The International Monetary Fund (IMF) has introduced a new cyber risk model and loss estimation system to assess the potential impact of cyber-attacks on the world’s financial institutions.
The findings highlight a number of remaining hurdles that must be cleared to ensure an adequate level of security within the sector.
By leveraging techniques from actuarial science and operational risk measurement, the framework estimates aggregate losses from cyber-attacks and examines factors such as attack frequency, the countries most at risk and banks’ existing security measures.
Recent attacks analysed by the model include the Bank of Russia hack in 2016, in which $22 million was stolen from various accounts, and the theft of proprietary software codes worth $9.5 million from the Federal Reserve Bank of New York in 2012.
Such analysis was greatly obstructed by a scarcity of complete data, according to Lagarde. Public and commercial data sets exist, but they are incomplete, differ in coverage and use different definitions of cyber-attacks.
It’s understood that more detailed, consistent and complete data collection by governments on the frequency and impact of attacks would help assess risk for the financial sector.
Scenario analysis could support a more comprehensive assessment of how an attack spreads and help private institutions and governments design more robust responses.
Christine Lagarde, Managing Director of the IMF, stated: “Our results should be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9% of banks’ net income globally, or around $100 billion.”

“In a severe scenario – in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion – losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.”
Such estimated losses dwarf the relatively small cyber insurance market, which, despite recent growth, saw just $3 billion of premiums in 2017.
Coverage remains limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects, says Lagarde.
Further work is needed to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack and to facilitate smooth and rapid recovery.
Additionally, further capital is needed in many parts of the world to fully monitor and regulate potential risks.
“In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning,” said Lagarde.
“The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.”





