A. Cyber risk and types of cyber-attacks

Cyber risk can be defined as “operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems” (Cebula and Young (2010)). Compared to risk categories covered by insurance, cyber risk shares characteristics with both property and liability risk, as well as catastrophic and operational risk (Eling and Wirfs (2016)). On the one hand, cyber risk can impact first (the target) and third parties (a counterpart to the target). On the other hand, losses due to cyber risk are frequently small and independent but they could also have a low frequency and a high impact (‘blackout scenario’). Cyber risk can be unrelated to cyber-attacks: for example, software updates or natural disasters can lead to the crystallization of cyber risk through business disruptions without any nefarious intent, as outlined in the definition of cyber incidents (see footnote 2).

Cyber-attacks can impact firms through the three main aspects of information security: confidentiality, integrity and availability. Confidentiality issues arise when private information within a firm is disclosed to third parties as in the case of data breaches. Integrity issues relate to misuse of the systems, as is the case for fraud. ³ Finally, availability issues are linked to business disruptions. The three types of cyber-attacks have different direct impacts on the targets: Business disruptions prevent firms from operating, resulting in loss revenue; fraud leads to direct financial losses; while the effects of data breaches take more time to materialize, through reputational effects as well as litigation costs. More generally, the risk of a loss of confidence following cyber-attacks could be high for the financial sector, given the reliance of financial institutions on the trust of their customers. Regarding the financial system, business disruptions are more likely to have direct short-term contagion effects than fraud or data breach, which tend to impact mainly the targeted firm in the short-term.

B. Which countries are more exposed to cyber risk?

The financial sector is highly exposed to cyber risk, across all types of countries. The International Telecommunication Unit (ITU)— an agency of the United Nations— provides a global cybersecurity index for the world. Their index is based on a range of factors, including legal, technical and organizational arrangements as well as capacity building and cooperation (ITU (2017)). Figure 3 shows the cross-country heterogeneity regarding cybersecurity, with most Advanced Economies and Emerging Markets having a high value of the cybersecurity index (above the median), while middle income and low-income countries tend to have lower values.

View Full Size

Global Cybersecurity Index

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Source: ITU (2017).

• Download Figure
• Download figure as PowerPoint slide

Since there is no quantitative measure of cyber risk by country for the financial sector, we build an indirect measure using media coverage. An index is computed using the number of articles referring to cyber risk by country, divided by the number of articles referring to risk in the financial sector (Figure 4). As shown in the map, almost all countries are covered. The index is highest in countries that recently suffered from cyber-attacks such as Bangladesh and the Baltic states.

View Full Size

Measure of cyber risk for banks

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Note: Number of articles featuring “cyber-attack” or “hack” or “cyber risk” or “cyber security” and “banks” or “bank” and “risk” divided by the number of articles featuring “banks” or “bank” and “risk” by country. The index is not computed for countries with fewer than 25 articles on cyber risk (light blue). Only articles in English were included. Period range: Jan-2014-Sep. 2017. Sources: Factiva; and author’s calculations.

• Download Figure
• Download figure as PowerPoint slide

Complete data on cyber-attacks is notoriously scarce. Available public and commercial datasets exist but they are incomplete, have different coverage and use different definitions of cyber-attacks, which makes the analysis of cyber losses difficult.⁴ Moreover, data on losses are gathered from different sources and using different methods (actual costs, estimated costs etc.) making their comparability difficult. Among non-public datasets, two main types are available: commercial data and consortium data. Commercial data providers such as SAS or IBM collect data on operational risk events— which includes cyber events based on publicly available information. Niche providers such as Advisen cover 37,000 cyber events. Consortium data is provided by ORX, a consortium of financial institutions that gathers data on operational risk events. ORX members provide anonymized data covering around 600,000 risk events which is available to members only. ORX also provides a dataset based on publicly available data, ORX News, which covers around 6,000 events, including cyber events related to cyber-attacks. Data on losses includes only direct losses— although indirect losses (reputation, business recovery and remediation etc.) account for more than 90 percent of total losses (Deloitte (2016)).

