IMF’s Lagarde: Estimating Cyber Risk for the Financial Sector

IMF Managing Director Christine Lagarde delivers remarks to the media during a press conference regarding the IMF’s loan for Argentina in the form of a Stand-By Arrangement on Wednesday, June 20 at IMF Headquarters in Washington, D.C. Ryan Rayburn/IMF Photo

This story is brought to you in association with the International Monetary Fund

Written by Christine Lagarde, IMF’s Managing Director

Average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year (photo: Eti Ammos/iStock by Getty Images)

Cyber risk has emerged as a significant threat to the financial system. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.

Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.

Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks, as in the graphic below.

Financial sector’s vulnerability

The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.

Recent high-profile cases have increasingly put cyber risk on the agenda of the official sector—including international organizations. However, quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.

Cyber risk has emerged as a significant threat to the financial system.

A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.

Estimating potential losses

The modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.

We illustrate our framework using a data set covering recent losses due to cyber-attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated. The exercise is difficult and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has yet been no successful, large-scale cyber-attack on the financial system.

Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario—in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion— losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.

The framework could be used to examine extreme risk scenarios involving massive attacks. The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.

Such estimated losses are several orders of magnitude greater than the present size of the cyber insurance market. Despite recent growth, the insurance market for cyber risk remains small with around $3 billion in premiums globally in 2017. Most financial institutions do not even carry cyber insurance. Coverage is limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects.

The way forward

There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector. Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and design adequate responses by private institutions and governments.

Further work is needed also to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack but also to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.

In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

A Sting Exclusive: “Regional Policy: a fully-fledged investment policy”, Commissioner Cretu reveals live from European Business Summit 2015

G20 starts to tackle inequality

This UK footballer just won free school meals for kids in the summer holidays

UN chief hopeful for Libya, after Quartet meeting in Tunis

Lithuania finds the ways to maintain its energy security

Climate change could be making forests shorter – this is how

Why carbon capture could be the game-changer the world needs

Covid-19 crisis shows supply chains need to embrace new technologies

Greece @ MWC14: Greek-born mobile champions at MWC 2014

Can we crack the hydrogen puzzle this time around?

The von der Leyen Commission: for a Union that strives for more

Is our brave new world about to burst?

More women in Latin America are working, but gender gap persists, new UN figures show

What the car industry has done to help fight climate change – and what it needs to do next

Only a few months away from the single European patent space

How the gender commuting gap could be harming women’s careers

Simple Technology Saving Lives: Remote Auscultation

How technology is driving a fourth wave of environmentalism

Why we need to solve our quantum security challenges

State aid: Commission approves Danish public financing of Fehmarn Belt fixed rail-road link

Home or office? Survey shows opinions about work after COVID-19

How AI is serving up aces at Wimbledon – and what the technology means for the future of sport

A lack of affordable homes is forcing young Britons to live with their parents

The benefits of a cashless society

Mergers: Commission refers acquisition of newly created joint venture by Telefónica and Liberty Global to the UK competition authority

In Tunisia, budding entrepreneurs can take a year off their job

This South Korean city once had the biggest coronavirus outbreak outside of China. Now it’s reported zero new cases

8 top stories from the week in Davos 2020

This is how much data we’re using on our phones

Palliative care and health coverage: informing is also universalizing

Mental Health in times of a pandemic: what can each individual do to lessen the burden?

MEPs call for new EU strategy to promote democracy in Russia

Russia is ready for its Phase 3 evaluation once it fulfills high-priority recommendation

Budget MEPs approve €104.2 m in EU aid to Greece, Spain, France and Portugal

What has COVID-19 taught us about decarbonized electricity grids?

The technologies – and thoughtful collaborations – that can build resilience in the food system after COVID-19

Foreign Affairs Council (Trade) of 22/05/2018: EU relations with key trading partners

Geopolitics and investment in emerging markets after COVID-19

Globally, youth are the largest poverty-stricken group, says new UN report

The UN’s unyielding effort to tackle sexual abuse and exploitation: our quarterly update

UN condemns Syrian ‘war on children’ as up to 30 reportedly killed in clashes

Road use charges: reforms aim to improve fairness and environmental protection

The EU’s Response to COVID-19

Nearly a third of the globe is now on Facebook – chart of the day

October’s EU strong digital mix: From Safe Harbour to Net Neutrality, Roaming and Snowden

Afghanistan: Civilian casualties caused by IEDs has reached ‘extreme levels’, UN warns

What is the biggest benefit technology will have on ageing and longevity?

After the George Floyd protests, what next for racial justice in the US?

How businesses can help solve society’s workforce problems

European Union: From financial consolidation to deeper political division

Why gin made from peas helps the environment

‘Severe’ new US asylum restrictions will put vulnerable families at risk, UN refugee agency says

MEPs demand safe and clean travel

European Semester 2018 Spring Package: Commission issues recommendations for Member States to achieve sustainable, inclusive and long-term growth

Q&A on extraordinary remote participation procedure

Earthquake: Monte Dei Paschi Di Siena

Big tech cannot crack down on online hate alone. We need to fund the smaller players

Governments and non-state actors need to take urgent action to meet Paris Agreement goals

Security Council should ‘nurture’ Colombian consensus against return to violence, top UN official urges

Palliative care and Universal Health Coverage: how to advocate for the inclusion of palliative care in UHC

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: