Journal of Operational Risk
ISSN: 1744-6740 (print), 1755-2710 (online)
Editor-in-chief: Marcelo Cruz
Cyber risk definition and classification for financial risk management
Filippo Curti, Jeffrey Gerlach, Sophia Kazinnik, Michael Lee and Atanas Mihov
Need to know
- Cyber risk is a critical emerging risk to the financial industry that poses a significant threat to financial stability.
- The lack of proper data on cyber risk losses impedes efforts to effectively measure and manage this risk.
- The paper proposes a cyber risk definition and classification scheme for risk management purposes that financial institutions can use as a data collection template.
- The proposed scheme ensures that adopting institutions are utilizing common language, allowing for consistent data collection and sharing, and maps existing cybersecurity events into the scheme.
Abstract
Cyber risk is undeniably one of the most critical emerging risks to the financial industry. However, even though cyber risk is recognized as a significant threat to financial institutions and, more generally, to financial stability, the lack of proper data on cyber risk losses impedes efforts to effectively measure and manage this risk. This paper aims to address this gap by providing a cyber risk definition and classification scheme for risk management purposes, to be used as a data collection template for financial institutions. As such, the proposed scheme would ensure that the adopting institutions utilize common language and would allow consistent data collection and sharing. We provide a deeper dive into the reasoning behind the variables we propose to collect and demonstrate how some of the existing cyber security events map into our proposed scheme.
1 Introduction
Cyber attacks are on the rise, becoming more widespread and sophisticated, and posing a significant threat to the financial system (see, for example, Eisenbach et al 2021). In fact, cyber attacks on traditional financial institutions and cryptocurrency exchanges alike are estimated to have resulted in the theft of billions of US dollars. The hacks of major financial firms, consumer credit reporting agencies, retailers and government agencies have compromised the personal information of hundreds of millions of individuals. Data breaches of third-party service providers put the intellectual property and confidential information of their serviced financial firms at major risk. Ransomware attacks have infected hundreds of thousands of computer systems globally.
A number of factors contribute to cyber risk at financial institutions, including: an increasing trend in globalization; the use and early adoption of quickly evolving technologies; significant dependencies and interconnections within both the financial system and information technology (IT) infrastructures; the growing sophistication of cyber criminals; and the intrinsic nature of financial institutions’ business and services.[1] Awareness of the risks associated with cyber incidents has compelled supervisors and regulators across the world to take steps toward mitigating cyber risk at financial institutions, including enhancing resiliency capabilities and implementing plans for an effective response to, and recovery from, cyber attacks.
[1] See Healey et al (2021) and Crosignani et al (2021) for a deeper dive into these factors.
Unsurprisingly, empirical research on cyber risk and cyber risk losses is on the rise. A number of research papers look into the characteristics and impact of cyber risk incidents. For example, Aldasoro et al (2020) study the characteristics of cyber incidents. Makridis and Dean (2018), Bianchi and Tosun (2019) and Kamiya et al (2021) study the short- and long-term impacts of cyber-related events on company fundamentals. Hilary et al (2016) and Amir et al (2018) examine the disclosure of cyber-related events by firms.
However, the existing research on cyber risk is based on publicly available data. Such data only includes information that firms are willing to share or have no choice but to share. De Fontnouvelle et al (2006) argue that operational risk data based on publicly available information will likely suffer from sample-selection bias. Cyber risk data, by its very nature, is also subject to this critique. And so, based on the data we currently have, we cannot fully know the amount of losses the financial industry has suffered due to cyber risk events.
Currently, cyber risk losses cannot be properly viewed from a system-wide perspective by regulators and supervisors. This is impeding efforts to effectively measure and manage such risk, diminishing institutions’ individual and collective readiness to handle system-level cyber threats.
As a first step toward addressing this, we provide a cyber risk definition and classification scheme for risk management purposes. As such, the scheme would ensure that the adopting institutions utilize common language and would allow consistent data collection and sharing, much like the Federal Reserve’s FR Y-14Q data collection.[2][3] This work can additionally support the application of modeling frameworks such as Factor Analysis of Information Risk (FAIR) to quantify and measure risk in the financial sector. The definition and classification scheme provided in this paper is intended to standardize, not necessarily replace, current bank practices. It is also important to note that, while our framework incorporates certain elements related to IT, our main focus is on the financial risk management aspects of cyber risk.
[2] Data on cyber losses in the financial industry are not currently captured in a consistent and comprehensive way. The available data products are largely based on publicly available information. Vendors include CyberDB (URL: https://cyberdb.co/), the Operational Riskdata eXchange Association (ORX) (URL: https://managingrisktogether.orx.org/), Advisen (URL: https://advisenltd.com/) and Verisk (URL: https://verisk.com/).
[3] The Federal Reserve System or other regulatory agencies might be particularly well positioned to facilitate and coordinate data collection efforts due to their secure information technology and data warehouse infrastructures, commitment to information and data confidentiality, and nonprofit business orientation. Similarly to how data on operational risk is currently collected, loss data stemming from cyber risk could be additionally analyzed and used by the Federal Reserve or other regulatory agencies to provide horizontal perspectives on cyber risk management and mitigation for the benefit of participating financial institutions.
In this paper we view cyber risk as a subset of operational risk. Basel Committee on Banking Supervision (2006) defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Prior to the implementation of the supervisory data collection on operational losses, the management and quantification of operational risk had been impeded by a lack of internal or external data.
Today, data on operational risk losses is submitted by large financial institutions pursuant to the Wall Street Reform and Consumer Protection Act (Dodd–Frank Act), with data collection following the reporting requirements of the FR Y-14Q form. FR Y-14Q contains granular data on the various asset classes and pre-provision net revenue (PPNR) of bank holding companies (BHCs) for the reporting period. The Federal Reserve System collects this data for stress testing purposes under the Comprehensive Capital Analysis and Review (CCAR) program.
The adoption of the Basel Committee on Banking Supervision (BCBS) standards and subsequent implementation of FR Y-14Q has helped to enhance the consistency of data collection both within and between banking organizations. It made it possible for banks to compare their loss experience across business lines, and for supervisors to compare loss experience across banks. It also advanced the field of operational risk research, much of which has direct practical risk management and supervision policy implications.
Thanks to the implementation of supervisory data collection, we now have a much better understanding of the nature of operational risk, such as its determinants and consequences. For example, Curti et al (2016) outline a set of principles for using benchmarks in application to operational risk models. Abdymomunov and Mihov (2019) focus on the effects of board composition and risk management quality on operational risk. Abdymomunov et al (2020), Curti et al (2022a,b) and Frame et al (2020) study the effects on BHC operational losses of BHCs’ risk management quality, size, growth and workforce policies as well as the macroeconomic environment. Curti and Mihov (2018) specifically dissect fraud, a sub-component of operational risk, at large US banking organizations. In addition to documenting various determinants on BHC fraud losses and loss recoveries, Curti and Mihov (2018) study the effects of fraud on bank credit intermediation. Chernobai et al (2021) show that bank expansions into nonbanking activities result in more operational risk and argue this is due to increased bank complexity. Berger et al (2022) study the US systemic risk implications of operational losses at large BHCs. Finally, Frame et al (2022) focus on operational loss recoveries and document their procyclical nature.
We argue that, much like those of operational risk, cyber risk data sets based on publicly available information are likely to omit substantial losses, leading to sample-selection bias. We thus construct our data collection scheme with this in mind and follow the same principles as the existing FR Y-14Q data collection, which is in turn based on the Basel II requirements.
2 Cyber risk definition and classification
The aim of this paper is to formalize a cyber risk definition and classification scheme to support the work of regulatory agencies and private sector participants, and to facilitate cyber risk management in the financial sector. A cyber risk definition and classification scheme could be useful to support work in the following areas.
2.1 Cross-sector shared recognition and identification of relevant cyber risks
A common definition and classification would foster a common understanding of cyber risks and their underlying triggers. In addition, a common set of definitions and shared understanding across the financial sector, including among authorities and private participants, could further facilitate information sharing and appropriate cooperation in cyber risk management.
2.2 Data collection and information sharing
A definition and classification scheme that supports a common understanding across the financial sector can help advance the data collection and information sharing that is critical to enhancing the collective knowledge of cyber risk by offering a coherent framework for creating and managing data and enabling the systematic and compatible aggregation of information.
2.3 Assessment and monitoring of financial stability risks
As regulatory and supervisory agencies assess and monitor financial stability risks associated with cyber incidents, this work could be supported by a common definition and classification of cyber risks. For instance, as part of their assessment of vulnerabilities in the US financial system, regulatory and supervisory agencies consider the potential for operational risks (including cyber risks) to result in shocks that could be transmitted across the financial system.
2.4 Regulatory guidance related to cyber risk management
A common cyber risk classification could enhance the work of regulatory and supervisory agencies in providing guidance related to cyber security and cyber resilience, including identifying effective practices and/or emerging threats. For example, utilizing common language could help foster effective regulatory approaches while reducing the risk of duplicative or potentially conflicting regulatory and supervisory requirements.
3 Cyber risk definition
Definitions related to cyber risk exist in different contexts. In this paper, we treat cyber risk as a form of operational risk. Specifically, we define cyber risk as the risk of loss resulting from digital incidents caused by internal, external or third parties, including theft, compromised integrity and/or damage to information and/or technology assets, internal and external fraud and business disruption. Notably, this definition is largely consistent with known concurrent private sector efforts to define cyber risk. For example, the ORX’s Cyber and Information Security Risk initiative defines cyber risk as the risk of loss (both financial and nonfinancial) arising from digital events caused by external or internal actors or third parties (see Carrivick et al 2020).[4]
[4] Additional information is available from the Operational Riskdata eXchange Association. URL: https://managingrisktogether.orx.org/research/cyber-and-information-security-risk-definitions.
To expand our definition of cyber risk further, we build upon the definition derived from the Financial Stability Board’s Cyber Lexicon.[5] The goal of this initiative was to develop and propose common definitions of a core set of terms relevant to financial sector participants in both the public and private sectors. This widely used list of terms that are relevant to cyber risk in the financial sector has its roots in the NIST definition framework (National Institute of Standards and Technology 2013). The Cyber Lexicon was specifically created to address financial sector cyber resilience and is consistent with most current industry practices.
[5] The FSB published the Cyber Lexicon in 2018, as a limited scope lexicon that comprises approximately 50 core terms related to cyber security and cyber resilience in the financial sector (Financial Stability Board 2018).
In this paper, we define a cyber event as an observable occurrence in an information system that
- (a) jeopardizes the cyber security of the information system or the information the system processes, stores or transmits; or
- (b) violates the security policies, security procedures or acceptable use policies of the information system, whether or not the cyber event is a result of malicious activity.[6]
[6] A cyber event is, by its very nature, a detectable occurrence that breaks through at least two layers of internal controls.
We then define a cyber incident as a cyber event that has resulted in a financial loss.
In essence, both of these definitions build upon the cyber incident definition proposed in the FSB’s Cyber Lexicon.[7] However, we assume our cyber event to be based on the FSB’s cyber incident definition and create an additional partition by introducing the financial loss clause to our cyber incident. This is done to refine the mechanism of capturing only the most relevant occurrences related to cyber risk, in terms of both cost and impact.
[7] We do not use the FSB’s cyber event definition, as it would capture too wide an event set. The FSB’s definition of a cyber event is “any observable occurrence in an information system”. Cyber events sometimes provide an indication that a cyber incident is occurring (adapted from the NIST definition of an “event” (Kissel 2013)).
A single cyber incident may have multiple loss impacts. For example, a single cyber attack might be associated with the disruption of services at the attacked institution, a data breach and the theft of customer funds.[8] A cyber loss impact is defined as a financial loss (excluding insurance or tax effects) resulting from a cyber incident and includes all expenses associated with a cyber incident, including an indirect cost estimate. This definition of cyber loss impact excludes opportunity costs, forgone revenue and costs related to risk management and control enhancements implemented to prevent future cyber losses.[9] Inherent in this definition are elements of legal risk, including privacy protection risk, as applicable.[10]
[8] In this instance, the cyber loss incident has three separate impacts.
[9] We aim to capture these indirect costs separately.
[10] Legal risk includes, but is not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions as well as private settlements.
4 Cyber loss classification
4.1 Classification principles
When creating a cyber loss impact classification scheme, an important underlying principle is to categorize aggregate loss impacts that are relatively similar in nature and contain similar drivers in order to facilitate actionable steps from a risk management perspective. Specifically,
- (a) a cyber loss impact should be uniquely identified as belonging to a particular classification category,
- (b) a particular cyber loss classification category should cover impacts with similar underlying drivers.
If a single cyber incident has multiple loss impacts, each loss impact could plausibly be assigned to a different classification category. In cases of incidents with multiple loss impacts, there should be a common identifier at the incident level (eg, a unique reference number) to link these individual records to the same underlying incident.
4.2 Classification
Table 1 (a) Intentional

| Incident consequence | External party | Non-external party | Basel category | Incident cause |
| --- | --- | --- | --- | --- |
| BDSEF | An intentional business disruption at a third-party provider causes disruption to the firm | An intentional act causes business disruption at the firm | ET6 | CA01–99 |
| BDSEF | Human error leads to an intentional business disruption at a third-party/external provider | An internal human error leads to an intentional business disruption at the firm | ET7 | CA01–99 |
| Data breach: PII | An employee of a third-party provider uses their physical access to steal PII-classified data from the firm | An employee of the firm uses their physical access to steal PII-classified data from the firm | ET1 | CA01–99 |
| Data breach: PII | An external party gains physical access under the control of a third-party provider to steal PII data from the firm | An external party gains physical access that enables them to steal PII data directly from the firm | ET2 | CA01–99 |
| Theft or loss of non-PII information | An employee of a third-party provider steals non-PII data from the firm via remote access | An employee of the firm steals non-PII data from the firm via remote access | ET1 | CA01–99 |
| Theft or loss of non-PII information | An external party steals non-PII firm data from a third-party provider with remote access | An external party steals non-PII firm data from the firm via remote access | ET2 | CA01–99 |
| Theft of funds | An employee of a third-party provider uses their access to steal money from the firm or its customers | An employee of the firm uses their access to steal money from the firm or its customers | ET1 | CA01–99 |
| Theft of funds | An external party defrauds a third party resulting in monetary loss to the firm or the firm’s customers | An external party defrauds the firm, resulting in a monetary loss to the firm or the firm’s customers | ET2 | CA01–99 |

Table 1 (b) Unintentional

| Incident consequence | Third party | Non-third party | Basel category |
| --- | --- | --- | --- |
| BDSEF | An unintentional business disruption at a third-party provider causes disruption to the firm | A software or hardware failure at the firm causes business disruption | ET6 |
| Data breach: PII | A human error allows for unintentional business disruption at a third-party provider, exposing PII data | A human error allows for unintentional business disruption at the firm, exposing PII data | ET7 |
| Theft or loss of non-PII information | A third-party provider loses non-PII firm data as a result of a hardware or software failure | The firm loses non-PII data as a result of a hardware or software failure | ET6 |
| Theft or loss of non-PII information | A third-party provider loses non-PII firm data as a result of a faulty process or human error | The firm loses non-PII firm data as a result of a faulty process or human error | ET7 |
In line with the above reasoning, we organize our proposed cyber risk classification around six main concepts (the classification scheme is summarized in Table 1).
- (a) Intent: an indicator for whether the cyber incident was deliberate or accidental.
  - Intentional: when the cyber incident is malicious/intentional.
  - Unintentional: when the cyber incident is not intentional.
- (b) Cyber incident consequence: the consequence of a cyber incident.
  - Business disruption, system and execution failure (BDSEF) (CN01): any type of internal or external incident that disrupts the business or causes a software/hardware/IT failure where there was no initial data, technological or monetary loss.
  - Data breach (CN02): any type of data loss or exposure involving personally identifiable information (PII).[11]
  - Theft or loss of non-PII information (CN03): any type of theft or loss of technology, intellectual property, business proprietary information or any other information that is not PII.
  - Theft of funds (CN04): any type of incident that led to an immediate and direct loss of funds and was carried out via a digital channel.
- (c) Origin: an indicator for whether the cyber incident originated at the institution or at an external entity.
  - External party: when the cyber incident initiated at a third party/vendor or any other external entity.
  - Non-external party: when the cyber incident initiated at the institution or its subsidiary.
- (d) Basel event-type category: the BCBS event category assigned to the cyber incident.[12]
  - Internal fraud (ET1): losses due to acts of a type intended to defraud, misappropriate property, circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party.
  - External fraud (ET2): losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.
  - Employment practices and workplace safety (ET3): losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims or from diversity/discrimination events.
  - Clients, products and business practices (ET4): losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product.
  - Damage to physical assets (ET5): losses arising from loss or damage to physical assets from a natural disaster or other events.
  - Business disruption and system failures (ET6): losses arising from disruption of business or system failures.
  - Execution, delivery and process management (ET7): losses from failed transaction processing or process management, or from relations with trade counterparties and vendors.
- (e) Cyber incident cause: the method through which a malicious cyber attack is carried out.[13]
  - Denial-of-service (CA01): a denial-of-service (DoS) attack floods systems, servers or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. A distributed denial-of-service (DDoS) occurs when attackers use multiple compromised devices to perform the attack.
  - Man-in-the-middle (CA02): a man-in-the-middle (MitM) attack, also known as an eavesdropping attack, occurs when attackers insert themselves into a two-party transaction. Once the attackers have interrupted the traffic, they can filter and steal data.
  - Phishing (CA03): the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data such as credit card and login information or to install malware on the victim’s machine.
  - Drive-by attack (CA04): in a drive-by download attack, hackers look for insecure websites and plant a malicious script into hypertext transfer protocol (HTTP) or hypertext preprocessor (PHP) code on one of the pages. This script might install malware directly onto the computer of someone who visits the site, or it might redirect the victim to a site controlled by the hackers. The “watering hole” is the most common strategy to execute this type of attack.[14]
  - Password attack (CA05): a password attack happens when an unauthorized party obtains access to a person’s password by looking around the person’s desk, by “sniffing” the connection to the network to acquire unencrypted passwords, by using social engineering, by gaining access to a password database or by outright guessing (brute force or dictionary attack).
  - SQL injection (CA06): a structured query language (SQL) injection occurs when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not.
  - Cross-site scripting (CA07): cross-site scripting (XSS) attacks use third-party web resources to run scripts in the victim’s web browser or scriptable application.
  - Birthday attack (CA08): birthday attacks are made against secure hash algorithms that are used to verify the integrity of a message, software or digital signature.[15]
  - Malware (CA09): software designed with malicious intent that contains features or capabilities which can potentially cause harm (directly or indirectly) to entities or their information systems.
  - Pharming (CA10): pharming uses malicious code executed on the user’s device to redirect to an attacker-controlled website with the aim of extracting confidential user information.
  - Other (CA99): any other type of cyber attack that is not defined above. This category would serve as a “catch all” category for cyber attacks with a known type but that are not captured by another existing category.
  - Unknown (CA00): when the type of cyber attack is unknown to the institution.
- (f) Asset exploited.
  - Network (AE01): an incident involving a network or server and/or switches, routers, cables and other devices in the server room.
  - Hardware (AE02): an incident involving hardware, such as a point-of-sale, personal computer/laptop, automated teller machine, etc.
  - Media/data (AE03): an incident involving either physical documentation containing classified information or data or data-related vulnerabilities.
  - People/processes (AE04): an incident involving direct user privileges, assistance from people or processes/procedures involving people.
  - Application/software (AE05): an incident involving software or application-related vulnerabilities.
  - External provider (AE06): an incident involving the cloud or cloud-related assets.
  - Other (AE98): an incident involving other assets that do not fit into any of the above categories.
  - Not applicable (AE00): the asset exploited is not applicable.
[11] PII here is defined as any information about an individual that can be used to distinguish or trace an individual’s identity and any other information that is linked or linkable to an individual (Ogata et al 2019, p. 42; McCallister et al 2010).
[12] As previously discussed, cyber risk is considered a form of operational risk. In this regard, the Basel event-type categorization is important from a consistency perspective of how to map cyber risk to the broader concept of operational risk. The Basel event-type categorization also provides additional granularity to meaningfully differentiate cyber loss events already classified according to other classification concepts.
[13] This list is nonexhaustive and is expected to be expanded on an ongoing basis.
[14] A “watering hole” attack targets a victim that belongs to a particular group (organization, industry or region). The strategy of the attacker is to guess or observe which websites the group often uses and to infect one or more of them with malware.
[15] This is a brute-force type of attack, the success of which largely depends on the greater likelihood of collisions found between random attack attempts and a fixed degree of permutations, as described in the well-known “birthday problem”.
We provide more examples in Section 6, illustrating the proposed classification scheme through real-life examples of cyber incidents.
Lastly, it is important to emphasize that the proposed classification scheme is expected to evolve and to be periodically updated as new technologies, their applications in banking and finance and associated cyber threats continue to develop and emerge.
5 Data collection variables
Our data collection proposal to gather the appropriate information needed to study cyber-related losses is described in this section. We have settled on the proposed number of variables after receiving extensive feedback from industry participants and consortiums. The decision to have two schedules was made after several rounds of discussions with industry participants.
While larger banks might be able to afford to collect all cyber incidents, for smaller banks collecting this type of detailed data might be prohibitively costly. Our proposal would be for smaller banks to report using the aggregate level schedule. While we acknowledge that the data collection schedule is not all encompassing, we attempt to take into account the costs and benefits for potential industry participants.
The two proposed schedules in our data collection schedule are as follows.
- (1)
A detailed “loss incident” schedule: this would track cyber risk incidents from which financial losses were realized and would be particularly useful for financial loss modeling. We discuss the variables that compose this schedule in this section.
- (2)
An aggregated monthly schedule: this would track both the cyber attacks that resulted in financial losses (incidents) and those that did not result in financial losses (events) at a monthly frequency. Such a schedule would be particularly useful for tracking cyber risk trends in addition to financial loss modeling.
Next, we discuss the variables proposed for collection in both the incident and aggregate levels. Our schedule is dynamic in nature (ie, constructed in such a way that we will be able to expand it on a continuous basis). Largely, our list is consistent with the ORX cyber and information security risk data collection schedule (Carrivick et al 2020). However, there are several variables that are absent from the ORX data collection schedule and present in ours. These differences stem largely from certain aspects of how both frameworks are structured. In the list below, we explain why we include each of the variables in our proposed data collection.
5.1 Loss incident level variables
Chronological order identification (ID) number.
For incidents with multiple impacts, this variable represents the cardinal order reflecting the chronology of the different impacts. Capturing this variable would allow researchers to identify which attack type (if there were multiple) was first.
Occurrence date.
This variable captures the date on which the cyber loss incident occurred or began. Capturing this variable would allow researchers to investigate the determinants of cyber losses through a time series analysis.
Discovery date.
This variable captures the date on which the cyber loss incident was first discovered by the institution. The loss incident’s discovery date must not be earlier than its occurrence date. This variable would allow researchers to estimate how long each event went undiscovered (time to discovery) and gain a deeper understanding into which cyber losses go undiscovered for longer.
Remediation date.
This variable captures the date on which the cyber loss incident was fully remediated by the institution. The loss incident’s remediation date must not be earlier than its occurrence and discovery dates. This variable would allow researchers to estimate the amount of time it takes to remediate each type of cyber loss (time to remediation).
Accounting date.
This variable captures the date on which the financial impact, including the remediation cost, of the cyber loss incident was first recorded on the institution’s financial statements. The accounting date must be consistent with, and no later than, the date on which a legal reserve is established. Generally, the loss incident’s accounting date should not be earlier than its occurrence date or discovery date; however, there are cases where the accounting date can accurately be reflected prior to the discovery date. Capturing this variable would allow researchers to better understand the financial impact of the cyber loss incident from an accounting perspective.
Gross loss amount (US dollars).
This variable captures the total financial impact of the cyber loss incident before any recoveries and excluding insurance and/or tax effects. Capturing this figure would allow researchers to directly estimate the total financial impact of the cyber loss incident. The gross loss amount would include all expenses associated with a cyber loss incident (except for opportunity costs, forgone revenue, provisions and provision write-backs, and costs related to risk management and control enhancements implemented to prevent future cyber losses). In addition, the following types of incidents would not be included in the gross loss amount or the institution’s completed schedule.
- Near misses: cyber risk incidents that do not result in an actual financial loss or gain to the institution.
- Timing incidents: cyber risk incidents that cause a temporary distortion of the institution’s financial statements in a particular financial reporting period but that can be fully corrected when later discovered (eg, revenue overstatement, accounting and mark-to-market errors).
- Forgone revenues/opportunity costs: the potential future revenues forfeited or unable to be collected due to cyber risk related failures.
- Gains: situations where a cyber risk results in a financial gain for the institution.
Remediation cost (US dollars).
This variable captures the direct remediation cost of the cyber loss incident before any recoveries and excluding insurance and/or tax effects. Capturing this variable would allow researchers to study which types of cyber loss incidents are more costly than others in terms of remediation costs. The remediation cost would be included in the gross loss amount and represents all the expenses the institution bears to fully remediate the cyber incident.
Indirect cost (US dollars).
This variable captures the indirect costs of the cyber loss incident. The indirect cost would include expenses related to forgone revenues and/or opportunity costs.16 It is important to capture this variable, even as an approximation, because indirect costs can sometimes be as substantial as direct costs, if not more so.
16 Here, we define forgone revenues and opportunity costs as the forfeit of potential future revenues or the inability to collect potential future revenues due to failures related to cyber risk.
Recovery amount (US dollars).
This variable captures the recovery amount following a cyber-related incident. Capturing this variable would allow researchers to discover which cyber loss events are more challenging in terms of the recovery of funds. We define recovery as an independent occurrence related to the cyber loss incident, separate in time, in which funds or outflows of economic benefits are received from a third party, excluding funds received from insurance providers.
Insurance recovery (US dollars).
This variable captures funds recouped as a result of existing insurance coverage as related to the cyber risk incident. Capturing this variable would allow researchers to learn more about which factors explain how insured amounts are recovered.
Cyber incident consequence category.
All loss incidents reported by the institution would be mapped to one of four “cyber incident consequence” categories, which are described in detail in Section 4.2(a). Capturing this variable would allow researchers to distinguish between different types of cyber incidents.
Asset exploited.
This variable captures the category of the tangible or intangible asset through which an incident was carried out.17 Capturing this variable would allow researchers to learn more about specific vulnerabilities that allow attacks to take place.
17 Specifically, the categories for the asset exploited are: network; hardware; media/data; people/processes; application/software; external provider; other; and not applicable. Detailed definitions are provided in Section 4.2(f).
Cyber incident cause category.
All loss incidents reported by the institution would be mapped to one of the twelve “cyber incident cause” categories. These categories are described in detail in Section 4.2(b). Capturing this variable would allow researchers to learn more about the specific causes of each cyber incident.
Intent indicator (intentional versus unintentional).
This variable captures the presence or absence of intent in each incident. Unlike many other cyber data collections, we include unintentional incidents. When it comes to cyber risk, there are many events that start out unintentionally but lead to severe circumstances.18 Capturing these events would allow researchers to differentiate between intentional and unintentional incidents and gain a deeper understanding of the underlying risk drivers for both of these categories.
18 For example, according to the UK Information Commissioner’s Office, human error was the cause of approximately 90% of data breaches in 2019. This was up from 61% and 87% in the previous two years.
External party indicator.
This variable is included to capture whether an incident transpired due to the involvement of a third party or an internal actor. By allowing this differentiation, we can learn more about different risk drivers that lead to cyber incidents for both categories.
Basel event-type category: level 1.
All loss events reported by the institution would be mapped to one of the seven “level 1 event types”. These categories are described in detail in Section 4.2(e). Capturing this variable would allow researchers to map the collected cyber events to the existing Basel operational risk management framework.
Basel business line: level 1.
This variable captures the business line involved, as defined by the Basel operational risk management framework. Capturing this variable would allow researchers to study the underlying risk drivers for each of the business lines.
Acquired or merged entities.
If the loss incident being reported originated from an acquired or merged entity, then this variable would capture the name of the respective acquired or merged entity.19
19 The timeline for exclusion/inclusion of losses from merged or acquired entities is consistent with the BCBS guidelines.
Detailed description of loss incident.
This indicator variable would record whether a detailed description of the loss incident has been filled out by the bank. Capturing this variable would allow researchers to derive more details about each incident, if needed. It would also allow for future enhancement of the data collection framework, as it would provide more insight into which relevant aspects of cyber incidents are not captured by the existing framework.
Detailed description of remediation action.
This indicator variable would record whether a detailed description has been provided of the remediation action taken to address the cyber risk incident (including technical details of information technology fixes).
Threat actor.
This variable captures the type of threat actor (either an entity or a person) that caused or contributed to the event. While we recognize the difficulty of capturing this variable, it would provide an immense amount of insight into the incident: capturing this variable would allow researchers to differentiate between the types of actors and learn more about underlying risk drivers and other relevant characteristics that contribute to each cyber incident.
Primary/secondary control failure.
These variables capture the codes for the primary and secondary controls that were in place to prevent the event from occurring. We propose to use the NIST framework to capture the failed controls, because most banks use the NIST framework as their first choice for control classification: for example, 74% of institutions with an ORX membership rely on the NIST framework to capture failed controls. Capturing this variable would allow researchers to learn more about the main determinants of failure in the prevention of cyber incidents.
Event status.
This is an indicator variable denoting whether all necessary information related to the event is known and has been submitted. Capturing this variable would allow researchers to keep track of current and closed cyber incidents.
For the aggregate schedule, we propose to collect only select variables from the above list that would allow us to capture a picture of cyber loss in the aggregate.20
20 Specifically, we include the following variables in the aggregate schedule: reporting date; incident cause; total number of cyber events; total number of cyber incidents (direct or indirect losses greater than zero); loss amounts (total gross losses; total recovery amount; total defense cost). As the definitions remain the same, we do not include a separate list within the paper.
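To make the schedule's consistency rules concrete (discovery no earlier than occurrence, remediation no earlier than either, remediation cost contained in gross loss, recoveries excluding insurance, near misses counted as events but not as loss incidents), the following added example encodes a subset of the incident-level variables as a record type, validates it, derives time to discovery and time to remediation, and rolls records up into the aggregate totals of footnote 20. This is illustrative code written for this page, not the authors' schedule or any ORX tooling; the field names, the choice to measure time to remediation from the discovery date, and the sample rows (dates and amounts are constructed, not the losses of any real incident) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CyberLossIncident:
    """One row of the incident-level schedule (hypothetical field names)."""
    order_id: int                 # chronological order ID within a multi-impact incident
    occurrence: date
    discovery: date
    remediation: Optional[date]   # None while the event is still open (event status)
    gross_loss_usd: float         # before recoveries; includes the remediation cost
    remediation_cost_usd: float
    indirect_cost_usd: float      # forgone revenue / opportunity cost, approximated
    recovery_usd: float           # third-party recoveries, insurance excluded
    insurance_recovery_usd: float
    intentional: bool
    external_party: bool
    basel_event_type: str         # Basel level-1 event type, eg "ET2"
    cause_category: str           # cyber incident cause category, eg "CA09"


def validate(inc: CyberLossIncident) -> list:
    """Return the schedule rules the record violates (empty list = consistent)."""
    errors = []
    if inc.discovery < inc.occurrence:
        errors.append("discovery date earlier than occurrence date")
    if inc.remediation is not None and inc.remediation < max(inc.occurrence, inc.discovery):
        errors.append("remediation date earlier than occurrence/discovery date")
    amounts = [inc.gross_loss_usd, inc.remediation_cost_usd, inc.indirect_cost_usd,
               inc.recovery_usd, inc.insurance_recovery_usd]
    if any(a < 0 for a in amounts):
        errors.append("negative amount: gains are out of scope of the schedule")
    if inc.remediation_cost_usd > inc.gross_loss_usd:
        errors.append("remediation cost exceeds gross loss but must be part of it")
    if inc.recovery_usd + inc.insurance_recovery_usd > inc.gross_loss_usd:
        errors.append("recoveries exceed gross loss")
    return errors


def is_loss_incident(inc: CyberLossIncident) -> bool:
    """Near misses (no direct or indirect loss) are events, not loss incidents."""
    return inc.gross_loss_usd > 0 or inc.indirect_cost_usd > 0


def time_to_discovery_days(inc: CyberLossIncident) -> int:
    return (inc.discovery - inc.occurrence).days


def time_to_remediation_days(inc: CyberLossIncident) -> Optional[int]:
    # Measured from discovery here (assumption; the paper does not fix the start point).
    return None if inc.remediation is None else (inc.remediation - inc.discovery).days


def net_loss_usd(inc: CyberLossIncident) -> float:
    return inc.gross_loss_usd - inc.recovery_usd - inc.insurance_recovery_usd


def aggregate(events: list, reporting_date: date) -> dict:
    """Roll consistent incident-level rows up into the aggregate schedule's totals."""
    valid = [e for e in events if not validate(e)]
    incidents = [e for e in valid if is_loss_incident(e)]
    by_cause: dict = {}
    for e in incidents:
        by_cause[e.cause_category] = by_cause.get(e.cause_category, 0.0) + e.gross_loss_usd
    return {
        "reporting_date": reporting_date,
        "n_events": len(valid),
        "n_incidents": len(incidents),
        "total_gross_loss_usd": sum(e.gross_loss_usd for e in incidents),
        "total_recovery_usd": sum(e.recovery_usd + e.insurance_recovery_usd for e in incidents),
        "gross_loss_by_cause_usd": by_cause,
    }


# Constructed sample rows; codes follow the Section 6 classifications, amounts are invented.
SAMPLE_EVENTS = [
    CyberLossIncident(1, date(2023, 1, 10), date(2023, 1, 25), date(2023, 3, 1), 1_000_000.0,
                      200_000.0, 50_000.0, 300_000.0, 100_000.0, True, True, "ET2", "CA09"),
    CyberLossIncident(1, date(2023, 2, 3), date(2023, 2, 3), date(2023, 2, 4), 40_000.0,
                      40_000.0, 10_000.0, 0.0, 0.0, True, True, "ET6", "CA01"),
    CyberLossIncident(1, date(2023, 4, 1), date(2023, 4, 2), date(2023, 4, 2), 0.0,
                      0.0, 0.0, 0.0, 0.0, False, False, "ET7", "CA99"),  # near miss
]
# Constructed inconsistent row: discovered before it occurred, so validate() rejects it.
BAD_DATES_EVENT = CyberLossIncident(1, date(2023, 5, 10), date(2023, 5, 5), None, 10.0,
                                    0.0, 0.0, 0.0, 0.0, True, False, "ET1", "CA99")
```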
6 Classification matrix case study
In this section, we discuss several real-life examples of cyber incidents and demonstrate how they would map into our proposed data collection schedule.
6.1 Intentional incidents
6.1.1 An insider infiltrates a firm’s computer system and gains access to confidential (non-PII) data
In February 2018, SunTrust Bank disclosed that a former employee had shared information regarding 1.5 million customers with a criminal third party. According to SunTrust, PII was not exposed, and breached data mostly included the names, telephone numbers, addresses and account balances of the 1.5 million customers. In addition, SunTrust had not detected any unexplained or criminal activities linked to the impacted accounts (Hufford and Rexrode 2018).
Classification: intentional/theft or loss of non-PII information/non-external party/ET1/CA99.
6.1.2 Criminals use malware to gain access to firm accounts and transfer funds
In February 2016, a team of hackers compromised the software the Bangladesh central bank uses to send Swift messages and successfully transferred USD101 million from the bank’s account at the Federal Reserve Bank of New York to a number of bank accounts in the Philippines. In this attack, the hackers initially requested the transfer of USD951 million to their accounts, of which USD850 million was detected, with the transfers flagged as suspicious transactions (Al-Mahmood 2016).
Classification: intentional/theft of funds/external party/ET2/CA09.
6.1.3 A firm is hit by a DDoS attack that disrupts service
In March 2012, a wave of DDoS attacks hit Bank of America, JPMorgan Chase, US Bank, Citigroup, Wells Fargo and PNC Bank. The attack generated more than 60 gigabytes of traffic per second, and this high volume of traffic affected users’ ability to access the website. The Islamist group Izz ad-Din al-Qassam Cyber Fighters publicly claimed responsibility for the attacks in what it called “Operation Ababil” (Francis 2012).
Classification: intentional/BDSEF/external party/ET6/CA01.
6.2 Unintentional incidents
6.2.1 Human error at a third-party provider exposes PII data
Morgan Stanley failed to protect the PII of 15 million people, according to the US Securities and Exchange Commission (SEC). The bank hired a moving and storage company with no experience in data destruction to decommission thousands of hard drives and servers. It failed to monitor this company’s work over the course of the five years from 2015. The moving company sold the devices to a third party, which auctioned them online with some unencrypted data intact. Morgan Stanley recovered some of the devices, but not all (Saulsbery 2022).
Classification: unintentional/data breach: PII/non-external party/ET7/CA0.
7 Conclusion
How large are the losses of US banks due to cyber risk? This question remains open. This paper was, in part, motivated by the sense of urgency that this unanswered question poses. Owing to the recent alarming developments in the realm of cyber space, the ability to define, classify and measure cyber risk for financial institutions is urgent. We propose a data collection framework, with the aim of greater understanding and monitoring of the cyber risk that US banking institutions currently face.
Even though cyber risk is on the rise, the quantification and analysis of cyber risk has not yet matured to the point where it can be consistently measured and managed against corporate risk appetites. This impedes efforts to effectively measure and manage such risk, diminishing institutions’ individual and collective readiness to handle system-level cyber threats. This paper provides a preliminary definition and classification of cyber risk for risk management purposes in order to fill this gap.
Declaration of interest
The authors report no conflicts of interest. The authors alone are responsible for the content and writing of the paper. The views expressed in this paper are solely those of the authors and do not necessarily reflect the views of the Federal Reserve Bank of Richmond, the Federal Reserve Bank of New York or the Federal Reserve System.
Acknowledgements
We thank Tom Barkin, Steve Bishop, Luke Carrivick, Jill Cetina, Nida Davis, Michelle Gluck, Greg Gupton, Jason Healey, Nika Lazaryan, Marco Migueis, Keith Morales, Patricia Mosser, Hema Parekh, Will Robinson, Stacey Schreft, David Stabenaw and Todd Waszkelewicz for helpful comments and suggestions. We thank Sonia Karami, Cooper Killen, Laurel Mazur and James Schulte for excellent research assistance.
References
- Abdymomunov, A., and Mihov, A. (2019). Operational risk and risk management quality: evidence from US bank holding companies. Journal of Financial Services Research 56(1), 73–93 (https://doi.org/10.1007/s10693-017-0284-3).
- Abdymomunov, A., Curti, F., and Mihov, A. (2020). US banking sector operational losses and the macroeconomic environment. Journal of Money, Credit and Banking 52(1), 115–144 (https://doi.org/10.1111/jmcb.12661).
- Aldasoro, I., Gambacorta, L., Giudici, P., and Leach, T. (2020). Operational and cyber risks in the financial sector. Working Paper 840, Bank for International Settlements, Basel. URL: http://www.bis.org/publ/work840.pdf.
- Al-Mahmood, S. Z. (2016). Hackers lurked in Bangladesh central bank’s servers for weeks. Wall Street Journal, March 22. URL: https://on.wsj.com/42rj666.
- Amir, E., Levi, S., and Livne, T. (2018). Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies 23, 1177–1206 (https://doi.org/10.1007/s11142-018-9452-4).
- Basel Committee on Banking Supervision (2006). International convergence of capital measurement and capital standards: a revised framework. Standards Document, Bank for International Settlements, Basel. URL: http://www.bis.org/publ/bcbs128.pdf.
- Berger, A. N., Curti, F., Mihov, A., and Sedunov, J. (2022). Operational risk is more systemic than you think: evidence from US bank holding companies. Journal of Banking and Finance 143, Paper 106619 (https://doi.org/10.1016/j.jbankfin.2022.106619).
- Bianchi, D., and Tosun, O. K. (2019). Cyber attacks and stock market activity. Working Paper, Social Science Research Network (https://doi.org/10.2139/ssrn.3190454).
- Carrivick, L., Bishop, S., Ivell, T., Wong, V., and Farha, R. (2020). An emergent taxonomy for operational risk: capturing the wisdom of crowds. The Journal of Operational Risk 15(2), 1–26 (https://doi.org/10.21314/JOP.2020.238).
- Chernobai, A., Ozdagli, A., and Wang, J. (2021). Business complexity and risk management: evidence from operational risk events in US bank holding companies. Journal of Monetary Economics 117, 418–440 (https://doi.org/10.1016/j.jmoneco.2020.02.004).
- Crosignani, M., Macchiavelli, M., and Silva, A. F. (2021). Pirates without borders: the propagation of cyber attacks through firms’ supply chains. Staff Report 937. Federal Reserve Bank of New York. URL: http://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr937.pdf.
- Curti, F., and Mihov, A. (2018). Fraud recovery and the quality of country governance. Journal of Banking and Finance 87, 446–461 (https://doi.org/10.1016/j.jbankfin.2017.11.009).
- Curti, F., Ergen, I., Le, M., Migueis, M., and Stewart, R. T. (2016). Benchmarking operational risk models. Finance and Economics Discussion Series, Board of Governors of the Federal Reserve System, Washington, DC (https://doi.org/10.17016/FEDS.2016.070).
- Curti, F., Fauver, L., and Mihov, A. (2022a). Workforce policies and operational risk: evidence from US bank holding companies. Journal of Financial and Quantitative Analysis, forthcoming (https://doi.org/10.1017/S0022109022000989).
- Curti, F., Frame, W. S., and Mihov, A. (2022b). Are the largest banking organizations operationally more risky? Journal of Money, Credit and Banking 54(5), 1223–1259 (https://doi.org/10.1111/jmcb.12933).
- De Fontnouvelle, P., Dejesus-Rueff, V., Jordan, J. S., and Rosengren, E. S. (2006). Capital and risk: new evidence on implications of large operational losses. Journal of Money, Credit and Banking 38(7), 1819–1846 (https://doi.org/10.1353/mcb.2006.0088).
- Eisenbach, T. M., Kovner, A., and Lee, M. J. (2021). Cyber risk and the US financial system: a pre-mortem analysis. Staff Report 909, Federal Reserve Bank of New York (https://doi.org/10.2139/ssrn.3522710).
- Financial Stability Board (2018). Cyber Lexicon. FSB, Basel. URL: http://www.fsb.org/wp-content/uploads/P121118-1.pdf.
- Frame, W. S., McLemore, P., and Mihov, A. (2020). Haste makes waste: banking organization growth and operational risk. Working Paper 2023, Federal Reserve Bank of Dallas (https://doi.org/10.24149/wp2023).
- Frame, W. S., Lazaryan, N., McLemore, P., and Mihov, A. (2022). Operational loss recoveries and the macroeconomic environment: evidence from the US banking sector. Working Paper 2215, Federal Reserve Bank of Dallas (https://doi.org/10.24149/wp2215).
- Francis, E. (2012). Hackers, possibly from Middle East, block US banks’ websites. ABC News, September 27. URL: https://abcn.ws/3nMVTfC.
- Healey, J., Mosser, P., Rosen, K., and Wortman, A. (2021). The ties that bind: a framework to assess the linkage between cyber risks and financial stability. Journal of Financial Transformation 53, 94–107. URL: http://www.capco.com/Capco-Institute/Journal-53-Operational-Resilience/The-Ties-That-Bind.
- Hilary, G., Segal, B., and Zhang, M. H. (2016). Cyber-risk disclosure: who cares? Research Paper 2852519, McDonough School of Business, Georgetown University, Washington, DC (https://doi.org/10.2139/ssrn.2852519).
- Hufford, A., and Rexrode, C. (2018). SunTrust employee may have stolen information about 1.5 million clients. Wall Street Journal, April 20. URL: https://on.wsj.com/2qMY1Dn.
- Kamiya, S., Kang, J. K., Kim, J., Milidonis, A., and Stulz, R. M. (2021). Risk management, firm reputation, and the impact of successful cyber attacks on target firms. Journal of Financial Economics 139(3), 719–749 (https://doi.org/10.1016/j.jfineco.2019.05.019).
- Kissel, R. (ed) (2013). Glossary of key information security terms. Revision 2, May. NIST, Gaithersburg, MD (https://doi.org/10.6028/NIST.IR.7298r2).
- Makridis, C., and Dean, B. (2018). Measuring the economic effects of data breaches on firm outcomes: challenges and opportunities. Journal of Economic and Social Measurement 43(1–2), 59–83 (https://doi.org/10.3233/JEM-180450).
- McCallister, E., Grance, T., and Scarfone, K. (2010). Guide to protecting the confidentiality of personally identifiable information (PII). Special Publication 800-122. NIST, Gaithersburg, MD (https://doi.org/10.6028/NIST.SP.800-122).
- National Institute of Standards and Technology (2013). NIST risk management framework. Special Publication 800-53 (Revision 4). NIST Joint Task Force Transformation Initiative, Gaithersburg, MD (https://doi.org/10.6028/NIST.SP.800-53r4).
- Ogata, M., Franklin, J., Voas, J., Sritapan, V., and Quirolgico, S. (2019). Vetting the security of mobile applications. Special Publication 800-163 (Revision 1). NIST, Gaithersburg, MD (https://doi.org/10.6028/NIST.SP.800-163r1).
- Saulsbery, G. (2022). Morgan Stanley fined $35M by SEC over improper data disposal. Bankingdive.com, September 20. URL: https://bit.ly/3LUXyHY.