ORX News data on cyber events is the main source used in this paper. The data cover 341 cyber risk events that impacted financial institutions and reported over 2009-2017. Around 1/3 of the events provide loss data which amounts to USD 6.5 billion overall. Based on the limited dataset, advanced economies are the main targets of cyber-attacks but EM and developing economies are also exposed to cyber risk (Figure 5), based on data from ORX News.⁵ AEs account for 80 percent of successful attacks, mainly in the U.S. (39 percent) and UK (7 percent) as shown in Figure 6. Among EMs, the BRICS account for most of the attacks (17 percent), mainly in Russia (6 percent), China (4 percent) and India (3 percent). Overall, financial institutions in more than 50 countries have been victims of cyber-attacks over the last few years according to reports in the public media.

View Full Size

Number of cyber-attacks by country in the ORX database

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Sources: ORX News; www.orx.org.

• Download Figure
• Download figure as PowerPoint slide

View Full Size

Share of cyber-attacks by country

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Sources: ORX News; IMF staff calculations

• Download Figure
• Download figure as PowerPoint slide

Among financial institutions, banks account for the bulk of the attacks (91 percent of the attacks), followed by insurance companies (7 percent). Among banks, retail banking activities (39 percent of the total) and credit cards services (25 percent) were the main business lines targeted.

Direct losses due to cyber-attack are generally unrelated to the size of the financial institution targeted (Figure 7). The largest losses recorded have been concentrated among smaller institutions, possibly due to lower absolute investment in IT security.

View Full Size

No relationship between size and losses due to cyber attacks

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Sources: ORX News, SNL.

• Download Figure
• Download figure as PowerPoint slide

Central banks in AEs and EMs have also been the victims of cyber-attacks. In AEs, attacks were either data breaches (U.S., Italy) or business disruptions (Norway, Sweden), while in EMs, most attacks were related to fraud, resulting in losses of USD 117 million (Table 1).

Table 1:

Recent cyber-attacks on central banks

Source: ORX News

Table 1:

Recent cyber-attacks on central banks

Institution	Year	Type of attack	Details
Federal Reserve Bank of Cleveland	2010	Data breach	Theft of 122,000 credit cards
Federal Reserve Bank of New York	2012	Data breach	Theft of proprietary software code worth USD 9.5 Million
Sveriges Riksbank	2012	Business Disruption	Distributed Denial of Service (DDoS) attack left the website offline for 5 hours
Banco Central del Ecuador	2013	Fraud	USD 13.3 Million stolen from the account of the city of Riobamba at the central bank
Federal Reserve Bank of Saint Louis	2013	Data breach	Publication of credentials of 4,000 US bank executives by Anonymous
Central Bank of Swaziland	2014	Fraud	Theft of USD 688,000
ECB	2014	Data breach	20,000 email addresses and contact information compromised
Norges Bank	2014	Business Disruption	DDoS attack on seven large financial institutions, resulting in suspended services during a day.
Central Bank of Azerbaijan	2015	Data breach	Theft of thousands of bank customers’ information
Bangladesh Bank	2016	Fraud	The SWIFT credentials of the Bangladesh central bank were used to transfer USD 81 Million from its account at the FRBNY. Hackers tried to steal USD 951 Million.
Bank of Russia	2016	Fraud	21 Cyber-attacks aimed at stealing USD 50 Million from correspondent bank accounts at the central bank, resulted in a loss of USD 22 Million.
Bank of Italy	2017	Data Breach	Hack of email accounts of two former executives.

