IMF’s Lagarde: Estimating Cyber Risk for the Financial Sector

IMF Managing Director Christine Lagarde delivers remarks to the media during a press conference regarding the IMF’s loan for Argentina in the form of a Stand-By Arrangement on Wednesday, June 20 at IMF Headquarters in Washington, D.C. Ryan Rayburn/IMF Photo

This story is brought to you in association with the International Monetary Fund

Written by Christine Lagarde, IMF’s Managing Director

Average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year (photo: Eti Ammos/iStock by Getty Images)

Cyber risk has emerged as a significant threat to the financial system. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.

Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.

Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks, as in the graphic below.

Financial sector’s vulnerability

The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.

Recent high-profile cases have increasingly put cyber risk on the agenda of the official sector—including international organizations. However, quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.

Cyber risk has emerged as a significant threat to the financial system.

A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.

Estimating potential losses

The modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.

We illustrate our framework using a data set covering recent losses due to cyber-attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated. The exercise is difficult and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has yet been no successful, large-scale cyber-attack on the financial system.

Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario—in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion— losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.

The framework could be used to examine extreme risk scenarios involving massive attacks. The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.

Such estimated losses are several orders of magnitude greater than the present size of the cyber insurance market. Despite recent growth, the insurance market for cyber risk remains small with around $3 billion in premiums globally in 2017. Most financial institutions do not even carry cyber insurance. Coverage is limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects.

The way forward

There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector. Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and design adequate responses by private institutions and governments.

Further work is needed also to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack but also to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.

In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.

the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Parliament and Council agree drastic cuts to plastic pollution of environment

OECD Secretary-General statement on Europe Day

3 steps to strengthen Europe’s competitiveness in the digital age

DR Congo elections: ‘historic opportunity’ for ‘peaceful transfer of power’ says Security Council

At COP24, countries agree concrete way forward to bring the Paris climate deal to life

Will the outcome of the UK referendum “calm” the financial markets?

Yemen: ‘No justification for this carnage,’ says UNICEF chief, as children in need now outnumber population of Switzerland

Protectionism doesn’t stand a chance in the age of connectivity

Who is to profit from the quasi announced ECB rate cut?

EU and China to do more in common if the global scene gets worse

“Be aware where you put your I Agree signature on and something else”; now Facebook by default opts you in an unseen private data bazar

The three biggest challenges for India’s future

India is investing more money in solar power than coal for first time

Could Rwanda become Africa’s healthcare leader?

Coronavirus fears may have driven over 300,000 UK smokers to quit

Is Eurozone heading towards a long stagnation?

Measles claims more than twice as many lives than Ebola in DR Congo

Violence in North and West Africa increasingly targeting civilian and border areas – OECD/SWAC

Who really cares for the environment?

Emotional control and introspectivity in times of pandemic

What Keynes can teach us about government debt today

Rule of law in Poland and Hungary has worsened

Failing to agree climate action would ‘not only be immoral’ but ‘suicidal’, UN chief tells COP24

Young and unemployed the perfect victims of ‘vultures’

China is a renewable energy champion. But it’s time for a new approach

Stepped-up efforts needed to combat pneumonia; save nearly nine million children’s lives

FROM THE FIELD: Saving the tree kangaroos of Papua New Guinea

For Africa, ‘winds of hope are blowing ever stronger,’ Guterres declares at conference on development

Advancing multilateralism goes ‘hand-in-hand’ with work of the UN

What does reimagining our energy system look like?

Fact-checking Day: Fighting the virus of disinformation on Covid-19

EU Budget: A Reform Support Programme and an Investment Stabilisation Function to strengthen Europe’s Economic and Monetary Union

India’s 1.3 billion residents start 21-day lockdown – Today’s coronavirus updates

Amazon on fire: the interference in global health

Why we need a blockchain bill of rights

A Monday to watch the final act of a Greek tragedy; will there be catharsis or more fear?

5 principles for effective cybersecurity leadership in a post-COVID world

Meet Cipta: the comic book hero using her powers to tackle bullying in schools

MWC 2016 LIVE: BT chief aims to be at UK 5G forefront

We need impartial LGBT+ news to advance human rights

Brussels waits for the Germans to arrive

ACP-EU : Agreement on climate change, migration and post-Cotonou

Supply chains have been upended. Here’s how to make them more resilient

China’s Ambassador to the EU Zhang Ming wishes to Brussels a Happy 2019 Year of the Pig

Europe’s dirty air kills 400,000 people every year

The future of energy is being shaped in Asia

Does the Erasmus program really contribute to the construction of a solid EU identity?

A new global platform to unleash entrepreneurs on the world’s toughest problems

Asian and Pacific economies: decreases in tax revenue highlight need to broaden tax bases

EU-U.S. Privacy Shield: Second review shows improvements but a permanent Ombudsperson should be nominated by 28 February 2019

Fleeing Venezuela: MEPs to probe humanitarian conditions in Colombia and Brazil

5 reasons why biodiversity matters – to human health, the economy and your wellbeing

Sovereign wealth funds could increase equality in a post-COVID world

The European Sting @ European Business Summit 2014 – the preview

Why is Grexit again in the news? Who is to pay for Eurozone’s banking problems?

Syria: UN food relief agency ‘doing everything we can’ to reach Idlib civilians

European Citizens’ Initiative: Commission registers ‘Mandatory food labelling Non-Vegetarian / Vegetarian / Vegan’ initiative’

New phenomena in the EU labour market

FROM THE FIELD: Photos highlight agony of West African civil wars

New EU rules and guidance for a fairer online economy

More Stings?

Advertising

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s