Monetary Authority of Singapore states there’s an analytical approach to assess and monitor cyber risk to the financial sector
Cyber risk is an emerging source of systemic risk in the financial sector, and possibly a macro-critical risk too. It’s therefore important to integrate it into financial sector surveillance.
According to a paper by the Monetary Authority of Singapore there’s an analytical approach to assess and monitor cyber risk to the financial sector, including various approaches to stress testing.
Limited data availability is a key challenge to assessing and monitoring cyber risk. Few datasets are publicly available, given the confidentiality of cybersecurity incidents.
The novelty of cyber risk means that existing datasets provide short time series for analysis. Except where regulations require it, financial institutions are reluctant to disclose cybersecurity incidents, given potential regulatory or legal sanctions.
Reporting is not standardised currently, so financial institutions’ estimates of direct losses may not be comparable. Indirect losses, including reputational effects, are difficult to quantify and can take time to materialise.
Data may also become obsolete quickly, given the rapid pace of change in the information technology (IT) sector.
The paper presents simple analytical techniques and data sources that policymakers can use to assess and monitor cyber risk in the financial sector as part of their regular surveillance operations. It draws on the experience of Singapore, given its significant commitment to building capabilities in this area.
Despite the above challenges, we find that some data and methods are readily available to analyse cyber risk. Key indicators can be collected and tracked, event studies can be conducted, survey estimates can be requested, statistical models estimated in other contexts can be applied in data-poor environments, and quantitative results can be presented in a standardised format.
Cyber events can be broadly categorised into three types, based on the harm that they inflict: theft, disruption, and damage.
Theft-related cyberattacks extract items that are valuable to the perpetrator, such as funds, customer credentials, intellectual property, or market-valuable information. Disruption-related cyberattacks disrupt business functionality or degrade the availability of transactions or communications.
Websites or servers, and internet-based businesses are examples of business functionalities that can be disrupted. Finally, a cyberattack can also affect data integrity, or damage system hardware or software or other equipment.
Successful cyberattacks can cause financial institutions to experience various microprudential risks, namely solvency, liquidity, market, operational, legal, and/or reputational risks. When an individual bank incurs significant monetary losses, or loses access to the payments system in which interbank transactions take place, due to a cyberattack, its capital buffers can be drawn down and it could face possible technical defaults from an inability to receive and make payments.
A bank can experience a deposit run and a liquidity shortage if a cyberattack undermines customers’ and counterparties’ confidence in the institution.
A cyberattack on critical financial market infrastructure, or corruption of time-sensitive market data can potentially cause financial institutions to suffer market losses due to adverse market movements or erroneous trading decisions.
Lastly, legal and reputational risks associated with successful cyberattacks could also lead to a further erosion of confidence and create knock-on impacts on a financial institution’s solvency and liquidity positions. These cyber events could also accentuate existing vulnerabilities in the banking system.
The microprudential implications of cyber events for insurers differ slightly from those for banks. Other than the risks posed by direct cyberattacks on themselves, insurers are exposed to underwriting losses arising from the provision of affirmative or non-affirmative (silent) cyber insurance coverage for clients.
While affirmative cyber insurance explicitly covers losses arising from cyberattack events, non-affirmative (silent) cyber coverage refers to insurance policies that provide implicit, unintended coverage. For example, a cyberattack can cause the malfunction of cooling systems, resulting in hardware overheating and a fire that can be claimed under a fire insurance policy; such policies provide non-affirmative (silent) cyber insurance coverage.
Claims arising from these exposures, if significant, can impair the solvency and liquidity positions of insurance companies.
Beyond posing microprudential risks for individual entities, cyber events can also propagate these risks through the entire financial system and cause systemic risks through three broad transmission channels, namely risk concentration, risk contagion, and erosion of confidence:
- Risk concentration: a cyberattack on a key financial market infrastructure, third-party service provider, or a systemically important financial institution could mean a loss of services that cannot be easily and promptly substituted.
- Risk contagion: a cyberattack on a financial institution could lead to difficulties that spill over to other financial institutions, given the highly interconnected nature of the financial system.
- Erosion of confidence: a widespread attack could trigger an erosion of confidence across several financial institutions or the financial system.
The financial-cyber network map is a recent idea that has yet to be applied in practice. When such data become available, specialised contagion risk models may need to be developed to analyse such data. For example, contagion could be modelled over a two-layer network, where one layer represents the financial links, and the other layer represents the ICT links. Similarly, concentration analysis for outsourcing arrangements has been described here. In applications, such analysis needs to distinguish between concentration risk, and the desirable concentration that arises when many financial institutions use the same reputable third-party providers.
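As an added illustration of the two-layer contagion idea and the risk-concentration channel described above (this is not code from the MAS paper or from the article), the following Python toy model uses constructed institution, provider and exposure names; the distress-threshold rule and the synchronous-round propagation are modelling assumptions.

```python
from collections import Counter

# Constructed toy data (not from the MAS paper): five institutions, two providers.
# ICT layer: institution -> third-party providers it depends on for critical services.
ICT_LINKS = {
    "BankA": {"CloudX"}, "BankB": {"CloudX"}, "BankE": {"CloudX"},
    "BankC": {"CloudY"}, "InsurerD": {"CloudY"},
}
# Financial layer: institution -> counterparties it holds significant exposures to.
FIN_LINKS = {
    "BankA": set(), "BankB": set(), "BankE": {"BankC"},
    "BankC": {"BankA", "BankB"}, "InsurerD": {"BankC"},
}


def provider_concentration(ict_links):
    """Risk-concentration indicator: share of institutions relying on each provider."""
    counts = Counter(p for providers in ict_links.values() for p in providers)
    n = len(ict_links)
    return {p: round(c / n, 2) for p, c in counts.items()}


def cascade(failed_provider, ict_links, fin_links, threshold=0.5):
    """Simulate contagion from a provider outage across both layers (assumed rules).
    Round 1: every institution dependent on the failed provider is distressed (ICT layer).
    Later rounds: an institution becomes distressed when at least `threshold` of its
    financial counterparties were distressed at the start of the round (financial layer).
    Returns {institution: round in which it became distressed}."""
    distressed = {i: 1 for i, provs in ict_links.items() if failed_provider in provs}
    rnd = 1
    while True:
        rnd += 1
        newly = []
        for inst, counterparties in fin_links.items():
            if inst in distressed or not counterparties:
                continue
            hit = sum(1 for c in counterparties if c in distressed)
            if hit / len(counterparties) >= threshold:
                newly.append(inst)
        if not newly:
            return distressed
        for inst in newly:
            distressed[inst] = rnd


if __name__ == "__main__":
    print(provider_concentration(ICT_LINKS))
    print(cascade("CloudX", ICT_LINKS, FIN_LINKS))
```

An outage at the provider with the larger dependency share (CloudX) reaches every institution in three rounds, whereas a CloudY outage stops after two; the same kind of indicator is what a financial-cyber network map would let a supervisor compute on real outsourcing data.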
Cyber risk poses a growing threat to financial stability, and public agencies will need to do more to better understand and assess its financial stability implications. This paper helps in this task by presenting data sources and methods for analysing cyber risk.
These include key indicators that can be collected and tracked through time, event studies, value-at-risk, custom surveys, structured presentation via a cyber-RAM and financial-cyber network maps. These analytical approaches are illustrated with applications to Singapore, and the appendix provides examples of templates for data collection.
Even in the absence of cyber event data, this paper argues that models estimated in other contexts can be applied regularly in a given jurisdiction. The quantitative results of the Singapore analyses, and descriptions of the public and private sector cybersecurity initiatives there, should provide a reference for surveillance work.