Source: ORX News

View Table

Table 1:

Recent cyber-attacks on central banks

Institution	Year	Type of attack	Details
Federal Reserve Bank of Cleveland	2010	Data breach	Theft of 122,000 credit cards
Federal Reserve Bank of New York	2012	Data breach	Theft of proprietary software code worth USD 9.5 Million
Sveriges Riksbank	2012	Business Disruption	Distributed Denial of Service (DDoS) attack left the website offline for 5 hours
Banco Central del Ecuador	2013	Fraud	USD 13.3 Million stolen from the account of the city of Riobamba at the central bank
Federal Reserve Bank of Saint Louis	2013	Data breach	Publication of credentials of 4,000 US bank executives by Anonymous
Central Bank of Swaziland	2014	Fraud	Theft of USD 688,000
ECB	2014	Data breach	20,000 email addresses and contact information compromised
Norges Bank	2014	Business Disruption	DDoS attack on seven large financial institutions, resulting in suspended services during a day.
Central Bank of Azerbaijan	2015	Data breach	Theft of thousands of bank customers’ information
Bangladesh Bank	2016	Fraud	The SWIFT credentials of the Bangladesh central bank were used to transfer USD 81 Million from its account at the FRBNY. Hackers tried to steal USD 951 Million.
Bank of Russia	2016	Fraud	21 Cyber-attacks aimed at stealing USD 50 Million from correspondent bank accounts at the central bank, resulted in a loss of USD 22 Million.
Bank of Italy	2017	Data Breach	Hack of email accounts of two former executives.

Source: ORX News

Among cyber-attacks, fraud and data breaches are more prevalent, yet business disruption is also significant. In the ORX News dataset, fraud accounts for 43 percent of events, data breaches 34 percent and disruption 23 percent. While business disruptions are known immediately, the other types of cyber-attacks can take place for months or years before being noticed and reported, which could lead to a downward bias in the dataset.

Patterns can be identified for each type of cyber-attacks using text-mining techniques (see Bholat et al. (2015) for an overview) applied to the ORX News dataset, which provides for each case background information in text form. More precisely, correspondence analysis — a statistical technique to provide a graphical representation of the structure of a dataset— is used to identify the words which tend to cluster around the three types of cyber-attacks (Figure 7).⁶ Business disruption is associated with DDoS attacks which typically impact the website of the target— when a very large number of requests are sent to the targeted servers, overloading the system and making it unable to operate. Data breaches are linked with credit card information, and fraud is associated with money transfers, and a loss amount — since around 80 percent of the events with loss data are cyber-related fraud. The word “bank” is in the middle of the chart since banks are the main targets of all three types of attacks. The x-axis can be interpreted as a measure of the informational content regarding losses (with most events in the business disruption category having no loss information), while the y-axis measures whether the impact of the cyber-attack is immediate (business disruption or fraud) or takes more time to materialize, as in the case of data breaches.

A. Why are financial institutions highly exposed to cyber risk?

In information security risk management, risk is defined as a combination of consequences and likelihood (ISO (2011)), where likelihood is a function of threat levels and the ease of exploitation of existing vulnerabilities:

In this context, financial institutions are highly exposed to cyber-risk due to a combination of factors. Kopp et al. (2017) show that threat levels are particularly high for financial institutions due to cybercrime, hacktivism, proxy organizations—sophisticated attackers conducting espionage on behalf of a beneficiary— and surveillance of communication by third parties. Vulnerabilities to cyber incidents (including cyber-attacks) can be considered high because financial institutions are dependent on highly interconnected networks and critical infrastructures. Moreover, many institutions have legacy systems which might not be resilient to cyber-attacks (Friedman (2016)). The increased level of sophistication of cyber criminals, along with the decline in the cost of launching cyber-attacks, make institutions with legacy systems all the more vulnerable. Consequences of cyber-attacks are also high because financial activity is dematerialized and therefore highly dependent on technology.

B. Vulnerabilities in the financial sector

Single Point of Failure and critical infrastructures

Financial institutions are particularly exposed to cyber risk due to their reliance on critical infrastructures and their dependence on highly interconnected networks. Critical financial market infrastructures include payment and settlement systems, trading platforms, central securities depositories, and central counterparties. The critical infrastructures represent a Single Point of Failure and any successful attack could have wide-ranging consequences.⁷

A business disruption of a financial market infrastructure or a set of large financial institutions could have a significant impact due to risk concentration (Kopp et al. (2017)) and the lack of substitutes in the case of Financial Market Infrastructures (FMIs). If a payment and settlement systems goes offline during the day, market participants would be unable to process transactions and therefore be exposed to liquidity and solvency risk. Similarly, if one or several large banks are disrupted and unable to process transactions, their counterparts would be subject to liquidity and solvency risk.

