SMA, cyber threats and Mifid
The week on Risk.net, June 23–29 2017
SMA alternative not a success
CYBER THREAT AND SMA hot topics at OpRisk conferences
MIFID DISCLOSURE fails to impress buy side
COMMENTARY: Keeping up with cyber
Our Operational Risk conferences in London and New York this month were once again dominated by discussion of cyber risk, still justifying its place as the top operational risk of 2017 (and for that matter 2016). Then, just as the New York conference finished, yet another malware outbreak hit the headlines. The WannaCry ransomware in May affected systems in more than 150 countries, costing billions for victims from Chinese universities to the UK National Health Service.
Hot on the heels of WannaCry comes a successor with disturbing similarities. The latest epidemic is so far centred in Ukraine, though it has spread to major companies abroad such as Maersk Shipping. It appears to be ransomware as well, one of a family of similar programs (including WannaCry and Petya, to which it bears a very close resemblance) based on a collection of exploits hoarded by the US National Security Agency and leaked by an anonymous hacker possibly related to the Russian government. Some experts point out, however, that the authors seem remarkably uninterested in actually collecting the $300 bitcoin ransom demanded from each victim, suggesting it may be a state-sponsored (and possibly Russian) cyberweapon masquerading as ransomware, and should probably in that case be called NotPetya.
I apologise for the complexity of that last sentence, but if your head started to buzz a bit while you were reading it you weren’t the only one. And this really is the core of the problem when it comes to cyber risk.
It’s not just that insurance is proving largely ineffective in the face of the massive and potentially business-ending losses a major cyber attack could cause (though it is). Or that the potential losses are set to rise still further once EU rules on data protection come into force. Or that banks (though overall doing well) are still being worryingly haphazard about installing the kind of patches that protect against attacks such as WannaCry and Petya/NotPetya. Or even that the target recovery time from a cyber attack, according to US regulators, is just two hours.
The real problem, from a risk management point of view, is that the cyber threat is evolving very rapidly. Past experience has only very limited value, either for defence planning or for risk modelling and underwriting, leaving risk managers struggling to deal with ever-increasing volumes of irrelevant information, and modellers without the kind of loss data they need to produce their estimates. Ransomware had virtually died out as a threat due to the difficulty of collecting the ransom payment without being tracked by law enforcement – the growth of bitcoin and other anonymous currencies has solved that problem and brought about an explosion in the ransomware industry, and even the emergence of “ransomware as a service”. The years to come will bring more radically different and unexpected cyber threats. Judging by the recent growth of high-profile incidents, this is a war the aggressors are winning.
STAT OF THE WEEK
A $1 billion interest rate swap with a remaining maturity of seven years would have a potential future exposure (PFE) of $15 million. Adopting the settled-to-market approach for the same swap would cut PFE to $5 million. One bank estimated it could deliver a 25% cut in capital.
QUOTE OF THE WEEK
“The CCAR focus is on saying you have to understand all your material risks. Absolutely you need to understand all of that, but you don’t want to forget about the risks that are currently deemed immaterial. Maybe that immaterial risk is tomorrow’s material risk, or maybe collectively some of your immaterial risks, if they have similar drivers, could become a material risk” – Mike Rachlin, BNY Mellon
Copyright Infopro Digital Limited. All rights reserved.