set covering recent losses due to cyber-attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated. The exercise is difficult and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has yet been no successful, large-scale cyber-attack on the financial system.

Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario—in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion— losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.

The framework could be used to examine extreme risk scenarios involving massive attacks. The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.

Such estimated losses are several orders of magnitude greater than the present size of the cyber insurance market. Despite recent growth, the insurance market for cyber risk remains small with around $3 billion in premiums globally in 2017. Most financial institutions do not even carry cyber insurance. Coverage is limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects.

The way forward

There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector. Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and design adequate responses by private institutions and governments.

Further work is needed also to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack but also to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.

In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

the European Sting Milestones

Featured Stings

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

How to get young people in Europe to swipe right on voting

EU Commission: Growth first then fiscal consolidation

Brexit effect: Public opinion survey shows that EU is more appreciated than ever

Forty-two countries adopt new OECD Principles on Artificial Intelligence

Innovation can transform the way we solve the world’s water challenges

Israel @ MWC14: Israel The Start App Nation

Globalization 4.0 must build a better world for working people

Take medical use of cannabis seriously, say MEPs

Facebook wins EU approval for WhatsApp acquisition; just a sign of the times

What lessons to draw from the destruction of Syria

The Fourth Industrial Revolution must not leave farming behind

WEF Davos 2016 LIVE: “We need more Schengen but reinforce control!”, France’s Minister of Economy Emmanuel Macron emphasises from Davos

Can the EU last long if it cuts Cyprus out?

5 ways blockchain can transform the world of impact investing

Seize the opportunities of digital technology to improve well-being but also address the risks

Breaking news on European Youth Employment: European Youth Forum Guide tackles poor quality internships!

Turkey caught in a vicious Syrian circle bringing terror and war at home

The Parliament rejects cultivating the wrong seeds of the Commission

EU free-trade agreements with Canada and US: imagine the fallout if put to national referendums

Half of all mental illness begins by the age of 14

Gender Equality as a platform to improve Medicine

Hydrogen isn’t the fuel of the future. It’s already here

Prosecution of Paraguay judges over peasant ‘massacre’ ruling could undermine rule of law: UN expert

EU migrant crisis: Germany, France and UK to show the way. Will the rest of the EU follow?

Eurozone: Even good statistics mean deeper recession

These patients are sharing their data to improve healthcare standards

In Washington D.C., Guterres signs pact with World Bank, meets US President Trump

Why today’s leaders need to know about the power of narratives

Tuesday’s Daily Brief: hate speech, dementia, Libya and Yemen, human rights in Brazil and Lebanon

Health conditions for citizens of Yemen’s key port city ‘remain critical’ says UN agency

Cancer research put at risk by General Data Protection Regulation? The possible dangers of a data privacy EU mania

Latin America is a mass-transit powerhouse. But it needs fine-tuning

Clean energy will do to gas what gas has done to coal

The ITU Telecom World on 14-17 November in Bangkok, Thailand

Migration: Better travel safe than sorry

Margrethe Vestager, EU Commissioner in charge of competition policy, during a recent press conference in Brussels / Berlaymont. (Copyright: EU, 2018 / Source: EC - Audiovisual Service / Photo: Jennifer Jacquemart)

EU opens investigation into Qatar Petroleum over potentially restrictive gas contracts

Why exchange programs are essential for the medical students of the 21st century

DRC ‘calm but tense’ as country awaits presidential election result

Trump’s trade wars: Aiming at long term gains for America

Refugee crisis update: EU fails to relocate immigrants from Greece and Italy

A Valentine’s Special: we can never overdose on love

Brexit update: Leave campaign leads race but undecided voters will determine the outcome of the EU referendum

Western Balkans: European Parliament takes stock of 2018 progress

The miserables and the untouchables of the economic crisis

UN chief urges India and Pakistan to dial down tensions in wake of Kashmir attack

Climate change and its adverse impacts on health

“ASEM: Global Partners for Global Challenges”, a Sting Exclusive by China’s Ambassador to the EU

FROM THE FIELD: Rohingya babies conceived out of ‘incomprehensible brutality’

Egypt is building one of the world’s largest solar parks

The EU Parliament sidesteps the real issues about banks, while the US target the Eurozone lenders

The unpleasant truth of plastic straws

Social Committee slams the 28 EU leaders for false promises

UN chief condemns suspected Boko Haram attacks targeting Eid al-Fitr celebrations in Nigeria

The historic accomplishment of a seamless EU patent and intellectual property space

The Syrian knot cannot be cut without devastating consequences

Who is culpable in the EU for Ukraine’s defection to Russia?

Civilians ‘must never be a target,’ says UN in Afghanistan, amid troubling number of casualties during Ramadan

Can the US-Iran rapprochement change the world?

UN chief calls for Security Council to work with Myanmar to end ‘horrendous suffering’ of Rohingya refugees

Energy Union: EU invests a further €800 million in priority energy infrastructure

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s