Several papers have already looked at the impact of a disruption of a large market participant on FMIs. For example, Clarke and Hancock (2014) use the Bank of Finland payment simulator to analyze the impact of operational disruptions of the largest fifteen participants on intraday liquidity in the Australian Real Time Gross Settlement system. Their results show that the amount of unsettled payment varies according to the time of disruption and the participants size.⁸ Similarly, as part of their risk management framework, Central Counterparties (CCPs) — and their supervisors—regularly assess the impact of events that could be the result of a cyber-attack leading to the business disruption of clearing members. For example, the recent stress tests of CCPs run by the European Securities and Markets Authority (ESMA) estimates the impact of the default of two large clearing members on the CCP (credit risk) and the consequences of the failure of a custodian (liquidity risk).⁹ To some extent, the stress test framework can also be used to model the impact of a successful cyber-attack on market participants.

The disruption of material infrastructures such as power grids and IT infrastructures (Cloud providers or operating systems) could also have a large macroeconomic impact. Recent studies estimate that a disruption of part of the U.S power grid could lead to up to USD 1 trillion in losses and a disruption of IT infrastructures up to USD 53 billion (Table 2).

Table 2:

Impact of disruption of infrastructures (all sectors)

Sources: Lloyd’s (2015, 2017)

Table 2:

Impact of disruption of infrastructures (all sectors)

Scenario	Target	Losses (in billion of USD)
Electricity blackout	Energy infrastructures	243-1,024
Cloud Service Providers hack	Cloud Providers	5-53
Mass vulnerability attack	Operating System	10-29

Sources: Lloyd’s (2015, 2017)

View Table

Table 2:

Impact of disruption of infrastructures (all sectors)

Scenario	Target	Losses (in billion of USD)
Electricity blackout	Energy infrastructures	243-1,024
Cloud Service Providers hack	Cloud Providers	5-53
Mass vulnerability attack	Operating System	10-29

Sources: Lloyd’s (2015, 2017)

Fraud

Cyber-attacks can be used for fraudulent purposes, as evidenced recently by theft using SWIFT (Box 2). Access to confidential information, including clients’ credentials used for online payment can be used by cyber-criminals. In the dataset, cyber-related fraud accounts for 90 percent of reported losses.

Box 2:

Recent cyber-attacks using SWIFT

Over the last three years, at least ten attacks were based on the SWIFT system— a messaging system used by financial institutions for financial transactions. Hackers accessed the victims’ SWIFT credentials and sent fraudulent payment orders on behalf of the target (EM banks) to the hackers’ bank accounts—in some cases transiting through AE banks and central banks. Initial losses amounted to USD 336 Million, while actual losses were around USD 87 Million, as some orders were frozen and some money was recouped.

Table 3:

Cyber-attacks using SWIFT

Sources: ORX News, Financial Times. * Current estimated losses are based on publicly available information. Targeted institutions are in the process of recovering the losses through legal proceedings.

Table 3:

Cyber-attacks using SWIFT

Institutions	Date	Initial losses (USD million)	Current estimated losses* (USD million)
Banco del Austro (Ecuador)	Jan. 2015	12.2	9.4
Bangladesh Central Bank	Feb. 2016	81	66
Union Bank of India	Jul. 2016	171	0
TP Bank (Vietnam)	May 2016	1	0
Akbank (Turkey)	Dec. 2016	4	4
Far Eastern International Bank (Taiwan, Province of China)	Oct. 2017	60	0.5
NIC Asia Bank (Nepal)	Oct. 2017	4.4	0.6
Globex (Russia)	Dec. 2017	1	0.1
Unidentified bank (Russia)	Dec. 2017	Unknown	6
City Union Bank (India)	Jan. 2018	2	Unknown

Sources: ORX News, Financial Times. * Current estimated losses are based on publicly available information. Targeted institutions are in the process of recovering the losses through legal proceedings.

