The minimal criterion of success is an absence of failure. However, when it comes to information security breaches, it is safe to say that this criterion is far from being met. A few prominent scandals in recent years demonstrate the scope and impact of such risks on the financial industry, prompting the regulators to begin taking action. For instance, as part of the effort to identify potential spillover effects of cyber risk, EIOPA has included a cyber security questionnaire in its Cyber Risk Assessment Package. This is a prominent move which could help raise awareness of cyber risk, but at this point the questionnaire serves primarily to collect data rather than to assess companies’ cyber risk management capabilities. Gauging cyber risk is a challenging endeavour, marked by the sensitive character of the underlying data and a lack of established academic research in the field. Nevertheless, Kidbrooke Advisory has formulated its own take on cyber risk assessment, which it has shared in a series of public Knowledge Base entries.
On September 7th, 2017, the executives of Equifax, one of the largest credit bureaus in the US, announced that sensitive personal information of 143 million customers had been exposed to cyber criminals between mid-May and the end of July 2017. The breach also jeopardized the credit card data of 209,000 customers. The reputational and financial consequences for a firm operating under tough oligopolistic competition were grim: the news of the security breach led to an 18% drop in the company’s stock price and forced the CEO to resign. The Equifax case is not unique. As early as February 2015, Anthem, the second largest health insurer in the US, suffered the theft of personal information on up to 78.8 million customers. In addition, a similar security breach was experienced by JP Morgan Chase in July 2014, impacting 76 million households and 7 million small businesses.
The consequences of these information security breach scandals encouraged industry regulators to address cyber risk. In particular, EIOPA (the European Insurance and Occupational Pensions Authority) identifies cyber risk as one of the most important operational risks. EIOPA conducts yearly stress tests aimed at assessing the vulnerabilities of the European insurance sector to specific adverse scenarios, raising awareness of the potential threats and increasing transparency. In 2018, the regulator added to its stress test package a questionnaire aimed at collecting the industry’s best practices with regard to cyber security. Through these assessments, EIOPA aims to identify the potential spillover effects of such a risk. The regulator motivates the relevance of the new assessment by highlighting the growth in cyber-attacks and related incidents over the years. The authority goes on to point out that insurance companies can be affected twofold by risks of this kind: they face cyber security risks directly, and also indirectly, since they insure this kind of risk for their clients.
Despite the increasing recognition of and exposure to cyber security breaches, little has been done to quantify such risks. EIOPA’s efforts are mainly aimed at data collection at this point, and although cyber risk is present for every insurance business right now, it will take a while until the regulators come up with a standardized set of cyber risk assessment best practices. Moreover, several challenges complicate the assessment of cyber risks. To begin with, cyber risk data is scarce, as firms typically do not disclose incidents in order to avoid reputational damage. To make matters worse, the relationship between risk and control is non-linear: more risk management does not imply fewer threats. Furthermore, the cross-border nature of cyber-crime complicates the analysis and modelling of such risks. Finally, widespread digitalization implies a growing number of computers and interactions between devices, expanding the digital representation of data and therefore its exposure to cyber-crime.
However, despite these challenges, we may already have a solution. In recent months Kidbrooke Advisory has been expanding its knowledge base by designing a methodology for the assessment and quantification of cyber risks. In a series of articles, we reviewed several approaches to assessing and measuring cyber risk as a main driver of the operational risk affecting financial institutions. Within the FAIR framework, the assessment of cyber losses is divided into two parts: frequency and intensity. Specifically, we focused on quantifying the intensity of possible future losses. In the next article of this series, we shall elaborate on cyber risk management.