View Table

Table 3:

Cyber-attacks using SWIFT

Institutions	Date	Initial losses (USD million)	Current estimated losses* (USD million)
Banco del Austro (Ecuador)	Jan. 2015	12.2	9.4
Bangladesh Central Bank	Feb. 2016	81	66
Union Bank of India	Jul. 2016	171	0
TP Bank (Vietnam)	May 2016	1	0
Akbank (Turkey)	Dec. 2016	4	4
Far Eastern International Bank (Taiwan, Province of China)	Oct. 2017	60	0.5
NIC Asia Bank (Nepal)	Oct. 2017	4.4	0.6
Globex (Russia)	Dec. 2017	1	0.1
Unidentified bank (Russia)	Dec. 2017	Unknown	6
City Union Bank (India)	Jan. 2018	2	Unknown

Sources: ORX News, Financial Times. * Current estimated losses are based on publicly available information. Targeted institutions are in the process of recovering the losses through legal proceedings.

Emerging technologies such as Fintech are also particularly exposed to cyber-attacks given their reliance on technology. Technological innovations may increase vulnerabilities to cyber-attacks, as specialized firms might have fewer controls and risk management procedures than large, vertically integrated regulated intermediaries (IMF (2017a)). Greater use of technology could also expand the range and numbers of entry points into the financial system, which hackers could target. Fintech activities could also increase third-party reliance, where firms outsource activities to a few concentrated providers. In this case, the disruption of a provider could increase systemic risk due to the centrality of the provider in the financial system (FSB (2017)). Cyber-attacks on Fintech firms (mainly online exchanges allowing the trading of Bitcoins and providing wallet services) have resulted in at least USD 1,450 Million in losses due to fraud since 2013 (Table 4).

Table 4:

Cyber-attacks on Fintech firms

Sources: ORX News, Financial Times

Table 4:

Cyber-attacks on Fintech firms

Institution	Date	Estimated losses (USD Mn)
Inputs.io	Oct. 2013	1.3
GBL	Oct. 2013	5
Bitcoin Internet Payment Services	Nov. 2013	1
MT Gox	Jan. 2014	470
BitPay	Dec. 2014	1.9
EgoPay	Dec. 2014	1.1
Bitstamp	Jan. 2015	5.3
Bitfinex	May. 2015	0.3
Gatecoin	May 2016	2
DAO Smart Contract	Jun. 2016	50
Bitfinex	Aug. 2016	72.2
CoinDash	Jul. 2017	7
Tether	Nov. 2017	31
NiceHash	Dec. 2017	64
Coincheck	Jan. 2018	534
BitGrail	Feb. 2018	170
Coinsecure	Apr. 2018	33

Sources: ORX News, Financial Times

View Table

Table 4:

Cyber-attacks on Fintech firms

Institution	Date	Estimated losses (USD Mn)
Inputs.io	Oct. 2013	1.3
GBL	Oct. 2013	5
Bitcoin Internet Payment Services	Nov. 2013	1
MT Gox	Jan. 2014	470
BitPay	Dec. 2014	1.9
EgoPay	Dec. 2014	1.1
Bitstamp	Jan. 2015	5.3
Bitfinex	May. 2015	0.3
Gatecoin	May 2016	2
DAO Smart Contract	Jun. 2016	50
Bitfinex	Aug. 2016	72.2
CoinDash	Jul. 2017	7
Tether	Nov. 2017	31
NiceHash	Dec. 2017	64
Coincheck	Jan. 2018	534
BitGrail	Feb. 2018	170
Coinsecure	Apr. 2018	33

Sources: ORX News, Financial Times

The high degree of interconnectedness across firms can lead to rapid contagion effects. For corporates, due to the high interconnectedness across supply chains, a successful attack on part of the network could spread rapidly to other firms. For example, in June 2017, a ransomware targeting Ukraine lead to losses of at least USD 1.3 billion for multinational firms across sectors (transportation, construction or food) linked to Ukrainian companies.¹⁰ For financial institutions, a disruption of one large bank, making it unable to process transactions and post margins could spread quickly to its counterparties and the financial market infrastructures, resulting in heightened liquidity and solvency risk.

Data breaches

Financial institutions are also particularly vulnerable to data breaches. Given their reliance on customer’s data to conduct business, the financial sector suffered the most incidents with data loss in recent years— including the Equifax data breach where hackers may have stolen personal information of more than 145 million U.S customers. The economic impact of data breaches is hard to assess since indirect effects (loss of clients, reputation risk) are likely to be more material than direct effects (recovery and litigation costs). In the U.S. alone, more than 260 million records were breached due to hacking over the last three years in the financial sector (Figure 9). The Ponemon Institute estimates that the average cost per stolen record was USD 141 in 2017 (Ponemon (2017)). Applying the Ponemon estimates, losses due to data breach over the last three years would be around $38 billion for U.S. financial firms alone.

View Full Size

Correspondence analysis (terms contributing the most by types of attack)

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Sources: ORX News, author’s calculations

• Download Figure
• Download figure as PowerPoint slide

View Full Size

Data breaches in the U.S.

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Source: Privacy Rights Clearinghouse

• Download Figure
• Download figure as PowerPoint slide

A. Overview of the methodology

This section aims to illustrate how models employed for operational risk assessment for banks and the pricing for insurance contracts can also be applied to developing a framework for an analysis of cyber risk. This analysis yields estimates and distribution of aggregate financial system losses due to cyber-attacks. The results are particularly important for the financial services sector, since regulators require banks and insurance companies to hold risk capital for operational losses which might result from cyber-attacks. The usefulness of these results for policymakers, regulators, and practitioners is illustrated in two applications (with and without contagion across firms).

The empirical strategy is to define cyber risks as a sub-group of operational risk, allowing us to clearly identify relevant data. The data on cyber-attacks is extracted from ORX News.¹¹ All losses are expressed in U.S. dollars, and in the following analysis adjusted for inflation to make them comparable over time.

To analyze the statistical properties of cyber-attacks we use tools from actuarial science. First, we fit the data on losses from ORX News using a lognormal distribution for the body of the distribution and extreme value theory for the tail, following the standard approach in actuarial science to model losses. After having estimated the distribution and frequency of losses, the average loss and risk measures (value at risk (VaR), and expected shortfall (ES)) are estimated.¹² Risk measures show how much capital a firm needs to cover the losses with a given confidence level. Second, aggregated losses are computed with Monte Carlo simulations, assuming that the frequency of each cyber event follows a Poisson distribution.

B. Estimation of aggregated losses due to cyber risk

The approach taken to estimate aggregate loss distribution follows approaches used in actuarial science to model insurance claims, and to assess operational risk for banks under the Advanced Measurement Approach in the Basel II framework (Shevchenko (2010)). The method is based on i) the frequency of events, ii) the distribution of losses, and iii) the aggregate distribution of losses, considering the frequency and loss distribution. Figure 10 shows the different components of the method. Once the frequency (top-left panel) and distribution of losses due to cyber-attacks are estimated (top-right panel), it is possible to estimate the distribution of aggregated losses (bottom panel).¹³

View Full Size

Estimation of aggregated losses

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

• Download Figure
• Download figure as PowerPoint slide

Formally, the aggregate losses Z due to cyber risk are given by:

where the frequency N is a discrete random variable — the number of cyber-attacks per year— and X₁, …,X_N are positive random severities (losses). The aggregate losses are equal to the sum of individual losses due to cyber risk over the time horizon (one-year).

We also assume that N and X_i are independent, i.e. the frequency and severities of cyber incidents are independent.

In the remainder of the paper, we focus on particular distributions for the frequency of cyber-attacks and distribution of losses. In practice, both the frequency and the distribution of losses are likely to evolve over time as cybercrime expands and cybersecurity is strengthened. As such, the distributions used in this paper can be seen as a point-in-time assessment rather than a definitive assessment on how cyber-losses should be estimated. Additionally, distributions could also be different by types of attacks, types of targets and types of countries affected. Policy interventions and further efforts on cybersecurity could also change the shape of the distributions.

Distribution of losses

Average losses are around USD 66 million in dataset, with a median at USD 4.7 million. Most losses are below USD 200 million, with an outlier at around $4,010 million (Figure 11).¹⁵

View Full Size

Histogram of losses

Citation: IMF Working Papers 2018, 143; 10.5089/9781484360750.001.A001

Source: ORX News.

• Download Figure
• Download figure as PowerPoint slide

We chose to model the distribution of losses by using two distributions depending on the level of losses (spliced distribution). The choice of a spliced distribution provides flexibility to model differently small and large losses, while using one simple distribution would be too restrictive (Cruz et al. (2015)). The body of the distribution (‘bulk’) follows a lognormal distribution and the right tail follows a Generalized Pareto Distribution (GPD), commonly used in extreme value theory to model fat tails (Coles (2001) and Scarrott and MacDonald (2012)). The GPD is used to model potential large losses due to cyber-attacks, although such events have not yet occurred.

For the bulk of losses, where x ≤ u the distribution is lognormal, X ~ LN(μ, σ) and its probability density function f is given by:

$f\left(x\right)=\frac{1}{x\sqrt{2\pi {\sigma }^2}}exp(-\frac{(\ln \left(x\right)-\mu {)}^2}{2{\sigma }^2})$

For the tail, where x > u the distribution is given by X ~ GPD(ξ, α, β), with the shape parameter ξ, the scale parameter β, and threshold parameter α and the density function is:

$f\left(x\right)=\frac{1}{\beta }{(1+\frac{\xi (x-\alpha )}{\beta })}^{(-\frac{1}{\xi }-1)}$

The parameters of the spliced distribution (μ, σ, ξ, α, β, u) are estimated by maximum likelihood using the evmix package in R (Hu and Scarrott (2017)).¹⁶ The estimate for u yields $119 million, implying that losses below this threshold follow a lognormal distribution and above a GPD.

C. Results

In the baseline case, average losses due to cyber-attacks for the countries in the ORX sample amount to USD 97 billion or 9 percent of banks net income (Table 5).¹⁷ The VaR would range between USD 147 and 201 billion (14 to 19 percent of net income) and the expected shortfall between USD 187 and 281 billion. Those estimates point to sizeable potential aggregated losses in the financial sector, far above publicly reported losses by financial institutions in these jurisdictions. However, estimated losses due to cyber risk are a fraction of operational risk losses for banks— which amounted to USD 260 billion in 2007 and 375 billion in 2009 (Hess (2011)).

Table 5:

Aggregate losses due to cyber risk

Note: VaR is the Value-at-Risk, ES is the Expected Shortfall. Net income data based on a sample of 7,947 banks for 2016. ^*It is assumed that each cyber attack has a 20% probability to affect two or more firms. Sources: ORX News, SNL, and staff calculations.

Table 5:

Aggregate losses due to cyber risk

	Baseline		Scenario 2 (severe)
Independence
	% net income	USD bn	% net income	USD bn
Average	9	97	26	268
VaR (95%)	14	147	34	352
ES (95%)	18	187	40	409
VaR 99%	19	201	41	427
ES (99%)	27	281	52	539
Assuming 20% dependence*
Average	12	127	34	351
VaR (95%)	18	184	43	446
ES (95%)	22	229	49	509
VaR 99%	24	248	51	529
ES(99%)	32	329	62	642

Note: VaR is the Value-at-Risk, ES is the Expected Shortfall. Net income data based on a sample of 7,947 banks for 2016. ^*It is assumed that each cyber attack has a 20% probability to affect two or more firms. Sources: ORX News, SNL, and staff calculations.

View Table

Table 5:

Aggregate losses due to cyber risk

	Baseline		Scenario 2 (severe)
Independence
	% net income	USD bn	% net income	USD bn
Average	9	97	26	268
VaR (95%)	14	147	34	352
ES (95%)	18	187	40	409
VaR 99%	19	201	41	427
ES (99%)	27	281	52	539
Assuming 20% dependence*
Average	12	127	34	351
VaR (95%)	18	184	43	446
ES (95%)	22	229	49	509
VaR 99%	24	248	51	529
ES(99%)	32	329	62	642

Note: VaR is the Value-at-Risk, ES is the Expected Shortfall. Net income data based on a sample of 7,947 banks for 2016. ^*It is assumed that each cyber attack has a 20% probability to affect two or more firms. Sources: ORX News, SNL, and staff calculations.

In the severe scenario— where the frequency of events is twice the peak observed in 2013— average losses would amount to USD 268 billion (26 percent of net income) and risk indicators would range between USD 352 and 539 billion (34 to 52 percent of net income).

The introduction of contagion effects across financial institutions would increase aggregate losses by around 20 percent, in line with the assumptions used in the modelling of contagion effects.

The estimates provided in this paper are broadly in line with existing estimates. Symantec (2013) reports an annual cost of cybercrime of USD 113 billion, using a survey to measure cyber-attacks and the average cost per attack. Anderson et al. (2013) estimate direct and indirect losses around USD 215 billion using data from 2007-2012 on different types of cyber-crime (online banking fraud, tax fraud etc.), mainly from the UK and then extrapolated to the world. McAffee (2014) estimates global costs to be between USD 375 and 575 billion.¹⁸ However, most existing studies use very different data source and methodology to estimate losses, some of which are not directly tractable, while this paper provides a tractable framework to estimate the cost of cyber risk.

The estimated losses are several orders of magnitude higher than what the cyber insurance market can so far cover. The insurance market for cyber risk has grown recently to reach around USD 3 billion in premium globally in 2017 and is expected to reach USD 12 to 20 billion in the next decade (Fitch Ratings (2017)). However, most institutions do not have cyber insurance— with take-up rates of less than 30 percent across sectors—, coverage is limited and it is challenging for insurers to price cyber risk due to uncertainty about exposures and risks of correlated exposures.^{19, 20}

D. Robustness and sensitivity analysis

Applying the framework faces a number and of challenges and the methodology used is subject to caveats. Therefore, the estimated losses should be considered illustrative, rather than a definitive estimation of losses due to cyber-attacks.

First, the data used is incomplete. Data on losses is partial and the sample might be biased towards certain countries such as the U.S. Given the delays in reporting and disclosing cyber-attacks, the data used might not represent accurately the current level of cyber risks.²¹ The estimation also mixes two different datasets: ORX News for the losses and Advisen for the frequency of events. A consistent framework to collect data on cyber risk could alleviate this bias. Relatedly, it is assumed that all financial institutions are subject to the same risk of cyber-attacks, although in practice institutions are exposed to varying degrees. The degree of financial institutions’ exposure could be linked to the criminal and geopolitical environment, access to cybersecurity human capital (of both defenders and attackers), degree of connectivity to the global financial system, and degree of complexity and reliance on IT systems.

Second, the results are dependent on the modelling assumptions for the distribution of losses and contagion. For example, a lognormal distribution provides a better fit than the spliced distribution for the historical data used. If a lognormal distribution is used, average losses amount to USD 38 billion (against USD 97 billion) and the 95% VaR and Expected Shortfall would be USD 51 billion and USD 60 billion respectively. Appendix 2 compares results obtained by using different spliced distributions for losses. More generally, the framework outlined in the paper is flexible enough so that different modelling assumptions can be tested.

Finally, losses might vary according to the type of attack: business disruption is more likely to cause contagion than fraud for example. Ideally, for each type of cyber-attack one would estimate a different loss distribution. Richer datasets would allow the estimation of different distributions by type of cyber-attack.