
Logo for Boise State Pressbooks


Module 1: Case Studies & Examples

In this section, we will review some examples of how to generate an initial estimate using two very basic methods. Then, we are going to walk through some case studies so that you can put what you’ve learned into the context of a cyber risk scenario.

The Value of the Initial Analysis

In any organization, decision-making is a crucial process that can significantly impact the success or failure of the organization. Making informed decisions requires access to accurate and relevant information. It does not, however, require in-depth, time-consuming, and expensive research and analysis. The initial analysis provides a quick, cost-effective analysis of risk. It allows decision-makers to have a timely analysis based on readily available data. If decision-makers determine that a more in-depth analysis is warranted, this gives them the opportunity to clearly scope the effort and provide their authorization for the expenditure of additional funds and resources.

What is an Initial Analysis?

An initial analysis is a preliminary assessment of a situation or problem. It involves gathering and analyzing information to understand the situation comprehensively. An initial analysis is typically conducted before making any significant decisions or taking any action. Its purpose is to provide decision-makers with the information they need to make informed decisions. In the case of quantifying risk, you are making estimates with fairly broad ranges (such as 20% or more). This provides an accurate, if broad, estimate. With more detail, the estimate becomes more precise.

Benefits of an Initial Analysis for Decision Support

An initial analysis is valuable for decision support because it gives decision-makers a comprehensive overview of the situation. It allows decision-makers to make informed decisions based on accurate and relevant information. There are several benefits of conducting an initial analysis.

Benefits of Conducting an Initial Analysis

  • Provides a Comprehensive Overview : An initial analysis gives decision-makers a comprehensive overview of the situation. It helps decision-makers to understand the situation, including the challenges, risks, and opportunities. This comprehensive overview allows decision-makers to make informed decisions based on accurate and relevant information.
  • Identifies Risks and Opportunities : An initial analysis helps to identify risks and opportunities associated with the situation. It allows decision-makers to assess the potential impact of these risks and opportunities on the organization. This information is critical to making informed decisions considering potential risks and opportunities.
  • Helps to Identify and Prioritize Options : An initial analysis helps to identify and prioritize options for addressing the situation. It provides decision-makers with a range of options and the potential benefits and risks associated with each option. This information is critical to making informed decisions that consider all available options.
  • Facilitates Consensus-Building : An initial analysis helps to facilitate consensus-building among decision-makers. It provides decision-makers with a shared understanding of the situation, which can help to build consensus around the best course of action. This consensus-building is critical to ensuring that decisions are made with the support of all decision-makers.
  • Reduces the Risk of Making Poor Decisions : An initial analysis helps to reduce the risk of making poor decisions. It provides decision-makers with accurate and relevant information, which can help to reduce the risk of making decisions based on incomplete or inaccurate information. This can help avoid costly mistakes and ensure that decisions are made in the organization’s best interests.
  • Approval for Additional Time and Resources : An initial analysis is typically conducted before making any significant decisions or taking any action. Its purpose is to provide decision-makers with the information they need to make informed decisions. However, in some cases, decision-makers may require additional information before deciding. In these cases, an initial analysis can serve as a basis for approving additional time and resources to produce a more in-depth analysis. This additional analysis can provide decision-makers with more detailed information, which can help to make more informed decisions. By using the initial analysis as a basis for approving additional time and resources, decision-makers can ensure that the additional analysis is focused on the most critical issues and provides the information they need to make informed decisions.

Always begin with an initial analysis.

Figure 6 NOTE: Always begin with an initial analysis

General Guidelines for Developing Estimates

  • Internet-facing assets generally represent a very high likelihood of compromise if there is an exploitable vulnerability. Any asset with a directly accessible interface to the internet could be considered to meet this criterion if it has an exploitable vulnerability.
  • Vulnerabilities in perimeter defenses generally represent a very high likelihood of compromise.
  • Vulnerabilities in high-value assets generally represent a very high risk.
  • Vulnerabilities on web-based servers and applications represent a very high likelihood of compromise.
  • Vulnerabilities on workstations generally represent a high likelihood of compromise.
  • Vulnerabilities in databases represent a high likelihood of compromise.
  • Vulnerabilities on unsupported systems or products may be considered a higher likelihood of compromise.
  • Vulnerabilities that could cause extreme outages generally represent a very high risk.
  • Vulnerabilities that could lead to initial access or privilege escalation generally represent a very high risk.
  • Vulnerabilities that could lead to system compromise generally represent a higher risk.
  • If you know what percentage of systems have a particular vulnerability, you can use this as the basis for a threat estimate.
  • Zero-day vulnerabilities generally represent a very high risk.
  • Perimeter defense Zero-Day vulnerabilities generally represent a very high risk.
  • Web servers with Zero-Day vulnerabilities generally represent a very high risk.
  • Web server and application exploits such as SQL and Cross-site scripting vulnerabilities generally represent a very high risk.
  • Unsupported operating systems and applications generally represent a very high risk as these are frequently targets of attack.
  • Remote code execution vulnerabilities generally represent a higher risk.
  • Named exploits such as man-in-the-middle type attacks generally represent a higher risk.
  • Vulnerabilities for which there are known or ongoing exploits generally represent a higher risk.
  • Vulnerabilities with a public proof-of-concept generally represent a higher risk. Any vulnerability that can lead to initial access or privilege escalation generally represents a higher risk.
  • Internal exploitable vulnerabilities generally represent an elevated risk.
  • Strong perimeter defense can be a mitigating factor.
  • Security by obscurity is not considered a mitigating factor.
  • Policies or procedures may be considered a mitigating factor.
  • Mitigating factors generally can reduce an estimate by a single 20% range. A very strong mitigation generally can reduce an estimate by two 20% ranges.
  • Financially motivated cyber-criminals are generally very successful. You may want to specify the targeted system or data to refine the scope of your estimate.
  • Insider threats are generally very successful.
  • APTs or nation-states are generally very successful. You may want to specify a particular APT or nation-state to refine your estimate.
  • An accidental misconfiguration is as dangerous as an intentional act.
  • Poor processes and procedures can represent a risk, especially if they are undocumented and not consistently applied.
  • It is useful to stipulate the time period for your estimate and whether it is a factor in the likelihood of compromise. In some cases, this may be the time period until a patch or remediation is in place. In some cases, the longer the time period, the higher the likelihood of compromise. Similarly, in some cases, a shorter period of exposure may indicate a slightly lower likelihood of compromise.

Using a 1-5 Scale

Risk is an inherent part of any business or organizational activity. It is the possibility of an event occurring that could adversely impact the organization’s objectives. Risk can be expressed in various ways, including verbally, numerically, or graphically. One commonly used method of verbally expressing risk is through a 1-5 scale using the labels very low, low, moderate, high, and very high values.

The Five-Point Scale

The five-point scale is a simple and effective way to express risk verbally. It uses five categories to describe the level of risk associated with an event or activity. The categories are very low, low, moderate, high, and very high. Each category represents a different level of risk, with very low representing the lowest level of risk and very high representing the highest level of risk.


Figure 7 The 5-Point Scale Labels

This scale is beneficial because it allows for quick and easy understanding and consensus-building among different organizational groups. It is a simple and intuitive way to express risk that people with different levels of expertise in risk management can easily understand.

Converting the Scale to 20% Ranges

While the five-point scale is a useful way to express risk qualitatively, it can also be adapted into numerical form, represented by 20% ranges, to quantify the risk. This allows for a more precise and objective assessment of risk that can be used to make informed decisions about risk management.

To convert the five-point scale to 20% ranges, each category is assigned a range of probabilities. The ranges are as follows:

  • Very Low: 0% – 20%
  • Low: 21% – 40%
  • Moderate: 41% – 60%
  • High: 61% – 80%
  • Very High: 81% – 100%


Figure 8 The 5-Point Scale Range Values

By assigning each category a range of probabilities, the level of risk associated with an event or activity can be quantified. When communicating this, you should note that this estimate is based on an initial range of 20% for each.

Benefits of Using the Scale

Using the five-point scale with values of very low, low, moderate, high, and very high is a good way to begin thinking, speaking, and quantifying risk. It provides a simple and intuitive way to express risk that people with different levels of expertise in risk management can easily understand. It also allows for quick and easy consensus-building among different organizational groups.

One of the benefits of using the 1-5 scale is the same as that found by L. Hoffman and D. Clement (1970), namely the value of using “intuitive linguistic variables” for range variables. Another benefit is that a five-point scale avoids the issues found in a three-point scale by allowing wider dispersion among the mid-range values. A simple three-point scale is susceptible to bias (most people are averse to using either the lowest or highest extremes and tend to default to mid-range values).

The conversion of the scale to 20% ranges provides a more precise and objective assessment of risk that can be used to make informed decisions about risk management. This allows for a more systematic and consistent approach to risk management that can help organizations identify, assess, and manage risk.

In addition, using the five-point scale can help promote a risk management culture within an organization. Providing a simple and intuitive way to express risk can encourage employees to think more proactively about risk and take appropriate steps to manage risk in their daily activities.

A five-point scale provides a simple and intuitive way to express risk that people with different levels of expertise in risk management can easily understand. Translating the qualitative descriptors of the five-point scale into corresponding 20% probability ranges enhances the precision of risk evaluations, allowing for a more quantifiable and objective approach to risk assessment. Using this scale can help promote a risk management culture within an organization and aid in consensus-building among different organizational groups.

Back-of-the-Napkin Math

This method is an easy way to quantify risk without advanced tools or models. It approximates an advanced method known as the Monte Carlo Simulation using ranges described in the 5-point scale method. This method produces a usable approximation but lacks the level of detail or ability to generate meaningful probability distribution charts available with the Monte Carlo simulation method. You only need a sheet of paper and a pen or pencil to use this method, which is why I call it the “back-of-the-napkin” method.

The Three-Point Range Values

Using three-point values is a simple and effective way to express a range, such as the level of threat and likelihood associated with an event or activity. The three values are minimum, most likely, and maximum.

When we quantify risk, we use the formula Threat x Likelihood = Risk. Each of these (threat, likelihood, and risk) is expressed as a range.

To this equation, we can add the impact as a way to rate the risk. Risk x Impact = Rating

The impact can be financial or operational, and whether the impact is Very High or Very Low is always established by the organization. If the impact is financial it is expressed as a dollar value.

Let’s look at how the three-point values are used to quantify risk.

Assume the threat values are .10, .20, and .30. Then assume the likelihood values are .20, .60, and .80. How do we multiply ranges?

Follow these steps to multiply two 3-value ranges:

  • Multiply the first value of the first range by the first value of the second range.
  • Multiply the second value of the first range by the second value of the second range.
  • Multiply the third value of the first range by the third value of the second range.

[.10 .20 .30] x [.20 .60 .80] = [.10 x .20] [.20 x .60] [.30 x .80]

Now, work out the three products.

.10 x .20 = .02

.20 x .60 = .12

.30 x .80 = .24

You get the following range [.02 .12 .24].

Now, let’s estimate the range for impact. Assume $10K, $20K, and $50K as the values, and multiply the risk range we just calculated by the impact range.

[.02 .12 .24] x [$10K $20K $50K] = [.02 x $10K] [.12 x $20K] [.24 x $50K]

.02 x $10,000 = $200

.12 x $20,000 = $2,400

.24 x $50,000 = $12,000

This gives a rating range of [$200 $2,400 $12,000].

Developing a Range Estimate from a Single Point Value

In many instances, you will only have a single-point value, such as the percentage of assets missing a patch. In this case, you can use the single point value as your most likely value and add +/- 10% to get a 20% range.

Example: If 20% of workstations are missing a patch, you could use the +/- 10% to produce the range .10-.20-.30. When using this method, you should note in your communications that this is a +/- 10% estimate based on the initial value of the weakness finding (20% of workstations with a missing patch).

Developing a Range from Multiple Variables

When you have multiple variables, one approach to establishing your range is to take the highest and lowest values in the set as the endpoints, then establish your mid-point value by subtracting the lowest value from the highest, dividing that difference by 2, and adding the result to the lowest value. BYJUS.com, a global EdTech firm, has a basic explainer on ranges at https://byjus.com/maths/range/.

Example: 20% of servers are missing a patch and 45% of servers have a weak configuration that leaves them open to compromise. We can use 20% as the low value and 45% as the high value. To calculate the mid-range value, we subtract the lower value from the higher value (45-20=25) and divide that by 2 (25/2=12.5), then add that to the lower value (20+12.5=32.5). That gives us .20-.325-.45.
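The back-of-the-napkin arithmetic above, and the 5-point scale it draws on, as an added Python example (my own code, not from the chapter): the 20% band labels, the +/- 10% expansion of a single finding, the lowest/mid-point/highest range from several findings, position-by-position range multiplication, and Risk x Impact. Function and variable names are my own; the sample inputs are the chapter's own figures, and the same functions reproduce the case-study ranges further down the page.

```python
"""Three-point range arithmetic for the back-of-the-napkin risk method.

Added example, not code from the chapter. A range is a tuple
(minimum, most_likely, maximum): probabilities in [0, 1] for threat,
likelihood and risk, or dollar amounts for impact.
"""
from typing import Dict, Tuple

Range = Tuple[float, float, float]

# The 5-point scale converted to 20% bands: (upper bound, label).
# A value on a boundary (e.g. .80) falls in the lower band, per the table.
SCALE = [
    (0.20, "very low"),
    (0.40, "low"),
    (0.60, "moderate"),
    (0.80, "high"),
    (1.00, "very high"),
]


def label(p: float) -> str:
    """5-point label for one probability, e.g. 0.28 -> 'low'."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for upper, name in SCALE:
        if p <= upper:
            return name
    return SCALE[-1][1]


def describe(r: Range) -> str:
    """Qualitative span of a range from its minimum and maximum,
    e.g. (0.29, 0.48, 0.67) -> 'low to high'."""
    lo, hi = label(r[0]), label(r[2])
    return lo if lo == hi else f"{lo} to {hi}"


def range_from_point(p: float, spread: float = 0.10) -> Range:
    """Expand a single finding into a +/- spread range (default +/- 10%),
    clamped to [0, 1] so it stays a valid probability range."""
    return (round(max(0.0, p - spread), 4), round(p, 4),
            round(min(1.0, p + spread), 4))


def range_from_values(*values: float) -> Range:
    """Range from several findings: lowest, lowest + (highest - lowest) / 2, highest."""
    if len(values) < 2:
        raise ValueError("need at least two values to form a range")
    lo, hi = min(values), max(values)
    return (round(lo, 4), round(lo + (hi - lo) / 2, 4), round(hi, 4))


def multiply(a: Range, b: Range) -> Range:
    """Multiply two ranges position by position: min*min, most-likely*most-likely, max*max."""
    return (round(a[0] * b[0], 4), round(a[1] * b[1], 4), round(a[2] * b[2], 4))


def napkin_estimate(threat: Range, likelihood: Range, impact: Range) -> Dict[str, object]:
    """Risk = Threat x Likelihood; Rating = Risk x Impact (impact in dollars)."""
    risk = multiply(threat, likelihood)
    rating = multiply(risk, impact)
    return {
        "threat": threat,
        "likelihood": likelihood,
        "risk": risk,
        "rating": tuple(round(v, 2) for v in rating),
        # The chapter asks that the 20%-range basis be stated when communicating.
        "summary": (f"threat {describe(threat)}, likelihood {describe(likelihood)}, "
                    f"risk {describe(risk)}; three-point estimate on 20% ranges"),
    }


if __name__ == "__main__":
    # The chapter's worked numbers: threat .10-.20-.30, likelihood .20-.60-.80,
    # impact $10K-$20K-$50K.
    est = napkin_estimate((0.10, 0.20, 0.30), (0.20, 0.60, 0.80),
                          (10_000, 20_000, 50_000))
    for key, value in est.items():
        print(f"{key:>10}: {value}")
    # Single finding: 28% of web servers unpatched (branch manager case).
    print(range_from_point(0.28), describe(range_from_point(0.28)))
    # Two findings on the same asset class: 29% and 67% (accounting firm case).
    print(range_from_values(0.29, 0.67), describe(range_from_values(0.29, 0.67)))
```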


Figure 9 Back-of-the-Napkin Worksheet

Case Studies

For each of the scenarios provided, use the five-point scale to convert estimates of threat (weakness), likelihood (the likelihood that the weakness will be leveraged against the organization), risk, impact (a range of financial cost), and score. Reading and understanding the examples will guide your evaluation process and prepare you for the module quiz and final project.

The Branch Manager

As the branch manager sat in her office, she received an urgent message from the corporate security team about a newly released patch that addressed a critical vulnerability in the company’s network. Concerned about the potential risk to her branch, she immediately contacted the network operations group to inquire about the patch.

The network administrator reviewed the vulnerability data and determined that 28% of their web servers required the patch. She knew that this was a significant number of web servers. She also knew that a critical vulnerability on web-facing servers posed a high risk to the organization.

However, the operations group could not apply the patch for a week due to other scheduled maintenance. The network administrator explained to the branch manager that the patch required significant testing and validation before being deployed to the production environment. She assured the branch manager that the operations group was working diligently to ensure the patch would be deployed as soon as possible.

  • Assign a range to weakness. In this example, we have a percentage of the threat landscape that is missing a required patch. We can use this as the basis for our initial range for threat. 28% falls within the low range, so we can use this to justify a low rating for weakness. With 28% as a midpoint, we add +/- 10%, giving us a range of .18-.28-.38 for threat.
  • Assign a range to likelihood. In the example we are told the missing patch has a critical severity and that it is on web servers. We can review our guidance for establishing an initial estimate and consider the criticality of the vulnerability and its location (web servers); we can justify a very high range of .80-.90-1.0.
  • Set the time period for the estimate. We will use the time period of “until patches are applied”. We could note that the longer this takes, the more the likelihood of compromise increases.
  • Calculate the initial estimate.


University Case Study

The college has always prided itself on its commitment to technology and innovation. With a sprawling campus and a diverse student population, the college relies heavily on its network infrastructure to provide critical services to its students, faculty, and staff.

However, in recent months, the college has experienced several issues with its network infrastructure. Users across the campus had reported slow performance, intermittent outages, and other issues. Concerned about the potential impact of these issues, the college decided to perform an internal audit of its network infrastructure.

The audit revealed a number of significant issues with the college’s network infrastructure. The most pressing issue was that 70% of the college’s workstations required system upgrades due to recent end-of-life notices that hadn’t been tracked. The previous network administrator had recently left, and it had taken some time for the new administrator to come up to speed. As a result, critical updates and patches had been missed, leaving the college’s network vulnerable to potential cyber-attacks.

The new administrator found that there was little network documentation and, in fact, little segmentation across the campus. This meant that if a cyber-attacker were to gain access to one part of the network, they would have access to the entire network.

The new administrator was alarmed by the audit’s findings. She knew that the college’s network was vulnerable to potential cyber-attacks and that urgent action was needed to address the issues.

As she continued to review the network infrastructure, the new administrator read about a recent cyber-attack at another university. In that attack, the threat actor had moved laterally across the network and was able to compromise and exfiltrate sensitive data from the administration office. The attack had caused significant damage to the university’s reputation and resulted in a loss of trust among students, faculty, and staff.

  • Assign a range to weakness. In this example, we are given the statistic that 70% of workstations are on an unsupported operating system version. We can use this percentage of the threat landscape (workstations) as the basis for an initial estimate. Using 70 as our mid-range value, we get .60-.70-.80, which is moderate to high.
  • Assign a range to likelihood. For likelihood, we consider the network’s lack of segmentation and documentation and the recent attack on another university in which this weakness was leveraged, resulting in the exfiltration of sensitive data. This activity raises the likelihood that the university would be a target. We can use a range of very high, giving us .80-.90-1.0.


  • Assign a range to impact. We can consider the impact experienced in the recent attack at another university as a potential impact on this university, given the lack of segmentation and documentation. We also know that 70% of workstations (including administrative) use an unsupported operating system. Combined, we can justify a very high impact range of .80-.90-1.0.


  • Indicate the applicable time period. We considered two key variables: vulnerable workstations and lack of network segmentation. Both of these would need to be addressed to change the risk, impact, or rating. When we indicate our applicable time period, we need to note this and state that this estimate is applicable until these weaknesses are sufficiently addressed.

Health Care Facility Case Study

As the HIPAA compliance auditor arrived at the healthcare provider, she was ready to conduct a thorough audit of their HIPAA compliance measures. The healthcare provider had hired the auditor to identify any system vulnerabilities and provide recommendations for improvement.

As the auditor began her assessment, she quickly identified several areas of concern. She discovered that over 60% of the staff were not provided with HIPAA compliance training. The auditor found that the healthcare provider had not implemented a comprehensive training program to educate their staff on HIPAA compliance policies and procedures. This presented a significant risk, as the staff may unknowingly violate HIPAA regulations, leading to potential legal and financial liabilities.

In addition, the auditor found that 12% of the staff did not have dedicated laptops. This created a risk of unauthorized access to patient information, as multiple staff members with varying degrees of “need to know” shared laptops, potentially allowing staff who did not have the “need to know” to access patient records.

The auditor also discovered that 48% of the logging system was missing or inoperable due to some network configurations that were only partially implemented. This meant that the healthcare provider could not track and monitor access to patient records. This potentially meant that they could have a privacy violation or loss of sensitive information and not be aware of the violation, which could expose them to civil penalties or even criminal charges.

The auditor also found that patient data was not partitioned from other data on the network. This presented a significant risk, as the healthcare provider’s network could be compromised by external threat actors, and the lack of data partitioning could allow lateral movement, resulting in sensitive data being stolen or ransomed.

After compiling her assessment, the auditor estimated that the healthcare provider’s HIPAA compliance posture did have significant weaknesses, with a significant risk of unauthorized internal access. She noted that the lack of HIPAA compliance training, the inadequate number of workstations, the missing logging system, and the lack of data partitioning presented a significant risk of HIPAA violations and data breaches. She estimated that the healthcare provider’s legal liability from the identified weaknesses could be significant, as the provider could be held responsible for any financial losses or damages suffered by patients due to the breach.

The auditor’s report included detailed recommendations for the healthcare provider to improve their HIPAA compliance measures. She advised the provider to implement a comprehensive HIPAA compliance training program to educate their staff on HIPAA regulations and procedures. She also recommended that the provider increase the number of laptops from 132 to 150 to ensure that patient records were not left unintentionally exposed to staff that lacked the “need to know.”

To address the missing logging system, the auditor recommended that the healthcare provider implement a comprehensive system that tracks and monitors access to patient records. She advised the provider to implement least privilege role-based access controls and appropriate network segmentation to separate patient data from other network data.

The estimated cost to implement the auditor’s recommendations was significant. The healthcare provider would need to invest between $50,000 to $100,000.

  • Estimate the weakness. We can use the 12% estimate of missing laptops as the basis for estimating the weakness as a percentage of the threat landscape. We can use a very low estimate of 0-.12-.22. The lack of sufficient data separation was linked to the risk of external threat actors moving laterally and potentially stealing or ransoming sensitive data. The lack of logging is of concern, but it is not a weakness that can be leveraged to carry out an attack. Rather, it results in a lack of visibility and awareness.
  • Estimate the likelihood. We can use the 60% of staff lacking the training to estimate the likelihood of inadvertent unauthorized access to sensitive patient data. We could use a .50-.60-.70 range, or moderate to high. We have insufficient data to estimate the likelihood of an external attack because no relevant weaknesses were identified in the audit.


Accounting Firm Case Study

The cybersecurity auditor arrived at the accounting firm of Smith and Associates, ready to conduct a thorough audit of their cybersecurity measures. The firm hired the auditor to identify any systems vulnerabilities and provide recommendations for improvement.

As the auditor began his assessment, he quickly identified several areas of concern. He discovered that 67% of the firm’s workstations had outdated software, including operating systems and applications. This presented a significant risk, as obsolete software can contain known vulnerabilities that cyber-attackers can exploit.

In addition, the auditor found that 29% of the workstations had outdated anti-virus software. This was a significant concern, as anti-virus software is the first line of defense against malware and other cyber threats. Outdated anti-virus software can be ineffective against new and emerging threats, leaving the firm’s systems vulnerable to attack.

The auditor also discovered that the firm’s public-facing web server had multiple SQL vulnerabilities. SQL vulnerabilities are a common target for cyber-attackers, as they can be exploited to gain unauthorized access to databases and steal sensitive data. The auditor was particularly concerned about this vulnerability, as it posed a significant risk to the firm’s clients and their confidential financial information.

After completing his assessment, the auditor stated that the firm’s cybersecurity posture has several significant weaknesses that could likely be leveraged in an attack. He noted that the outdated software and anti-virus, combined with the SQL vulnerabilities on the public-facing web server, created a significant risk of cyber-attack. He recommended that the firm immediately address these vulnerabilities and improve its cybersecurity posture.

According to a recent report by IBM, the average data breach cost is $3.86 million. This includes costs associated with detecting and containing the breach, notifying affected individuals, and providing identity theft protection services. The report also found that the cost per lost or stolen record containing sensitive information was $180.

If the accounting firm suffered a data breach, the financial impact could be substantial. For example, if the attackers had stolen 10,000 client records, the cost of the breach could have been $1.8 million.

  • Estimate the weakness. We have two weaknesses related to the workstations: 67% are using outdated operating systems and applications, and 29% have outdated anti-virus. We subtract the lowest value from the highest value (67-29=38) and divide that by 2 (38/2=19), then add that to the lowest value (29+19=48). That gives us the range of .29-.48-.67, which spans low to high. We have one web server with an SQL vulnerability, which we consider very high by default. That range is .80-.90-1.0.
  • Estimate the likelihood. For the workstations we will estimate the likelihood as high, or .60-.70-.80. We will estimate the likelihood of compromise for the web server as very high, or .80-.90-1.0.


  • Estimate the risk rating for the workstations and the web server, each based on a $50,000, $550,000, and $2,000,000 cost range. Compare the two to determine which source is more likely to result in a higher financial impact. In this example we are not splitting the financial cost between two probable risk sources; rather, we are comparing the two potential sources of a potential data breach against a single potential financial impact and comparing the resulting ratings, which are given in financial terms.


Cybersecurity Risk Quantification Copyright © by Charlene Deaver-Vazquez. All Rights Reserved.


NIST CSWP 11

Case studies in cyber supply chain risk management: summary of findings and recommendations.


Date Published: February 2020

Jon Boyens (NIST) , Celia Paulsen (NIST) , Nadya Bartol (Boston Consulting Group) , Kris Winkler (Boston Consulting Group) , James Gimbi (NIST)

This document is part of Case Studies in Cyber Supply Chain Risk Management, new research that builds on the CSD C-SCRM program's 2015 publications and aims to identify how C-SCRM practices have evolved. For this case study series, NIST conducted interviews with 16 subject matter experts across a diverse set of six companies in separate industries, including digital storage, consumer electronics, renewable energy, consumer foods, healthcare, and enterprise cybersecurity. These interviews informed the production of all documents in this series, including six individual company case studies, a summary of findings and recommendations, and a key practices document. This document summarizes findings and recommendations from the case studies. It describes trends, correlations, and novel findings garnered from an analysis of the interviews as a whole and may cover information not reported in any particular individual case study.

This document also contains recommendations for further research, study, and guidance development. The research concludes that C-SCRM is an evolving discipline that requires further attention from the user and research communities. While varied practices exist at mature organizations, less mature organizations are in need of further practical guidance and methods for implementing and evolving C-SCRM programs and practices. Proposed follow-up research opportunities include: quantitative cyber supply chain risk analysis and metrics; requirements to consider adding to supplier terms and conditions; sample supplier tiering structure (especially if an organization has a large number of suppliers) or other methods of applying criticality; and creating additional case studies that showcase successful C-SCRM programs that can be used by aspiring organizations as guidance.

Documentation

Publication: https://doi.org/10.6028/NIST.CSWP.11

Supplemental Material: Cyber SCRM Key Practices and Case Studies

Document History: 02/04/20: CSWP 11 (Final)


Cyber risk is an emerging source of systemic risk in the financial sector, and possibly a macro-critical risk too. It is therefore important to integrate it into financial sector surveillance. This paper offers a range of analytical approaches to assess and monitor cyber risk to the financial sector, including various approaches to stress testing. The paper illustrates these techniques by applying them to Singapore. As an advanced economy with a complex financial system and rapid adoption of fintech, Singapore serves as a good case study. We place our results in the context of recent cybersecurity developments in the public and private sectors, which can be a reference for surveillance work.

  • I. Motivation

Prominent cybersecurity incidents have raised the public profile of cyber risk. 2 The most notorious cyberattacks globally were WannaCry and NotPetya. The WannaCry ransomware attack of May 2017 affected computer systems in more than 150 countries ( Reuters, 2017 ). Possibly the most destructive cyberattack ever, NotPetya cost at least US$10bn ( Wired, 2018 ). Although not aimed at the financial sector, these attacks affected banks, ATM networks and card payment systems. The most well-known cyberattack in Singapore breached the confidential data held by a system of healthcare providers known as SingHealth ( Straits Times, 2018 ).

Financial services are becoming increasingly digitalized, broadening the attack surface 3 for possible cyber events. Financial institutions are relying more on digital assets, introducing new entry points into their networks and digitizing tasks and processes. These strategies require financial institutions to weigh cyber risks against the benefits of efficiency and customer experience. Financial services are the fourth most-digitized sector of the economy (Gandhi and others, 2018), and therefore highly exposed to cyber risk. The financial services sector also owns a lot of sensitive personal information, which explains why it is consistently one of the most highly targeted economic sectors for data breaches ( Verizon, 2017 – 19 ). At the same time, external threats to financial institutions are rising with the volume of internet traffic, the number of its connected devices and the falling cost of launching large-scale cyberattacks ( Cambridge Centre for Risk Studies, 2019 ).

Cyber risk can have systemic consequences for financial intermediation. A cyber event could lead to a run 4 on the deposits of a bank or to claims against an insurer. Traditionally, supervisors have treated cyber risk as a type of operational risk subject to microprudential supervision. However, an attack on a systemically important financial institution, a central counterparty, 5 or a major ATM network, the corruption of data of upstream providers on which financial contracts are based, or the disruption of critical third-party providers like global software providers or cloud computing services, could all have systemic implications. Cyberattacks could also target several financial institutions at the same time. Systemic effects can be exacerbated by financial and technological links between firms, concentrations, common exposures and second-round confidence effects. The possibility for systemic impacts on financial intermediation creates financial stability risks, which more national authorities are recognizing (OFR, 2017; MAS, 2018 ; Bank of Canada, 2019 ).

Cyber risk could even be macro-critical, meaning that it could contribute to macroeconomic fluctuations without necessarily triggering a financial crisis. The Council of Economic Advisers (2018) estimates that malicious cyber activity costs the U.S. economy between 0.3 and 0.6 percent of GDP in a typical year, but that the costs of a downside scenario could be several multiples greater. Under the downside scenario of a cyberattack on a national power grid, key infrastructure and amenities such as fuel supply, water supply, hospitals, public transportation, ports, railways, airports and communication services could be affected. Lloyd's and Cambridge University (2015) estimate that a localized power outage in the U.S. lasting two weeks would cost two percent of GDP and affect various economic aggregates, including public and private consumption, labor productivity, imports and exports. Cybersecurity is increasingly seen as a matter of public health and safety and national security (WEF, 2016; New York Times, 2019). While it remains to be seen whether cyberattacks could disrupt the functioning of fiscal or monetary policy, or whether cyber risk could lead to balance of payments stresses in a country, the IMF World Economic Outlook has recently added cyberattacks to its list of the main risks to global growth. 6

Public agencies with a mandate for macroeconomic and financial stability have a responsibility to assess cyber risk levels, but policymakers may be daunted by the lack of data and tools. The International Telecommunications Union (ITU) produces a Global Cybersecurity Index, which is useful for cross-country comparisons, tracking progress over time, and identifying areas for improvement. 7 However, it applies to whole economies, leaving open the question of how to assess and monitor cyber risk in financial sectors.

Several studies have provided a useful assessment of the impact of cyber risk on the financial system. Kamiya and others (2018) examine the drivers of the likelihood and severity of data breaches among financial and non-financial firms using a sample of 188 such incidents between 2005 and 2014. Bouveret (2019) estimates the tail quantiles of the distribution of direct losses (i.e., value-at-risk) from 341 cybersecurity incidents affecting financial institutions between 2009 and 2017. Some work is required to customize and apply these methods to monitor cyber risk to the financial sector of a given country. Santucci (2018) lists processes and frameworks for cyber risk management, 8 but the only measurement methodology appears to be cyber value-at-risk. 9

Limited data availability is a key challenge to assessing and monitoring cyber risk. 10 Few datasets are publicly available, given the confidentiality of cybersecurity incidents. The novelty of cyber risk means that existing datasets provide short time series for analysis. Except where regulations require it, financial institutions are reluctant to disclose cybersecurity incidents, given potential regulatory or legal sanctions. Reporting is not standardized currently, so financial institutions’ estimates of direct losses may not be comparable. 11 Indirect losses, including reputational effects, are difficult to quantify and can take time to materialize. Data may also become obsolete quickly, given the rapid pace of change in the information technology (IT) sector.

This paper offers simple analytical techniques and data sources for policymakers to assess and monitor cyber risk in the financial sector as part of their regular surveillance operations. It draws on the experience of Singapore, given its significant commitment to building capabilities in this area. 12 Despite the above challenges, we find that some data and methods are readily available to analyze cyber risk. Key indicators can be collected and tracked, event studies can be conducted, survey estimates can be requested, statistical models estimated in other contexts can be applied in data-poor environments, and quantitative results can be presented in a standardized format. This quantitative work complements more qualitative ongoing work on cyber risk surveillance approaches and policy frameworks for the financial sector (e.g., BCBS, 2018; FSB, 2017–18; IMF, 2019b; Kopp and others, 2017).

The rest of the paper is structured as follows. Section II further motivates surveillance of cyber risk through transmission channels of cyber events to the financial sector. Section III describes some analytical approaches, including tools and data, for monitoring and analyzing cyber risk in the financial sector. The regulatory approach by the MAS and efforts by financial institutions to deal with the cybersecurity threat in Singapore are introduced in Section IV . These approaches can serve as a checklist for those with responsibility for surveillance of cyber resilience and for other jurisdictions seeking to improve their institutional arrangements. Section V concludes and provides directions for future work.

II. Financial Stability Implications of Cyber Risk 13

This section presents the broad framework for considering financial stability risks posed by cyber events. We first provide a brief introduction of the different types of cyber events and their risk transmission channels before discussing a simple approach for determining how systemically impactful different cyber events can be. By focusing on system-wide financial implications of cyber events, this framework can complement existing risk analyses which tend to focus more on operational risks that cyber events pose from an entity-level perspective.

  • A. Microprudential Risks Posed by Cyber Events

Cyber events can be broadly categorized into three types, based on the harm that they inflict: theft, disruption, and damage. 14 Theft-related cyberattacks extract items that are valuable to the perpetrator, such as funds, customer credentials, intellectual property or market-valuable information. Disruption-related cyberattacks degrade business functionality or the availability of transactions or communications; websites, servers and internet-based businesses are examples of functions that can be disrupted. Finally, a cyberattack can also affect data integrity, or damage system hardware, software or other equipment. 15

Successful cyberattacks can cause financial institutions to experience various microprudential risks, namely solvency, liquidity, market, operational, legal, and/or reputational risks ( Figure 1 ). When an individual bank incurs significant monetary losses or loses access to the payments system in which interbank transactions take place due to a cyberattack, its capital buffers can be drawn down and it could face possible technical defaults from inability to receive and make payments. A bank can experience a deposit run and a liquidity shortage if a cyberattack undermines customers’ and counterparties’ confidence in the institution. 16 A cyberattack on critical financial market infrastructure, or corruption of time-sensitive market data can potentially cause financial institutions to suffer market losses due to adverse market movements or erroneous trading decisions. Lastly, legal and reputational risks associated with successful cyberattacks could also lead to a further erosion of confidence and create knock-on impacts on a financial institution’s solvency and liquidity positions. These cyber events could also accentuate the existing vulnerabilities in the banking system.

Figure 1. Cyber Risk and Systemic Risk: Transmission Channels

Citation: IMF Working Papers 2020, 028; 10.5089/9781513526317.001.A001

The microprudential implications of cyber events for insurers differ slightly from those for banks. Other than the risks posed by direct cyberattacks on themselves, insurers are exposed to underwriting losses arising from the provision of affirmative or non-affirmative (silent) cyber insurance coverage for clients. While affirmative cyber insurance explicitly covers losses arising from cyberattack events, non-affirmative (silent) cyber coverage refers to insurance policies that provide implicit, unintended coverage. For example, a cyberattack can cause the malfunction of cooling systems, resulting in hardware overheating and a fire that can be claimed under a fire insurance policy; such policies provide non-affirmative (silent) cyber insurance coverage. Claims arising from these exposures, if significant, can impair the solvency and liquidity positions of insurance companies.

  • B. Systemic Risk Transmission Channels of Cyber Events

Beyond posing microprudential risks for individual entities, cyber events can also propagate these risks through the entire financial system and cause systemic risks 17 through three broad transmission channels, namely risk concentration, risk contagion, and erosion of confidence, as shown in Figure 1 . 18

Risk concentration: a cyberattack on a key financial market infrastructure, third-party service provider, or a systemically important financial institution could mean a loss of services that cannot be easily and promptly substituted.

Risk contagion: a cyberattack on a financial institution could lead to difficulties that spill over to other financial institutions, given the highly interconnected nature of the financial system.

Erosion of confidence: a widespread attack could trigger an erosion of confidence across several financial institutions or the financial system.

Risk concentration arises when cyberattacks are launched on financial market infrastructures or entities that the financial system is heavily reliant on for its daily functioning and operations. Examples of such critical financial market infrastructures include payment and settlement systems, trading platforms, central securities depositories, and central counterparties. The disruption of critical financial market infrastructure would hamper market transactions and expose market participants to liquidity and solvency risk. 19 Similarly, the disruption of material infrastructures such as power grids, telecommunications networks and IT infrastructures (e.g., cloud providers or internet service providers) could cause a large disruption to the provision of financial services and negative consequences for the real economy. The shift in recent years to greater adoption of technology in the provision of financial services could also result in increased reliance on a few common key third-party entities that provide proprietary technology solutions. These critical service providers could come under direct cyberattack themselves and propagate risks to their institutional clients from the financial sector.

Risk contagion effects can also arise due to the high degree of interconnectedness within the financial system. For instance, impairment of business activities in a systemically important financial institution can curtail its ability to process transactions and post margins to its counterparties, resulting in heightened liquidity and solvency risks among multiple financial institutions. The failure of a highly interconnected and systemically important financial institution can cause multiple counterparty failures and trigger a ‘domino’ effect across the entire financial system.

Finally, the confidence effects of a cyber event can create systemic risks for the financial system. The impact of a loss of confidence can be difficult to estimate and predict and would depend on the length and severity of the damage or disruption caused by the cyberattack. Furthermore, while financial institutions can mitigate the direct loss impact of a cyber event through capital and liquidity buffers, an erosion of confidence can create a self-fulfilling chain effect that can overwhelm their existing buffers or contingency measures. For instance, an initial round of deposit withdrawals due to a cyber event can weaken a bank and further erode confidence, eventually culminating in a bank run with mass withdrawals. Given the potential outsized impacts of this transmission channel, measures such as coordinated crisis communications and effective contingency plans would be required to help maintain confidence during crises and minimize the likelihood of systemic outcomes.

Although the three channels described above are largely similar to the way traditional financial shocks are transmitted through the financial system, a key difference lies in the speed of materialization of risks within the financial system. The impact of a cyber event on a financial institution can quickly cause problems to materialize within the entity and transmit these to the rest of the financial system much faster than traditional forms of risks. Another key difference is that a cyberattack at multiple non-systemic but (technologically) connected financial institutions could spill over to large systemically important financial institutions, even if the direct financial contagion from non-systemic firms would be limited. It is thus pertinent that policymakers develop a deeper understanding of the impact and transmission channels of cyber events and respond in a timely manner to minimize the risk that an event leads to systemic risk.

  • C. Systemicity of Cyber Events

An accurate assessment of the systemic risk impact of a cyber event would require both an understanding of the nature of different cyber events and identification of the relevant risk transmission channels. Figure 2 below provides an example of an approach to differentiate and assess the systemicity of different types of cyberattacks. For instance, theft- and disruption-related cyberattacks are likely to place pressure on financial institutions' liquidity and solvency buffers, and the adequacy of these buffers would influence whether financial institutions propagate these shocks to their counterparties and contribute to systemic outcomes. Post-crisis, the buildup of buffers among financial institutions is likely to help mitigate theft- and disruption-related impacts and lower the likelihood of systemic outcomes from these types of cyberattacks.

Figure 2. Systemic Risk of Various Cyber Events

Conversely, cyberattacks involving data damage can result in higher systemic risk. Financial institutions are particularly vulnerable to data damage, given the importance of data integrity in the financial sector. The financial impact of data damage could be significant, with indirect effects, such as loss of clients and reputational risk, likely to be more material than direct effects (recovery and litigation costs). The loss of confidence in the data damage event could be very severe, especially if data manipulation has gone undetected for a prolonged period. This is because its impact would have propagated to a wider group of financial institutions, and any rectification would take an extended period.

III. Analysis of Cyber Risk to Financial Institutions

This section describes some approaches, including tools and data, for monitoring and analyzing cyber risk in the financial sector. It illustrates how they can be applied, focusing on Singapore as a case study. Other approaches, like on-site inspections, penetration testing and thematic reviews, are also identified in the Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector published by the G-7.

  • A. Reinterpreting Traditional Risk Analyses as Cyber Risk Analyses

Traditional solvency stress tests, liquidity stress tests and contagion risk analyses already capture some aspects of cyber risk to financial institutions. For example, solvency stress tests already simulate a situation where asset prices decline sharply. A cyber event, particularly a form of fraudulent market manipulation, could be the source of this fall in asset prices. Liquidity stress tests already simulate a situation where depositors withdraw from an individual bank and where banks are also forced to sell or lend their assets at discounted prices to meet such cash requirements. A cyber risk event, possibly including a loss of reputation, could be the source of this liquidity stress. Contagion risk analyses, based on networks of bilateral exposures between financial institutions, simulate a cascading transmission of credit and liquidity risk between institutions. A cyber event, leading to a loss of confidence in a bank, for example, could be the source of the initial bank failure that causes domino effects via the interbank network.

Therefore, cyber risk to financial institutions can be assessed to some extent through the resilience of those institutions to traditional solvency, liquidity and contagion risks. In the Singapore context, a comprehensive set of risk analyses was published following the 2019 Financial Sector Assessment Program ( IMF, 2019c ). Since staff concluded that the financial system would remain resilient under adverse macroeconomic conditions, the same buffers can be taken as adequate for absorbing the direct losses of a cyberattack, even in the absence of a direct appraisal of cyber risk and resilience. The inference covers only the loss-absorbing channel: a capital or liquidity buffer does not restore corrupted data, which is why the data-damage events of Section II.C are treated as carrying higher systemic risk than theft or disruption.

  • B. Key Indicators

Indicators on cyber risk in the financial sector are useful for assessing risk. These could be based on data of past incidents, investments, ratings or time to address risks. They are analogous to the idea of financial soundness indicators, applied to cyber risk.

Data on cybersecurity incidents can be analyzed by agencies tasked with monitoring financial stability. In many countries, a mandatory reporting framework for breaches of customers' confidential information is already in place. Official cybersecurity operations centers often collect data on cyber events. The frequency of events can be monitored through time, as well as in the distribution of events across types of financial firm. For example, Figure 3 illustrates the rising frequency of cybersecurity incidents internationally, 20 which could reflect a combination of more frequent incidents and improved detection of incidents. 21, 22 In Singapore, cyberattacks on financial institutions have primarily targeted securities firms and banks (second panel of Figure 3 ), and only one thus far has led to a direct pecuniary loss. Most of the cyberattacks in Singapore were aimed at causing business disruption, such as distributed denial of service (DDoS) attacks and website vandalism. Nevertheless, there have also been incidents of ransomware and attacks on third-party providers (including providers of cloud services and productivity and marketing software). Of course, many cybersecurity incidents do not incur losses while others incur large losses, so frequencies of events provide only partial information. If data on financial losses are available, then the total value of losses can analogously be tracked over time and across types of financial institutions. 23

Other indicators can also be monitored:

Resources allocated to cybersecurity can be measured in headcount and proportion of the IT budget. PWC (2014) finds that firms allocate 4 percent of their IT budget to cybersecurity; in Singapore, the Cyber Security Agency (CSA) recommends 8 percent ( CSA, 2018 ).

Private sector firms (e.g., BitSight) produce cybersecurity ratings for financial institutions that can be monitored. 24

Financial institutions often collect information on the time they take to patch vulnerabilities, replace end-of-life software or detect malicious activity on their networks. A typical benchmark is to apply patches for critical vulnerabilities within 15 days and for high vulnerabilities within 30 days. 25

Financial institutions also collect information on the numbers of devices with or installations of outdated software.

Financial institutions can measure the proportion of staff that have completed security training courses . Some institutions perform regular phishing exercises on their own staff, measuring and tracking the proportion of staff that passes the tests.

Indices for monitoring can be constructed from predictive models that provide early warning of unusual activity. These can be constructed by applying statistical techniques to analyze network traffic data or firewall logs.

Internet searches for the cybersecurity of specific financial institutions can be monitored through time, for example using Google Trends ( Redscan, 2019 ).

Figure 3. Frequency of Cybersecurity Incidents (number of events)

BCBS (2018) lists other indicators that firms themselves monitor. These include the number of times malware or websites were blocked, the number of online directories containing stakeholder information, the number of and ratings from penetration tests, and the number of unknown devices on networks. The appendix gathers some of the potential indicators from this subsection into example templates for regulators and financial institutions.
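Most of the indicators above can be computed from records an institution already holds. The following Python is an added example, not code from the paper or from MAS or BCBS; it runs over constructed incident and vulnerability records (not real data) and assumes the record layouts, the as-of date and the 15-day and 30-day patch windows quoted above. It produces the two frequency panels of Figure 3 and patch-SLA compliance by severity, treating a still-open vulnerability that has outlived its window as a breach and one still inside its window as not yet decided, so that a long backlog of recently published items cannot flatter the ratio.

```python
"""Added example: key indicators computed from constructed records.
Not code from the paper; record layouts, AS_OF and the data are assumptions."""
from collections import Counter
from datetime import date

# Patch benchmark quoted in the text: critical within 15 days, high within 30.
SLA_DAYS = {"critical": 15, "high": 30}

# Date at which the indicators are computed (assumption).
AS_OF = date(2019, 5, 15)

# Constructed incident records: (year, firm type, harm category). Not real data.
INCIDENTS = [
    (2017, "bank", "disruption"),
    (2017, "securities", "theft"),
    (2018, "bank", "disruption"),
    (2018, "bank", "theft"),
    (2018, "insurer", "disruption"),
    (2019, "securities", "damage"),
    (2019, "bank", "disruption"),
    (2019, "bank", "disruption"),
]

# Constructed vulnerability records: (id, severity, published, patched or None).
VULNS = [
    ("VULN-A", "critical", date(2019, 3, 1), date(2019, 3, 10)),  # fixed in 9 days
    ("VULN-B", "critical", date(2019, 3, 1), date(2019, 3, 14)),  # fixed in 13 days
    ("VULN-C", "high", date(2019, 4, 1), date(2019, 4, 20)),      # fixed in 19 days
    ("VULN-D", "high", date(2019, 4, 1), None),                   # open, 44 days at AS_OF
    ("VULN-E", "high", date(2019, 5, 10), None),                  # open, 5 days at AS_OF
    ("VULN-F", "low", date(2019, 4, 1), None),                    # no window defined
]


def incident_frequency(incidents):
    """Counts per year and per firm type: the two panels of Figure 3."""
    by_year = Counter(year for year, _, _ in incidents)
    by_type = Counter(firm for _, firm, _ in incidents)
    return dict(sorted(by_year.items())), dict(by_type)


def days_to_fix(published, patched, as_of):
    """Age of a vulnerability: time to patch, or time open so far if unpatched."""
    return ((patched or as_of) - published).days


def overdue(vulns, as_of):
    """Ids of still-open vulnerabilities that have outlived their patch window."""
    return [
        vid for vid, sev, pub, patched in vulns
        if patched is None and sev in SLA_DAYS
        and days_to_fix(pub, None, as_of) > SLA_DAYS[sev]
    ]


def patch_sla_compliance(vulns, as_of):
    """Share of vulnerabilities fixed inside their window, by severity.
    A patched item is compliant if it was fixed in time. An open item past
    its window counts as a breach; an open item still inside its window has
    no outcome yet and is left out of the ratio. Severities without a
    defined window are ignored."""
    outcomes = {}
    for _, sev, pub, patched in vulns:
        if sev not in SLA_DAYS:
            continue
        age = days_to_fix(pub, patched, as_of)
        if patched is None and age <= SLA_DAYS[sev]:
            continue
        outcomes.setdefault(sev, []).append(age <= SLA_DAYS[sev])
    return {sev: sum(flags) / len(flags) for sev, flags in outcomes.items()}


if __name__ == "__main__":
    print(incident_frequency(INCIDENTS))
    print(patch_sla_compliance(VULNS, AS_OF))
    print(overdue(VULNS, AS_OF))
```

On the constructed records the critical ratio is 1.0 and the high ratio 0.5, with VULN-D the only overdue item; VULN-E is five days old and is deliberately excluded rather than counted as compliant.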

  • C. Monitoring Risk Without Cybersecurity Incident Data

If cybersecurity incident data are available, models of the likelihood and severity of incidents can be estimated, as described in the following subsection. However, even if such data are not available, published models that were estimated in other contexts can be applied to the jurisdiction of interest. For example, studies like Kamiya and others (2018) provide formulae that can be used to estimate the likelihood of a cyberattack on a firm or the fall in stock price that would result from a hypothetical cyberattack on a firm if it were to occur. These formulae are coefficients of regressions estimated on publicly available data. To apply a formula to a given firm, one only needs to calculate some firm-specific variables like size, Tobin’s q , stock return, leverage and asset intangibility as inputs. 26 These calculations can be updated in real time, as firm-specific variables change. One caveat of such approaches is that estimates will be affected by the sample selection bias that underlies any dataset on which these formulae are based.

Another useful analytical technique in the absence of data is the questionnaire, which could be a self-assessment or a tool for the regulator to gain information from financial institutions (possibly within the supervision process). Healey and others (2018) provide examples of questions.

  • D. Data Sources, Event Studies and Value-at-Risk

Datasets are also available for bespoke analysis on cyberattacks, and we provide below two examples of studies that were conducted using these datasets.

Kamiya and others (2018) used data published by the Privacy Rights Clearinghouse (PRC) for their event study analysis. The authors use a sample of 188 cyberattacks that led to data breaches at U.S. financial and non-financial firms between 2005 and 2014. They find that median stock returns fall by 50 basis points and value-weighted stock returns fall by 76 basis points on a cyberattack, both estimates being statistically significant. The authors also control for other asset pricing factors, but it is unclear whether these are correlated with incidents of data breaches.

We analyzed a subset of 341 cyberattacks pertaining to financial institutions worldwide using news stories data compiled by the Operational Riskdata eXchange Association (ORX). 27 An event study approach suggests that financial firms’ stock prices fall by 45 and 39 basis points on days of cyberattacks leading to data breach or business disruption respectively (first panel of Figure 4 ). 28 The loss on data breaches is similar to the 50 basis points found by Kamiya and others (2018) , whose coverage is slightly different. 29 Incidents of cyber-related fraud have had much smaller effects. Nevertheless, the wide confidence bands in Figure 4 suggest that these losses are difficult to distinguish from normal stock market volatility.

Figure 4. Severity of Cyberattacks

Apart from event studies, such data can also be used to estimate the value-at-risk associated with cyber events, which is the largest loss that could be expected to occur with a given level of confidence. Bouveret (2019) uses ORX news stories data to estimate the value-at-risk of direct losses from cyber events, expressed in constant price U.S. dollars. To illustrate a similar approach with a slightly new application, the second panel of Figure 4 shows the (estimated lognormal) distribution of direct losses in percent of the organization's revenues of the previous year. 30 The 95 percent one-year value-at-risk is then 4.7 percent of revenues, but it is subject to significant estimation uncertainty. 31 This estimate is in line with Bouveret (2019) , who estimates an analogous value-at-risk of 17 percent of net income, 32 which is about 2.5 percent of gross income for the firms in our data. Our value-at-risk is expected to be a bit larger because it is conditional on observing a (positive) loss, while Bouveret's (2019) is an unconditional estimate.

Again, every dataset on cybersecurity incidents is affected by sample selection bias and the results of analyses must therefore be taken with caution. Since most of the events in the PRC and ORX datasets are not systemic events for the financial sector, such estimates should also not be considered as estimates of the systemic risk from cyberattacks, which could be larger.
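To make the two calculations in this subsection concrete, here is an added Python example; it is not the paper's code and is not run on the ORX or PRC data. It uses constructed event-day abnormal returns and constructed loss shares, fits the lognormal from the mean and standard deviation of the log-losses, and derives an unconditional value-at-risk from the conditional one for an assumed probability of observing a positive loss over the horizon, which is the adjustment the comparison with Bouveret (2019) above turns on. The 1.96 normal band in the event study is an assumption standing in for whatever band construction underlies Figure 4.

```python
"""Added example: event-study band and lognormal value-at-risk on constructed data.
Not the paper's code; EVENT_RETURNS_BP, LOSS_SHARES and the 1.96 band are assumptions."""
import math
from statistics import NormalDist, mean, stdev

# Constructed event-day abnormal stock returns in basis points, one per incident.
EVENT_RETURNS_BP = [-120, -30, 10, -80, -25, 45, -60, -100, 5, -95]

# Constructed direct losses as a share of previous-year revenue, each observed
# because a loss occurred (i.e. conditional on a positive loss). Chosen so that
# the log-losses are exactly -3, -2, -1, 0, 1.
LOSS_SHARES = [math.exp(k) for k in (-3, -2, -1, 0, 1)]


def event_study(returns_bp):
    """Mean event-day return and a normal-approximation 95% band.
    If the band straddles zero, the average loss is not distinguishable
    from ordinary market volatility (the point made about Figure 4)."""
    n = len(returns_bp)
    m = mean(returns_bp)
    half_width = 1.96 * stdev(returns_bp) / math.sqrt(n)
    lo, hi = m - half_width, m + half_width
    return {"mean_bp": m, "ci95_bp": (lo, hi), "distinct_from_zero": lo > 0 or hi < 0}


def fit_lognormal(losses):
    """Lognormal parameters as the mean and sample sd of the log-losses."""
    logs = [math.log(x) for x in losses]
    return mean(logs), stdev(logs)


def conditional_var(losses, level=0.95):
    """Loss exceeded with probability 1 - level, given that a loss occurs:
    the quantile of the fitted lognormal, exp(mu + sigma * z_level)."""
    mu, sigma = fit_lognormal(losses)
    return math.exp(mu + sigma * NormalDist().inv_cdf(level))


def unconditional_var(losses, p_loss, level=0.95):
    """Loss exceeded with probability 1 - level over the horizon when a loss
    occurs at all with probability p_loss. Since
        P(L > v) = p_loss * P(L > v | loss occurred),
    the conditional tail to look up is (1 - level) / p_loss. If that tail is
    1 or more, fewer than (1 - level) of horizons see any loss and the
    quantile is zero. This is why a conditional estimate (as in the text)
    sits above an unconditional one for the same data."""
    tail = (1 - level) / p_loss
    if tail >= 1:
        return 0.0
    return conditional_var(losses, level=1 - tail)


if __name__ == "__main__":
    print(event_study(EVENT_RETURNS_BP))
    print(conditional_var(LOSS_SHARES))
    print(unconditional_var(LOSS_SHARES, p_loss=0.5))
```

With the constructed returns the mean event-day move is -45 basis points and the band lies entirely below zero; with real samples of a few hundred heterogeneous incidents the band is typically much wider, which is the caution the text attaches to Figure 4. The same sample-selection caveat applies to the fitted lognormal: the loss shares only ever include incidents that were reported.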

  • E. A Cyber Risk Assessment Matrix (Cyber RAM)

A Risk Assessment Matrix (RAM) is an analytical device commonly used in IMF surveillance to present the results of an assessment undertaken by staff. 33 A RAM is a table, where rows index downside scenarios and columns show the likelihood and severity of each. The same device can be used to present the results of an assessment of cyber risk, which could be the collective judgement of a group of experts or a summary of the results of a survey. 34

Table 1 illustrates this presentational device based on a MAS-administered cyber stress test of 18 banks in Singapore in 2019. In the stress test, banks were asked to describe two severe cyber risk scenarios that they would be most vulnerable to. The first cyber risk scenario had to feature a direct cyberattack on the bank, while the second scenario had to feature a cyberattack on an external party (e.g., third-party service provider) on which the bank relies for its operations. In formulating these scenarios, banks could either reference known events, or come up with hypothetical ones that are unprecedented but plausible. Banks were also asked to provide (i) qualitative analysis of transmission channels; (ii) mitigating measures that could be taken in response to the cyberattack; and (iii) quantitative estimates of potential losses with and without the mitigating measures. The ‘likelihood’ shown in this table is based on the proportion of banks that identified the scenario, rather than on any expert judgement. A column could be added to the table with information on banks’ estimated losses under each scenario, to capture severity.

Table 1. Cyber Risk Assessment Matrix for Banks 1/

| Scenario | Likelihood 2/ |
| --- | --- |
| Theft. For example, ATM jackpotting: malware causes ATMs to dispense cash, especially if the malware is delivered through the centralized ATM software delivery system. | 60% of respondents |
| Disruption. For example, a DDoS attack: disruption to websites prevents customers from accessing internet and mobile banking applications, while customers would still have access to banking services at bank branches. A more severe example would be a disruption of a bank's own payment processing system. | 60% of respondents |
| Data damage. A bank discovers that its customer data has been corrupted for three days. The affected data include demographics, transactions and account balances. Banking services are disrupted until the data can be recovered. | 20% of respondents |
| Attack on a third-party provider. The most important providers include payments and clearing systems (public and private), telecommunications, utilities and printing. | n.a. |

2/ The likelihoods reported in this table are based on the fraction of banks that identified the scenario as a significant risk to themselves, rather than on any expert judgement.

The specific cyber risk scenarios envisaged by banks in Singapore generally fall into three categories: theft of data or money; disruption of banks’ IT or payment systems; and damage to or corruption of customer data. Banks indicated that they would be most affected by the first two categories (money theft and IT system disruptions). The most typical cyberattack scenario takes the form of a phishing email that infects user workstations with malware, which subsequently spreads within the bank network to other systems, resulting in theft of data or money and disruption of services.

Banks indicate that adequate measures are in place to mitigate the attacks, including multiple layers of security controls, like strong data encryption, access controls, regular cyberattack simulations, and disaster recovery measures. Unsurprisingly, systemic cyber risk scenarios are relatively unexplored by individual banks. The cyber RAM can also include scenarios that were identified by policymakers, not only by financial institutions themselves.

  • F. Stress Tests on Cyber Risk in Singapore

Policymakers can obtain estimates of the likelihood and severity of cyberattacks by asking financial institutions to assess them using proprietary data. The estimates obtained are checked for reasonableness with simple validation checks and by comparing estimates across financial institutions. Such exercises also encourage financial institutions to allocate more resources to this area and to develop their risk management practices. These tests could involve estimating losses from a prescribed scenario, identifying scenarios that would result in severe losses, and estimating the coverage against cyber risk that financial institutions have written.

The MAS conducts stress tests and industry-wide exercises for financial institutions to assess their resilience to cyber threats from two complementary perspectives. While the focus of stress tests is on the adequacy of capital and liquidity buffers to weather the impact of cyberattacks, industry-wide exercises test their business continuity and crisis management plans to respond and recover from cyberattacks.

A cyber risk scenario was first introduced in the MAS’ industry-wide stress test (IWST) in 2016 to attune participants to the microprudential implications of cyber risks. In the scenario, an international crime syndicate was assumed to have launched a series of simultaneous hacking attacks on some of the financial institutions in the Asia region, including Singapore. The cyberattack resulted in loss of entire customer databases and a 24-hour system downtime for the banks’ client-facing (including mobile and web-based) operational systems. The stress test results showed a somewhat smaller impact on banks than expected, and the estimated losses varied significantly across banks. This partly reflected the fact that some banks did not explicitly account for systemic impacts arising from financial contagion and confidence effects. Indeed, the few banks that considered systemic transmission channels (e.g., inability by affected counterparties to fulfill payment obligations and customer deposit withdrawals due to confidence effects) reported much larger losses than the other banks. In addition, banks were still building up expertise in quantifying the microprudential costs of cyber risks, and the exercise provided a valuable learning experience for both the banks and MAS.

Direct life and general insurers were likewise required to quantify the losses that they could potentially experience because of disruption to their operations under the same cyberattack scenario that was prescribed for banks. In addition, the scenario included disruption to five of the insurers’ largest clients to whom they had provided affirmative cyber insurance coverage. For disruption of insurers’ operations, insurers considered impacts from a decline in new business volume/termination of existing business and increase in operational and other costs arising from system remediation or compensation to policyholders. For disruption to clients to whom the insurers had provided affirmative cyber insurance coverage, the cyberattack was expected to trigger claim losses that exceed the limits of the cyber policies. The 2016 cyber stress test results suggested that insurers were not materially impacted by the scenario. No insurer failed the cyber risk scenario.

The MAS, in collaboration with the IMF, built on the 2016 exercise by conducting another stress test on cyber risk as part of the 2019 IWST and the Financial Sector Assessment Program (FSAP). As described above in the context of the cyber RAM, banks were asked to identify the most impactful direct and third-party cyberattack scenarios. This approach allowed MAS to explore the most dire cyber scenarios (for financial buffers and profits). It also furthered MAS’ understanding of how banks identify the relevant transmission channels and built up an internal inventory of cyber scenarios for future work. The 2019 approach, however, had the disadvantage that results were more difficult to aggregate and compare across banks.

As seen in Table 2, the results of the 2019 IWST bank cyber stress test were aggregated separately for scenarios relating to theft, disruption and damage, as the banks had performed stress tests on different cyber scenarios. Banks estimated that they would be most affected by theft of funds and business disruption scenarios but would have ample capital and liquidity buffers to mitigate the impact of these cyberattacks (Table 2). On average, banks estimated that losses from a direct cyberattack would amount to about 35–65 percent of quarterly net profits, depending on the cyber scenario type, and would cause the Capital Adequacy Ratio (CAR) and the Liquidity Coverage Ratio (LCR) to drop by 0.1–0.4 and 8.4–35 percent respectively. Indirect cyberattacks result in smaller losses of 20–50 percent of quarterly net profits and insignificant falls in the CAR and LCR. Results also suggest that confidence effects from cyberattacks are likely to impact banks more immediately through the customer deposit channel than through credit demand. Banks expect most of the costs of these cyberattacks to reflect declines in future revenue due to reputational impact, and other costs such as monies stolen, legal charges and marketing/public relations expenses.

Table 2. Bottom-up Estimates of Banks’ Losses from a Direct Cyberattack

(In percent)

| | Direct cyberattack: Theft | Direct cyberattack: Disruption | Direct cyberattack: Damage | Indirect cyberattack: Theft | Indirect cyberattack: Disruption |
|---|---|---|---|---|---|
| Fall in demand for credit (in percent of credit) | 0.4 | 0.1 | 0.1 | 0.2 | 0.1 |
| Withdrawal of deposits (in percent of deposits) | 1.7 | 1.9 | 1.1 | 5.1 | 3.9 |
| Loss (in percent of quarterly profits) | 65.2 | 44.4 | 36.4 | 20.4 | 50.7 |
| Fall in CAR (in percentage points) | 0.1 | 0.2 | 0.4 | 0.1 | 0 |
| Fall in LCR (in percentage points) | 9.5 | 35 | 8.4 | 1.6 | 3.6 |
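As an added illustration (not part of the paper and not MAS data), the following Python builds a cyber RAM in the style of Table 1 and the per-type aggregates of Table 2 from per-bank scenario submissions. The bank records, scenario descriptions and loss figures are constructed; likelihood is the share of banks that identified a scenario type, and severity is the mean estimated loss with and without mitigation.

```python
"""Build a cyber Risk Assessment Matrix (RAM) from bank stress-test submissions.

Added illustration; the per-bank records below are constructed, not MAS data.
Likelihood = share of participating banks that identified a scenario type
(the Table 1 convention); severity = mean estimated loss, as in Table 2.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Submission:
    bank: str
    attack: str                 # "direct" or "indirect" (third-party) cyberattack
    scenario_type: str          # "theft", "disruption" or "damage"
    description: str
    loss_pct_profit: float      # loss, percent of quarterly net profit, before mitigation
    loss_mitigated_pct: float   # same, after mitigating measures
    fall_car_pp: float          # fall in Capital Adequacy Ratio, percentage points
    fall_lcr_pp: float          # fall in Liquidity Coverage Ratio, percentage points


# Constructed sample: five banks, each describing one direct and one indirect scenario.
SAMPLE = [
    Submission("A", "direct", "theft", "ATM jackpotting via central software push", 70.0, 30.0, 0.1, 10.0),
    Submission("A", "indirect", "disruption", "clearing provider outage", 45.0, 20.0, 0.0, 4.0),
    Submission("B", "direct", "disruption", "DDoS on internet/mobile banking", 40.0, 15.0, 0.2, 30.0),
    Submission("B", "indirect", "theft", "payment gateway compromise", 25.0, 10.0, 0.1, 2.0),
    Submission("C", "direct", "theft", "phishing, malware, fraudulent transfers", 60.0, 25.0, 0.1, 9.0),
    Submission("C", "indirect", "disruption", "telecom outage", 55.0, 30.0, 0.0, 3.0),
    Submission("D", "direct", "damage", "customer data corrupted for three days", 35.0, 20.0, 0.4, 8.0),
    Submission("D", "indirect", "disruption", "printing vendor breach", 50.0, 25.0, 0.0, 4.0),
    Submission("E", "direct", "theft", "credential theft and wire fraud", 65.0, 35.0, 0.1, 9.5),
    Submission("E", "indirect", "theft", "third-party API abuse", 15.0, 5.0, 0.1, 1.0),
]


def likelihood_by_type(subs, attack):
    """Share of banks (0-1) that identified each scenario type for the given attack kind.

    A bank counts once per type even if it submitted several scenarios of that type.
    Types nobody identified still appear, with likelihood 0.0 (Table 1 has such a row).
    """
    banks = {s.bank for s in subs}
    banks_by_type = defaultdict(set)
    for s in subs:
        if s.attack == attack:
            banks_by_type[s.scenario_type].add(s.bank)
    return {t: len(banks_by_type[t]) / len(banks) for t in ("theft", "disruption", "damage")}


def severity_by_type(subs, attack):
    """Mean loss and buffer impact per scenario type, the Table 2 style of aggregation."""
    groups = defaultdict(list)
    for s in subs:
        if s.attack == attack:
            groups[s.scenario_type].append(s)
    return {
        t: {
            "loss_pct_profit": round(mean(x.loss_pct_profit for x in g), 1),
            "loss_mitigated_pct": round(mean(x.loss_mitigated_pct for x in g), 1),
            "fall_car_pp": round(mean(x.fall_car_pp for x in g), 2),
            "fall_lcr_pp": round(mean(x.fall_lcr_pp for x in g), 1),
        }
        for t, g in groups.items()
    }


def build_ram(subs, attack="direct"):
    """Rows of the RAM: (type, likelihood, severity dict or None), most likely first."""
    lik = likelihood_by_type(subs, attack)
    sev = severity_by_type(subs, attack)
    rows = [(t, lik[t], sev.get(t)) for t in lik]
    # Sort by likelihood, then by unmitigated loss; types with no submission sort last.
    rows.sort(key=lambda r: (r[1], r[2]["loss_pct_profit"] if r[2] else -1), reverse=True)
    return rows


def print_ram(subs, attack="direct"):
    """Render the RAM as a fixed-width table."""
    print(f"Cyber RAM, {attack} cyberattack ({len({s.bank for s in subs})} banks)")
    print(f"{'scenario':<12}{'likelihood':>11}{'loss %profit':>14}{'mitigated':>11}{'dCAR pp':>9}{'dLCR pp':>9}")
    for t, p, s in build_ram(subs, attack):
        if s is None:
            print(f"{t:<12}{p:>11.0%}{'n.a.':>14}")
            continue
        print(f"{t:<12}{p:>11.0%}{s['loss_pct_profit']:>14}{s['loss_mitigated_pct']:>11}"
              f"{s['fall_car_pp']:>9}{s['fall_lcr_pp']:>9}")


if __name__ == "__main__":
    print_ram(SAMPLE, "direct")
    print_ram(SAMPLE, "indirect")
```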

As part of the 2019 IWST exercise, Singapore insurers were asked to measure their exposures to cyber risk through the affirmative and non-affirmative (silent) cyber risk coverage that they had written. Specifically, the MAS surveyed 17 direct general/composite insurers on the claims that would arise if their ten largest clients of affirmative cyber coverage and their 10 largest clients of property and casualty insurance were victims of cyberattacks. In the scenario, sensitive data in the organizations’ client-facing, back-end and backup systems were corrupted and stolen under a ransomware attack. The scenario prevented these organizations from resuming their operations using accurate and complete data for at least four weeks.

Direct insurers expected the claims from affirmative and non-affirmative (silent) cyber coverage to be manageable, mainly due to reinsurance arrangements in place. Insurers reported exposure of S$600 million and S$3.4 billion for affirmative and non-affirmative (silent) cyber coverage, respectively. Claims arising from these exposures amounted to S$1.8 billion, which were shared between the direct insurers and their reinsurers and could be offset against a release of technical reserves. The net losses reduced the aggregate CAR of these insurers by only three and two percentage points for affirmative and non-affirmative (silent) cyber coverage, respectively. Some insurers which participated in the cyber stress test exercise and had exposure to silent cyber coverage have since put in place risk mitigation actions, including inserting appropriate exclusion clauses in their contracts.

  • G. Analysis of Cyber Risks Posed by Outsourcing Relationships

A comprehensive analysis of cyber risks would also need to incorporate risks posed by financial institutions’ outsourcing relationships. It is common for financial institutions to adopt outsourcing practices to enhance efficiency by tapping on third-party service providers with specialized expertise. However, outsourcing activities also expose firms to cyber risks associated with the IT security posture of their outsourcing partners. For example, cyber breaches at outsourcing partners could lead to disruption of outsourced services, leakage of sensitive customer information, or compromise of financial institutions’ IT environments through the IT linkages that they have established with their partners. This creates a risk that needs to be monitored. Furthermore, concentration risk can arise if many financial firms rely on the same service providers, particularly if these outsourcing service providers are reputable and established in their areas of expertise.

In Singapore, the MAS regularly collects information on the outsourcing arrangements of financial institutions. In particular, financial institutions are expected to maintain an updated register of all existing outsourcing arrangements and to submit this register to MAS at least annually or upon request. MAS uses the information in the registers to determine whether there are any commonly used service providers that may warrant closer scrutiny given potential concentration risks. The MAS recently completed a review of financial institutions’ concentration of exposures to outsourcing providers. The review concluded that there are no significant operational linkages between major financial institutions and technology firms.

  • H. Mapping the Network of Financial and Cyber Exposures

The financial-cyber network map is an approach that regulators can use to analyze cyber risk exposures further (IMF, 2019b). Usually, interconnectedness of financial claims and obligations is measured independently of information and communications technology (ICT) interconnectedness. However, these connections can provide complementary information if combined. For example, two firms may not be directly connected, but may be connected through other firms by a combination of financial and ICT connections. 35 The connections can also signal contagion or concentration risks and firm-specific vulnerabilities that can inform microprudential supervisors.

Such a map consists of nodes and edges. The nodes include all financial institutions, critical information infrastructures and third-party providers. Therefore, the first step in constructing such a map is to identify these entities. The edges are the financial and ICT connections between entities. ICT connections could reflect actual or potential data flows between computer systems. Such data flows could be measured in terms of importance to the business 36 or simply by whether or not a connection exists. Financial exposures between financial institutions are typically collected in standard supervisory reporting templates. ICT exposures to third-party providers are sometimes collected as part of the approvals process for material outsourcing relationships. Information on other relationships must be collected separately or estimated.

Once a dataset of all nodes and edges is established, it forms the (possibly weighted) adjacency matrix of a network that can be plotted as a network ‘map’ using standard software. Different colors could be used to distinguish financial and ICT connections. 37 Constructing such a map is ongoing in Singapore. Accordingly, the accompanying chart shows a stylized depiction (Figure 5).

Figure 5. An Example of a Financial-Cyber Network Map
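An added illustration, not from the paper or from MAS, of the two-layer map described in this section and of the outsourcing concentration check in Section G. The nodes, exposures and data flows are constructed; the code builds one adjacency matrix per layer, finds a pair of firms that neither layer connects on its own but the combination does, and ranks third-party providers by the number of institutions depending on them.

```python
"""Two-layer financial-cyber network map: financial exposures plus ICT links.

Added illustration of the approach described in the text; all nodes, exposures
and data flows below are constructed and are not Singapore data. Standard
library only, so it runs offline (a plotting tool would take the matrices).
"""
from collections import deque

# Constructed node set: three banks, one financial market infrastructure
# (a critical information infrastructure) and two third-party providers.
NODES = ["B1", "B2", "B3", "CCP", "CloudX", "TelcoY"]
KIND = {"B1": "bank", "B2": "bank", "B3": "bank", "CCP": "cii",
        "CloudX": "provider", "TelcoY": "provider"}

# Edges are (from, to, weight). Financial weights are exposures (S$ mn);
# ICT weights are business criticality of the data flow (1 = low, 3 = high).
EDGES = {
    "financial": [("B1", "B2", 120.0), ("B2", "CCP", 300.0)],
    "ict": [("B2", "CloudX", 3), ("B3", "CloudX", 3), ("CCP", "TelcoY", 3)],
}


def adjacency_matrix(layer):
    """Weighted adjacency matrix (rows/cols in NODES order) for one layer.

    Links are treated as undirected: either party is affected by the other's
    failure, which is what matters for contagion analysis.
    """
    idx = {n: i for i, n in enumerate(NODES)}
    m = [[0.0] * len(NODES) for _ in NODES]
    for a, b, w in EDGES[layer]:
        m[idx[a]][idx[b]] = m[idx[b]][idx[a]] = float(w)
    return m


def neighbours(node, layers):
    """Yield (neighbour, layer) pairs of `node` over the selected layers."""
    for layer in layers:
        for a, b, _ in EDGES[layer]:
            if a == node:
                yield b, layer
            elif b == node:
                yield a, layer


def shortest_path(src, dst, layers=("financial", "ict")):
    """Breadth-first search over the union of the chosen layers.

    Returns a list of (node, layer_used_to_reach_it) hops, or None when the
    two entities are not connected through those layers. Restricting `layers`
    to a single layer shows what a one-layer analysis would miss.
    """
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt, layer in neighbours(cur, layers):
            if nxt not in parent:
                parent[nxt] = (cur, layer)
                queue.append(nxt)
    if dst not in parent:
        return None
    path, node = [], dst
    while parent[node] is not None:
        prev, layer = parent[node]
        path.append((node, layer))
        node = prev
    return list(reversed(path))


def provider_concentration():
    """Providers ranked by how many distinct financial entities depend on them.

    Mirrors the concentration check run over outsourcing registers: a provider
    shared by many institutions is a single point of failure for the sector.
    """
    dependents = {}
    for a, b, _ in EDGES["ict"]:
        for prov, user in ((a, b), (b, a)):
            if KIND[prov] == "provider" and KIND[user] != "provider":
                dependents.setdefault(prov, set()).add(user)
    return sorted(((p, sorted(u)) for p, u in dependents.items()),
                  key=lambda x: -len(x[1]))


if __name__ == "__main__":
    print("B1 -> B3, financial layer only:", shortest_path("B1", "B3", ("financial",)))
    print("B1 -> B3, both layers:", shortest_path("B1", "B3"))
    print("Provider concentration:", provider_concentration())
```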

IV. Approaches to Cybersecurity in the Singapore Financial Sector

  • A. Regulatory Approach

As Singapore’s central bank and financial regulator, the MAS works closely with the CSA to administer the Cybersecurity Act 2018 and oversee the cybersecurity of the financial sector. The MAS regards cyberattacks as a growing threat to the financial system and expects the increasing digitalization of financial services to heighten cyber risk. The MAS has adopted a cybersecurity strategy with the following strategic elements.

Regulation and Guidance

The MAS sets minimum regulatory requirements and expectations on technology risk management (TRM) in Notices and Guidelines. Specifically:

The TRM Notice obliges financial institutions to maintain minimum levels of availability, resilience and recoverability for their critical systems. Financial institutions are also required to implement IT controls to preserve confidentiality of customer information.

The Cyber Hygiene Notice obliges financial institutions to implement a set of cybersecurity measures to mitigate common and pervasive cybersecurity threats. These include implementing network perimeter defense, malware protection, multi-factor authentication, timely patch updates, and establishing baseline configuration standards.

TRM Guidelines recommend technology risk management practices, including those relating to cyber surveillance and security operations, cybersecurity testing, and protection of online financial services.

Supervision

The MAS verifies financial institutions’ compliance with regulatory requirements and expectations through onsite inspections and off-site surveillance. Where there are areas of supervisory concerns, the MAS follows up with financial institutions to ensure that the concerns are addressed promptly and effectively. To anticipate and promptly respond to cyber risk, the MAS also monitors key financial institutions’ cybersecurity strategy and changes in their risk management frameworks and controls.

Cyber Surveillance and International Co-operation

The MAS collects and analyzes cyber threat information from various sources in its Financial Sector Security Operations Center (FS-SOC). Relevant insights, distilled from the FS-SOC, are shared with financial institutions to build collective cyber situational awareness and resilience within the financial system. The MAS has also forged strong partnerships with the international community, including international standard-setting bodies to help shape cyber risk management standards. 38

Competency Building and Industry Collaboration

To develop cybersecurity skills in Singapore, MAS has established a Cybersecurity Capability Grant to encourage international financial institutions to base their cybersecurity functions in the country. 39 This enables the deepening of cybersecurity operational capabilities in Singapore, like SOCs and cybersecurity centers of excellence. The MAS also partners with industry. The Association of Banks in Singapore (ABS) Standing Committee on Cyber Security (SCCS), formed in 2013, is a forum for the IT security heads of key financial institutions to discuss cyber threats and countermeasures. This committee has issued industry guidelines to raise cybersecurity standards, organized cybersecurity seminars to create greater awareness of cyber threats and conducted tabletop exercises to test response measures.

Cyber Security Agency (CSA)

The Singapore government established the CSA in 2015 to oversee Singapore’s national cybersecurity functions. The CSA’s mandate includes the protection of critical information infrastructures, strategy and policy development, security operations, and ecosystem development.

The Cybersecurity Act 2018 (“Act”) requires owners of critical information infrastructures to implement a set of mandatory measures 40 to protect these systems against cyberattacks. The Act also requires owners to notify the CSA of cybersecurity incidents.

  • B. Efforts by Financial Institutions

Major financial institutions in Singapore adopt multiple layers of security mechanisms to mitigate cyberattacks, which reduces single points of failure in defenses and addresses different attack vectors:

Predictive mechanisms use data analytics and machine learning tools to analyze cyber threat intelligence and understand adversaries.

Preventive mechanisms segregate internet browsing and email access on endpoint terminals to insulate the internal corporate network and prevent cross-contamination.

Detective mechanisms monitor systems and endpoints to identify anomalies and suspicious activity, in some cases through dashboards with real-time metrics.

Response and recovery mechanisms take the form of cybersecurity exercises that test the ability to respond promptly to cyber threats and to implement recovery plans.

Key financial institutions in Singapore have established their own SOCs to integrate the analysis of system and security events. These SOCs are equipped with tools 41 to see into the IT operating environment and detect cyberattacks early. Some financial institutions also plan to establish cyber security fusion centres. These incorporate cyber intelligence gathering and analysis, security operations, security incident management as well as cyber forensics investigation, to identify and respond more proactively to advanced threats. Staff in SOCs undergo regular professional training.

  • V. Conclusions

Cyber risk poses a growing threat to financial stability, and public agencies will need to do more to better understand and assess its financial stability implications. This paper helps in this task by presenting data sources and methods for analyzing cyber risk. These include key indicators that can be collected and tracked through time, event studies, value-at-risk, custom surveys, structured presentation via a cyber RAM and financial-cyber network maps. These analytical approaches are illustrated with applications to Singapore, and the appendix provides example templates for data collection. Even in the absence of cyber event data, this paper argues that models estimated in other contexts can be applied regularly in a given jurisdiction. 42 The quantitative results of the Singapore analyses, and descriptions of the public and private sector cybersecurity initiatives there, should provide a reference for surveillance work.

The (one-year, 95 percent) value-at-risk of 4.7 percent of gross revenues consumes a significant amount of the capital budget for operational risk (which in the Basel III standard includes cyber risk). The BCBS has recommended capital requirements for operational risk of about 11 percent of gross income for banks with gross income up to €1bn, 43 which is intended to cover unexpected loss from many sources besides cyber risk, and possibly at a higher level of confidence than 95 percent. 44 This suggests that for these banks, even just the 95th percentile of cyber risk consumes about two-fifths 45 of the capital budget for operational risk over one year. One final point to note is that our value-at-risk estimate is a measure of idiosyncratic rather than systemic risk because it is based on idiosyncratic events. However, by modifying the approach to allow for correlations between events across firms, 46 measures of systemic cyber risk can be derived.

However, many questions remain. For example, further work needs to estimate the size of systemic risk from cyberattacks to the financial sector. The papers cited here focus on firm-specific events, and financial institutions often do not internalize the implications of a cyber incident on systemic risk in the bottom-up stress tests for Singapore. Systemic losses could be larger but could also be somewhat offset by diversification effects. Another example relates to the potential selection biases in the datasets on cyber events. To overcome such biases, future analyses may find it useful to build in first-stage models of the selection process.

The financial-cyber network map is a recent idea that has yet to be applied in practice. When such data become available, specialized contagion risk models may need to be developed to analyze such data. For example, contagion could be modelled over a two-layer network, where one layer represents the financial links and the other layer represents the ICT links. Similarly, concentration analysis for outsourcing arrangements has been described here. In applications, such analysis needs to distinguish between concentration risk, and the desirable concentration that arises when many financial institutions use the same reputable third-party providers.

Afonso, G., F. Curti, P. McLemore and A. Mihov, 2019. “Understanding Cyber Risk: Lessons from a Recent Fed Workshop.” Blog, Liberty Street Economics, Federal Reserve Bank of New York.


Bank of Canada, 2019. “Financial System Review.”

Basel Committee on Banking Supervision, 2011. “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approach.” Bank for International Settlements, June.

Basel Committee on Banking Supervision, 2016. “Standardised Measurement Approach for Operational Risk.” Consultative Document, March.

Basel Committee on Banking Supervision, 2018. “Cyber Resilience: Range of Practices.” Bank for International Settlements, December.

Bouveret, Antoine, 2019. “Estimation of losses due to cyber risk for financial institutions.” Journal of Operational Risk, 14(2), pp. 1–20.

Cambridge Centre for Risk Studies, 2019. “Cyber Risk Outlook.” Judge Business School, University of Cambridge. Prepared in collaboration with Risk Management Solutions, Inc.

Committee on Payments and Market Infrastructures, 2016. “Guidance on cyber resilience for financial market infrastructures.” Joint with the Board of the International Organization of Securities Commissions, June.

Council of Economic Advisers, 2018. “The cost of malicious cyber activity to the U.S. economy.” White House.

Cyber Security Agency of Singapore, 2018. “Singapore Cyber Landscape 2017.” ISBN 978-981-11-7062-1.

Department of Homeland Security, 2011. “Subject: Vulnerability Remediation Requirements for Internet-Accessible Systems.” Binding Operational Directive 19-02.

Danielsson, Jon, Morgane Fouche and Robert Macrae, 2016. “Cyber Risk as Systemic Risk.” VOX CEPR Policy Portal.

Financial Stability Board, 2017. “Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices.” October.

Financial Stability Board, 2018. “Cyber Lexicon.” November.

Gandhi, P., S. Khanna and S. Ramaswamy, 2016. “Which Industries are the Most Digital (And Why)?” Harvard Business Review, April.

Healey, J., P. Mosser, K. Rosen and A. Wortman, 2018. “The Ties That Bind: A Framework to Assess the Linkage Between Cyber Risks and Financial Stability.” Working Paper, Project on Cyber Risk to Financial Stability, School of International and Public Affairs, Columbia University, December, pp. 1–12.

International Monetary Fund, 2015. “Guidance Note for Surveillance under Article IV Consultations.” May (Washington: International Monetary Fund).

International Monetary Fund, 2019a. “Singapore: Financial Sector Stability Assessment.” (Washington: International Monetary Fund).

International Monetary Fund, 2019b. “Cybersecurity Risk Supervision.” Departmental Paper No. 19/15, Monetary and Capital Markets Department (Washington: International Monetary Fund).

International Monetary Fund, 2019c. “Singapore: Technical Note on Financial Stability Analysis and Stress Testing.” (Washington: International Monetary Fund).

International Monetary Fund, 2019d. “World Economic Outlook, April 2019: Growth Slowdown, Precarious Recovery.” (Washington: International Monetary Fund).

International Monetary Fund, Financial Stability Board and Bank for International Settlements, 2016. “Elements of Effective Macroprudential Policies.” Available at: https://www.imf.org/external/np/g20/pdf/2016/083116.pdf

Jones, N. and B. Tivnan, 2018. “Cyber Risk Metrics Survey, Assessment, and Implementation Plan.” Case no. 18-1246, The Homeland Security Systems Engineering and Development Institute, May.

Kamiya, Shinichi, Jun-Koo Kang, Jungmin Kim, Andreas Milidonis and Rene M. Stulz, 2018. “What is the Impact of Successful Cyberattacks on Target Firms?” NBER Working Paper No. 24409, National Bureau of Economic Research.

Kopp, E., L. Kaffenberger and N. Jenkinson, 2017. “Cyber Risk, Market Failures, and Financial Stability.” Working Paper no. 17/185, International Monetary Fund.

Lloyds and Cambridge University Center for Risk Studies, 2015. “Business Blackout: The Insurance Implications of a Cyberattack on the US Power Grid.” Emerging Risk Report, 2015.

MAS, 2018. “Financial Stability Review.”

Office of Financial Research, 2017. “Cybersecurity and Financial Stability: Risks and Resilience.” OFR Viewpoint 17-01, February 15.

Oliver Wyman, 2019. “Navigating Cyber Risk Quantification: The Art and Science of Cyber Quantification Through a Scenario-Based Approach.”

ORX, 2016. “Capital impact of the SMA: ORX benchmark of the proposed Standardised Measurement Approach.” Available at: https://managingrisktogether.orx.org/sites/default/files/downloads/2017/05/orxcapitalimpactofthesma1.pdf

PricewaterhouseCoopers, 2014. “Managing Cyber Risks in an Interconnected World.” September.

Redscan, 2019. “Cyber Security in Search: Analysis of Google Search Trends 2004–2019.” Redscan Cyber Security Limited. Available at: https://www.redscan.com/wp-content/uploads/2019/09/Redscan-Report_-Cyber-Security-In-Search_Sept19.pdf

Reuters, 2017. “Cyber attack hits 200,000 in at least 150 countries: Europol.” May 14.

Santucci, L., 2018. “Quantifying Cyber Risk in the Financial Services Industry.” Discussion Paper no. 18-03, Consumer Finance Institute, Federal Reserve Bank of Philadelphia.

The Straits Times, 2018. “Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore’s worst cyber attack.” July 20. URL: https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most

Verizon, 2017. “Data breach investigations report.”

Verizon, 2018. “Data breach investigations report.”

Verizon, 2019. “Data breach investigations report.”

Wired, 2018. “The untold story of NotPetya, the most devastating cyberattack in history.” August 22.

World Economic Forum, 2016. “Understanding Systemic Cyber Risk.” White Paper, Global Agenda Council on Risk & Resilience, October.

  • Appendix I. Example Data Reporting Templates

This appendix provides example templates that could be used to collect data from individual financial firms on their cyber risk exposure and cybersecurity practices. Note that these templates are stylized representations and should be tailored to each jurisdiction.

Template 1: incident-level data (one row per cyber event; rows 1–3 are left blank for entry). Columns:

  • ID
  • earliest date of occurrence (yyyy/mm/dd)
  • date of detection (yyyy/mm/dd)
  • event type (breach, disruption or fraud)
  • cause (external, people, processes)
  • third party provider involved (yes/no)
  • number of records breached
  • estimated direct loss amount (US$ ‘000)
  • reported to law enforcement (yes/no)
  • insured (yes/no)
  • direct loss amount insured (US$ ‘000)
  • jurisdiction
  • business line
  • description

Template 2: scenario-level data (one row per scenario; rows 1–3 are left blank for entry). Columns:

  • scenario number
  • description
  • direct loss (in US$ ‘000)
  • fall in deposits (percent)
  • fall in CAR (percent)
  • fall in LCR (percent)
  • mitigating actions
  • preventive measures
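An added example (not part of the appendix and not a MAS tool) of how a supervisor could validate rows submitted under the incident template before aggregating them. The column names are shortened forms of the template headings above and the four incident rows are constructed; the checks cover date format, detection-before-occurrence, the categorical fields, and insured amounts that exceed the reported loss, and the detection lag is computed from the two template dates.

```python
"""Validate and summarise rows submitted under the cyber incident template.

Added illustration; the rows below are constructed and the column names are
shortened forms of the Appendix I headings. Checks: dates in yyyy/mm/dd,
detection not before occurrence, categorical fields in their allowed sets,
insured amount not above the direct loss. Findings are returned, not raised,
so a whole submission can be reviewed in one pass.
"""
import csv
import io
from datetime import date

EVENT_TYPES = {"breach", "disruption", "fraud"}
CAUSES = {"external", "people", "processes"}
YES_NO = {"yes", "no"}

# Constructed sample submission in template column order (amounts in US$ '000).
SAMPLE_CSV = """\
id,occurred,detected,event_type,cause,third_party,records,direct_loss,reported,insured,loss_insured,jurisdiction,business_line,description
1,2019/03/02,2019/03/04,fraud,external,no,0,250,yes,yes,100,SG,retail,ATM jackpotting at 3 sites
2,2019/05/10,2019/04/30,disruption,processes,yes,0,80,no,no,0,SG,payments,clearing provider outage
3,2018/11/20,2019/06/01,breach,people,no,15000,600,yes,yes,900,SG,wealth,customer records exfiltrated
4,2019/07/15,2019/07/15,leak,external,no,200,5,no,no,0,SG,retail,misdirected statements
"""


def parse_date(text):
    """Parse yyyy/mm/dd; return None when the value is not in template format."""
    try:
        y, m, d = (int(p) for p in text.split("/"))
        return date(y, m, d)
    except (ValueError, TypeError):
        return None


def validate_row(row):
    """Return a list of findings for one incident row (empty list = clean)."""
    findings = []
    occurred, detected = parse_date(row["occurred"]), parse_date(row["detected"])
    if occurred is None or detected is None:
        findings.append("date not in yyyy/mm/dd format")
    elif detected < occurred:
        findings.append("detected before occurrence")
    if row["event_type"] not in EVENT_TYPES:
        findings.append(f"event_type '{row['event_type']}' not in {sorted(EVENT_TYPES)}")
    if row["cause"] not in CAUSES:
        findings.append(f"cause '{row['cause']}' not in {sorted(CAUSES)}")
    for col in ("third_party", "reported", "insured"):
        if row[col].lower() not in YES_NO:
            findings.append(f"{col} must be yes/no")
    loss, insured = float(row["direct_loss"]), float(row["loss_insured"])
    if row["insured"].lower() == "no" and insured > 0:
        findings.append("insured amount given for an uninsured event")
    if insured > loss:
        findings.append("insured amount exceeds direct loss")
    return findings


def validate_submission(csv_text):
    """Map incident id -> findings for every row of a template submission."""
    return {row["id"]: validate_row(row) for row in csv.DictReader(io.StringIO(csv_text))}


def detection_lags(csv_text):
    """Days between occurrence and detection for rows with well-formed dates.

    The template keeps 'earliest date of occurrence' and 'date of detection'
    apart because past incidents keep being discovered; loss statistics by
    occurrence year are therefore revised as lags like these are reported.
    """
    lags = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        o, d = parse_date(row["occurred"]), parse_date(row["detected"])
        if o and d and d >= o:
            lags[row["id"]] = (d - o).days
    return lags


if __name__ == "__main__":
    for rid, issues in validate_submission(SAMPLE_CSV).items():
        print(rid, "OK" if not issues else "; ".join(issues))
    print("detection lag (days):", detection_lags(SAMPLE_CSV))
```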

The authors gratefully acknowledge comments and suggestions from Antoine Bouveret, Christopher Wilson, Dan Nyberg, Daniel Wang, Edward Robinson, Ibrahim Ergen, Martin Čihâk, Rosemary Lim, Tan Yeow Seng, Ulric Eriksson von Allmen, Vincent Loy, and participants at the MCM Quantm Seminar at the IMF, while retaining responsibility for any errors or omissions. The authors are grateful to Stéphanie Ng for excellent research assistance.

The definition of cyber, cyber risk, cyber incident and cybersecurity used here follows the lexicon published in FSB (2018) .

The attack surface is the set of characteristics of an information system that permit an adversary to probe, attack, or maintain presence in it. This definition is taken from the glossary of the National Initiative for Cybersecurity Careers and Studies, available at: https://niccs.us-cert.gov/about-niccs/glossary .

Deposit insurance may not prevent a large-scale run of depositors seeking to avoid having their deposits frozen or their account information corrupted.

Including a central bank and financial market infrastructure.

See, for example, the discussion in IMF (2019d) .

In the latest ITU index, Singapore ranks sixth globally and first in the Asia Pacific region.

The author lists the Information Risk Assessment Methodology (IRAM), Risk IT, Factor Analysis of Information Risk (FAIR), the National Institute of Standards and Technology (NIST) cybersecurity framework and cyber value-at-risk (CyberVaR).

FAIR is also a cyber value-at-risk method. It is a proprietary method developed by the Open Group, a global consortium of organizations ( Jones and Tivnan, 2018 ).

This view appears, for example, in Oliver Wyman (2019) and Santucci (2018) . BCBS (2018) notes the lack of established data and the immaturity of resilience metrics. The need to enhance data collection is mentioned in Afonso and others (2019) .

Direct losses may include costs of identifying a cyberattack, notifying customers, forensic investigation, data recovery, compensating customers (e.g., with free credit score monitoring), public relations, and legal costs.

Singapore is also a leader in this area based, for example, on the ITU cybersecurity index rankings (see footnote 6).

This section is based on Box C in the Financial Stability Review published by the MAS in November 2018 .

Cyber events are often related to but can be unrelated to cyberattacks: for example, software updates or natural disasters can lead to the crystallization of cyber risk through business disruptions without any nefarious intent (Bouveret, 2018). However, they often occur upon a cyberattack that targets financial institutions or the financial system. The section mainly focuses on financial stability implications of cyber events that are associated with cyberattacks.

‘Damage’ is used here to mean physical damage (to data integrity, software or hardware) as opposed to pecuniary losses.

Duffie and Younger (2019) provide a contrarian view, arguing that cyber incidents are unlikely to lead to deposit runs, given that large U.S. banks’ liquid assets are enough to cover their wholesale funding obligations due within one month.

Systemic risk is defined as the risk of disruptions to the provision of financial services, which is caused by an impairment of all or parts of the financial system, with serious negative consequences for the real economy ( IMF-FSB-BIS, 2016 ).

Several studies have noted the possibility of cyber risk having systemic implications. The Institute of International Finance (2017) has investigated possible cyberattack scenarios that could lead to systemic outcomes, and the resulting impact on affected financial institutions and the entire financial system. The World Economic Forum (WEF) (2016) describes the financial risks as well as potential systemic impact associated with a cyber event that disrupts payment, clearing and settlement arrangements. The Office of Financial Research (2017) suggests three channels through which cyber events can threaten financial stability—(i) lack of substitutability (of a service), (ii) loss of confidence in a financial institution or the financial system, and (iii) loss of data integrity. This contrasts with earlier literature which argued that almost all cyber risk is microprudential and that a cyberattack could only lead to a systemic crisis if it were timed impeccably to coincide with other non-cyber events that undermine confidence in the financial system and the authorities ( Danielsson, Fouché, and Macrae, 2016 ).

For this reason, the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions have issued guidelines on the recoverability of the operations of such financial market infrastructures in response to a cyberattack ( CPMI-IOSCO, 2016 ).

Given the confidentiality of the Singapore data, this method is illustrated with published data for Canada.

Indeed, Chart 10 in Bank of Canada (2019) shows that more past cybersecurity incidents are being discovered each year.

It could also in principle reflect an increasing number of reconnaissance attempts by attackers e.g., port scanning activities.

Losses can take time to materialize and can be difficult to measure. Therefore, distributions of losses need to be complemented by frequency distributions.

BitSight scores companies and CIIs on a scale of 250–900 based on 4 categories of data: compromised systems, security diligence (e.g., access points, website security, patching speed, server software), user behavior (secure file sharing, exposed staff credentials) and public disclosures (media reports of incidents).

These deadlines are mandated for the information systems of federal agencies in the United States (DHS, 2019).

Models that include fixed effects require extra care, because the estimated firm-specific fixed effects from the old context would not be applicable to the firms in the new context. If the model is first-differenced, then these fixed effects would be eliminated. Then the first-differenced model can be used to track increases or decreases in (but not the level of) the likelihood or severity of loss.

Besides compiling similar data from news stories, ORX also collects data on cybersecurity incidents (data breaches, fraud and business disruption) from its members and shares the data with them.

The stock price falls are measured around the day on which the cyberattack was first made public. A more thorough analysis could use abnormal returns from an asset pricing model, but the appropriate model for an international dataset is uncertain.

Kamiya et al (2018) use data on U.S. events only and include attacks on non-financial firms.

In the analysis here, losses are aggregated to the firm-year level and matched to each firm’s gross revenues of the previous year. The distribution we fit is therefore directly the distribution of yearly losses in percent of revenues. By contrast, Bouveret (2019) fits a distribution to the event-level losses in constant-price U.S. dollars and combines it with a calibrated Poisson random variable for the number of events in a given year to simulate a compound distribution of annual (constant-price U.S. dollar) losses. After deriving the dollar value-at-risk, external data are then used to express this estimated value-at-risk as a percent of net revenues. Bouveret’s approach might therefore overestimate the value-at-risk (in percent of revenues) if there is a positive correlation between nominal losses and income, as suggested by our data and by certain results in Kamiya et al. (2018).

The 68 percent bootstrapped confidence interval puts the (95 percent) value-at-risk between 1.6 and 9.8 percent of revenues. Part of the uncertainty comes from the difficulty in matching ORX data to Bloomberg data on revenues. Of the 102 events in the ORX news stories data with direct losses, only 21 events match to Bloomberg data on revenues. The greatly reduced sample size motivates the choice here of a simple lognormal distribution rather than the more flexible distributions considered in Bouveret (2019) .
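The two approaches contrasted in the preceding two notes, the direct firm-year lognormal fit with a bootstrapped interval and Bouveret's compound Poisson-lognormal simulation, as an added example in Python. This is not code from the paper or from Bouveret (2019); the loss figures, the 21-observation sample, the 0.5 events-per-year rate and the 2,000 bootstrap draws are constructed assumptions chosen for illustration:

```python
"""Added example, not from the IMF paper: two estimators for a 95 percent cyber
value-at-risk (VaR) from operational-loss data, mirroring the two approaches the
notes contrast.

  (a) Fit a lognormal directly to firm-year losses in percent of revenues and
      bootstrap a central 68 percent interval for the VaR.
  (b) Fit a lognormal to event-level dollar losses, draw a Poisson number of events
      per year, and simulate the compound annual-loss distribution.

Every number below is constructed for illustration; nothing is real loss data."""
import math
import random
from statistics import NormalDist, mean, pstdev

# (a) Constructed firm-year losses, percent of prior-year revenues (21 observations,
#     the same small sample size the notes report for the matched ORX/Bloomberg data).
FIRM_YEAR_LOSS_PCT = [0.02, 0.05, 0.08, 0.1, 0.12, 0.15, 0.2, 0.25, 0.3, 0.4, 0.5,
                      0.6, 0.8, 1.0, 1.3, 1.7, 2.2, 3.0, 4.5, 7.0, 12.0]

# (b) Constructed event-level direct losses in USD millions.
EVENT_LOSS_USD_M = [0.3, 0.8, 1.5, 2.0, 3.5, 5.0, 8.0, 12.0, 20.0, 45.0, 110.0]


def lognormal_params(sample):
    """Maximum-likelihood lognormal fit: mean and population std of the log values."""
    logs = [math.log(x) for x in sample]
    return mean(logs), pstdev(logs)


def lognormal_var(sample, level=0.95):
    """Closed-form VaR of the fitted lognormal: exp(mu + sigma * z_level)."""
    mu, sigma = lognormal_params(sample)
    return math.exp(mu + sigma * NormalDist().inv_cdf(level))


def bootstrap_var_interval(sample, level=0.95, ci=0.68, draws=2000, seed=1):
    """Percentile bootstrap: refit on resampled data, return the central `ci` band."""
    rng = random.Random(seed)
    n = len(sample)
    fitted = sorted(lognormal_var([rng.choice(sample) for _ in range(n)], level)
                    for _ in range(draws))
    lo = fitted[int((1 - ci) / 2 * (draws - 1))]
    hi = fitted[int((1 + ci) / 2 * (draws - 1))]
    return lo, hi


def poisson_draw(rng, lam):
    """Knuth's algorithm for a Poisson variate; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def compound_var(event_losses, events_per_year, level=0.95, years=20000, seed=1):
    """Simulate `years` annual totals of a Poisson count of lognormal events; return the quantile."""
    mu, sigma = lognormal_params(event_losses)
    rng = random.Random(seed)
    annual = sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson_draw(rng, events_per_year)))
        for _ in range(years)
    )
    return annual[int(level * (years - 1))]


if __name__ == "__main__":
    point = lognormal_var(FIRM_YEAR_LOSS_PCT)
    lo, hi = bootstrap_var_interval(FIRM_YEAR_LOSS_PCT)
    print(f"(a) 95% VaR = {point:.1f}% of revenues; 68% bootstrap band [{lo:.1f}%, {hi:.1f}%]")
    # (b) Assumes half an event per firm-year on average; a real calibration would count events.
    print(f"(b) 95% VaR = USD {compound_var(EVENT_LOSS_USD_M, 0.5):.1f}m per year")
```

The two estimators answer slightly different questions: the direct fit gives a quantile of the ratio loss/revenue, while the compound simulation gives a quantile of dollar losses that still has to be divided by revenues, which is where the correlation caveat in the note above enters. Both use the population standard deviation of log losses (the maximum-likelihood estimate), so with 21 points the bootstrap band is wide, as it is in the paper.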

The value of 17 percent comes from scaling up the average of 10 percent of net income by the ratio of the 95th percentile loss of US$167bn to the average loss of US$100bn (all of which appear on page 4 of that paper).

A RAM appears in IMF Article IV reports. This RAM contains material risks, including potentially cyber risk, if it is material for the country in question. This RAM is explained in Box 5 of IMF (2015) . The cyber RAM proposed here differs from this RAM in that it enumerates more material scenarios relating to cyber risk and excludes scenarios that are immaterial from a cyber risk perspective.

A similar presentational device is proposed by Santucci (2018) . The advantage of the cyber RAM proposed here is that it collects all scenarios into one table.

No special technique is needed to combine financial and ICT exposures.

One measure of the importance of data flows to the business is their size in bytes.

The map can be seen as the graph of a two-layer network, where one layer depicts financial connections and the other depicts ICT connections.
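A small illustration of that two-layer view, added here and not taken from the paper: a set of institutions, a financial layer weighted by exposure, an ICT layer weighted by data-flow size in bytes (the measure the note above suggests), and a breadth-first walk over the union of the layers. The institution names, exposures and byte counts are constructed, and the hop-count reach is an assumed simplification of how the paper's map would be read:

```python
"""Added example, not from the paper: a two-layer network over one set of institutions,
a financial layer (weight = exposure) and an ICT layer (weight = data flow in bytes).
Node names, exposures and byte counts are constructed. Combining the layers needs no
special technique: exposures are summed per node, and reach is a walk over the union
of the two edge sets."""
from collections import defaultdict, deque

# Layer 1: financial connections, weight = exposure in USD millions (constructed).
FINANCIAL_EDGES = [("BankA", "BankB", 120.0), ("BankB", "BankC", 80.0),
                   ("BankC", "Insurer", 30.0)]
# Layer 2: ICT connections, weight = data flow in bytes per day (constructed).
ICT_EDGES = [("BankA", "CloudX", 5_000_000_000), ("BankB", "CloudX", 2_000_000_000),
             ("Insurer", "BankA", 100_000_000)]


def build_layers(financial_edges, ict_edges):
    """Undirected adjacency per layer: layer -> node -> {neighbour: weight}."""
    layers = {"financial": defaultdict(dict), "ict": defaultdict(dict)}
    for name, edges in (("financial", financial_edges), ("ict", ict_edges)):
        for a, b, w in edges:
            layers[name][a][b] = w
            layers[name][b][a] = w
    return layers


def node_exposures(layers):
    """Total weight per node in each layer; nothing beyond a sum is needed."""
    out = defaultdict(lambda: {"financial": 0.0, "ict": 0})
    for name, adj in layers.items():
        for node, nbrs in adj.items():
            out[node][name] = sum(nbrs.values())
    return dict(out)


def reach(layers, start, hops, use=("financial", "ict")):
    """Nodes within `hops` steps of `start`, following edges of the layers in `use` (BFS).

    Restricting `use` to one layer shows what a single-layer map misses: a shared ICT
    provider has no financial edges, yet links banks that the financial layer alone
    shows as unconnected."""
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == hops:
            continue
        for name in use:
            for nbr in layers[name].get(node, {}):
                if nbr not in seen:
                    seen.add(nbr)
                    frontier.append((nbr, depth + 1))
    return seen - {start}


if __name__ == "__main__":
    layers = build_layers(FINANCIAL_EDGES, ICT_EDGES)
    for node, e in sorted(node_exposures(layers).items()):
        print(f"{node:8s} financial={e['financial']:>6.1f}  ict_bytes={e['ict']:>13,d}")
    print("CloudX outage, 1 hop, ICT only    :", sorted(reach(layers, "CloudX", 1, use=("ict",))))
    print("CloudX outage, 1 hop, financial   :", sorted(reach(layers, "CloudX", 1, use=("financial",))))
    print("CloudX outage, 2 hops, both layers:", sorted(reach(layers, "CloudX", 2)))
```

The point of the last three lines is the one the note makes: looked at through the financial layer alone, the cloud provider touches nobody; looked at through both layers, a two-hop disruption from it reaches every institution in the constructed map.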

The MAS is currently chairing the Financial Stability Board (FSB) working group on Cyber Incident Response and Recovery (CIRR), which aims to develop a toolkit to help financial institutions respond to and recover from cyber incidents effectively.

Such functions include SOCs, fusion centers and centers of excellence.

Such measures include conducting regular audits and risk assessments and participating in exercises to validate response measures.

Such tools include Security Information and Event Management (SIEM) solutions, network traffic inspection solutions, and security analytics tools.

This idea is discussed in Section III.C . Of course, if cyber event data are available, then they should be used instead.

More specifically, BCBS (2016) proposes that capital requirements grow with a “business indicator” at a rate of 0.11 per euro. In turn, the “business indicator” is an aggregate of income from interest, leases, dividends, services and financial trading. It is designed to be a proxy for exposure to operational risk, but ORX (2016) has shown that it is almost equal to gross income (R² = 0.96). For this brief discussion, the “business indicator” is assumed to be equivalent to gross income.

BCBS (2016 ) is not explicit about the level of confidence underlying its formula for capital requirements. However, the advanced measurement approach to operational risk under the Basel II standard specified that capital for operational risk should be sufficient to cover 99.9 percent of one-year losses ( BCBS, 2011 ).

Two-fifths here is calculated as the ratio of 4.7 to 11. Using 2.5 from Bouveret (2019) instead of 4.7, this drops to one-fifth. Therefore, the fraction is large, despite the caveats that our calculated value-at-risk applies to all financial institutions, not just banks, and is subject to substantial estimation uncertainty.

Bouveret (2019 ) allows for such correlations.

IMF Working Papers

International Monetary Fund Copyright © 2010-2021. All Rights Reserved.


Cyber Security Case Studies

Managed Detection and Response Case Studies

  • Client story: Building Cyber Resilience Amid Microsoft Azure Migration
  • Seamless Response to Ransomware and a Cyber Resilience Upgrade
  • Reducing a Hospitality Company’s Cyber Risk Surface
  • Enhancing Security Visibility for a Leading Asset Management Firm
  • Elevating Cyber Security Maturity of a Housebuilding Company
  • Protecting the 2008 U.S. Presidential Election from Cyber Attacks (by Alan Brill)
  • Endpoint Detection and Response to Increase Plastics Manufacturer’s Cyber Posture
  • Stronger Threat Detection and Response for UK Bank: Reduced False Positives, Swifter Response
  • Enhanced Ransomware Defences for Global Shipping Business with Robust MDR
  • Large Hospital Leverages Managed Detection and Response for Increased Resilience and Compliance Reporting
  • Defending Healthcare Organization Against Persistent Trickbot Attacks
  • Optimized Security Operations and Cyber Governance for Asset Management Firm

Digital Forensics and Incident Response Case Studies

  • Online Skimming Attack Facilitated by Work-From-Home Arrangements
  • Electronic Gift Card Fraud Investigation Uncovers Contractual Risks
  • Spearphishing Compromises Fuel Chain Credit Card Transactions, Ends in Ransomware
  • Insider Threat Case Study: Digital Forensics Reveals Fraud, Potential Regulatory Concerns (by Kevin Wong, Ben Hawkins)
  • Kroll Contains, Remediates SWIFT System Cyber Fraud for Middle Eastern Bank (by Kevin Wong, Imran Khan)
  • Transatlantic Cyber Investigation Unmasks Insider Threat, Preempts Ransom Attempt (by Michael Quinn, Ben Hawkins, Justin Price)
  • Boosting Your Insider Threat Program: Examples, Indicators and Mitigation Steps
  • Office 365 Business Email Compromise Investigation Leads to Stronger Security (by Devon Ackerman)
  • Cyber Extortion Gets Personal: The Next Step in Email Compromises
  • Business Email Compromise Attack Investigation and Remediation for Insurance Broker

Proactive Services Case Studies

  • Continuous Penetration Testing Optimizes Security in Agile Product Development for Software Startup
  • Scaling Up Application Security for a Global Telecommunications Company (by Rahul Raghavan, Rob Deane)
  • Safeguarding Election Security Through Penetration Testing
  • AWS Penetration Testing Gives In-Depth Cyber Risk Insight to Specialist Bank
  • State of Arkansas Cyber Security Assessment (by Frank Marano, Jeff Macko)
  • Red Team Exercise Helps International Trade Organization Comply with FCA Cyber Security Mandates

Other Cyber Security Case Studies

  • Cyber governance and risk: GDPR Assessment and U.S. Data Privacy Laws Action Plan for a Global Biopharmaceutical Company
  • Cyber litigation support: Uncovering Critical Historical Data to Progress a Complex Legal Case
  • Taking an Underwriter’s Security Posture From At-Risk to Resilient
  • Kroll Assists Entertainment Conglomerate in Achieving Holistic Digital Transformation with Cloud Native Security Platform Implementation (by Frank Marano, Rahul Raghavan, Rob Deane)


Cybersecurity Risk Management Process – A Case Study

  • Case study about a fictional utility’s cybersecurity risk management process
  • Implementation of DOE’s Electricity Sector Cybersecurity Risk Management Program guidance
  • Potential steps needed for risk assessment, risk response, and risk monitoring

Developing a risk management process for cybersecurity

Cybersecurity is a perennial concern for utilities, who are responsible for some of the nation’s most critical infrastructure. This document aims to assist electric utilities in their consideration and development of cybersecurity risk management practices and to illustrate possible implementation of the U.S. Department of Energy’s Electricity Sector Cybersecurity Risk Management Program (RMP) guidance.

The paper presents the case of a fictitious municipal utility (Papaya Electric) that decides to develop a risk management program to address cybersecurity. The fictional scenario covers automation functions and operational variables and constraints common to many utilities. The study illustrates how real-world organizations may require a number of adjustments to risk management and operations methodologies to accommodate utility business constraints and priorities.

What’s in the report

  • Overview of the fictitious municipal utility, key actors, and events triggering the pursuit of a cybersecurity risk management process
  • Framing and steps for risk assessment, risk response, and risk monitoring for the executive, business operations, and systems and application levels
  • Key lessons learned about the RMP

© 2000-2024 Smart Electric Power Alliance. All Rights Reserved.

Cyber Risk Case Study: A Scenario-Based Approach to Identifying and Mitigating Key Threats


Cybersecurity threats continue to expand in number and complexity, and finding an approach to managing them effectively is elusive.

Organizations are struggling to (a) prioritize among the myriad cyber risks; (b) make a business case for recommended mitigation; and (c) draw a rigorous, defensible line in the sand limiting the scope of cyber risk management. In this session, we begin with the current state of cybersecurity risks.

Then, we discuss how a value-based ERM approach uses deterministic scenarios and quantitative models to (a) sort out which cyber risk scenarios to focus on; (b) support mitigation decisions with robust risk-reward data; and (c) define a “cyber risk appetite” that contains the focus of cyber risk management to a manageable level. We will then share some early lessons from a case study of an organization that is starting to apply this approach successfully and enhance its cyber risk management, particularly around its use of vendors.

Attendees will learn:

  • How to better prioritize among a disparate and growing set of cyber risks
  • What data is used to make the business case for targeted cyber risk mitigation
  • An approach to defining “cyber risk appetite"

Shahryar Shaghaghi

Professor of Professional Practice, Enterprise Risk Management; Technology, Risk Management and Cybersecurity Executive

Program Director and Senior Lecturer in Discipline, Enterprise Risk Management; President, SimErgy Consulting

Dave Bartholomew

AVP Operational Risk, Institutional Division, Pacific Life


Paralyzed or Compromised: A Case Study of Decisions in Cyber-Physical Systems


Affiliation: San Jose State University, San Jose, CA, USA (https://ror.org/04qyvz380)

Published by Springer-Verlag, Berlin, Heidelberg

Author tags

  • Cyber-physical systems
  • Situation Awareness
  • Sunburst attack


COMMENTS

  1. Cyber security risk assessment for seaports: A case study of a

    In this study, an integrated cyber security risk assessment is performed for a container port cyber-physical system. According to the results, there is no acceptable risk level for four scenarios. Hence, risk control actions must be organized and the risk level of these scenarios must be brought down to an acceptable level.

  2. PDF Case Studies in Cyber Supply Chain Risk Management

    This Summary of Findings and Recommendations summarizes the Case Studies in Cyber Supply Chain Risk Management series' major findings and recommendations based on expert interviews. The Case Studies in Cyber Supply Chain Risk Management series engaged information security, supply chain, and risk leaders across a diverse set of organizations.

  3. Cyber Risk Assessment and Optimization: A Small Business Case Study

    Assessing and controlling cyber risk is the cornerstone of information security management, but also a formidable challenge for organisations due to the uncertainties associated with attacks, the resulting risk exposure, and the availability of scarce resources for investment in mitigation measures. In this paper, we propose a cybersecurity decision-support framework, called CENSOR, for ...

  4. PDF Case Studies in Cyber Supply Chain Risk Management: Mayo Clinic

    These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices. For information on NIST's Cyber Supply Chain Risk Management project, see.

  5. Cyber security risk assessment for seaports: A case study of a

    Based on the foregoing circumstances, this study aims to carry out an integrated cyber security risk assessment for a specified container port CPS. For this purpose, after the introduction, a literature review is given. The third part is the methodology section, in which the integrated cyber security risk assessment process is explained.

  6. Cyber Security Risk Assessment for Seaports: A Case Study of a

    For each cyber-attack scenario, the risk assessment methodology has been applied using an integrated cyber security management approach, taking into account the cyber-physical assets of the container ...

  7. Module 1: Case Studies & Examples

    This allows for a more precise and objective assessment of risk that can be used to make informed decisions about risk management. To convert the five-point scale to 20% ranges, each category is assigned a range of probabilities. The ranges are as follows: ... Accounting Firm Case Study. The cybersecurity auditor arrived at the accounting firm ...

  10. Case Studies in Cyber Supply Chain Risk Management: Anonymous Consumer

    The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are leaders in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain ...

  11. Cyber Risk Surveillance: A Case Study of Singapore

    Cyber risk is an emerging source of systemic risk in the financial sector, and possibly a macro-critical risk too. It is therefore important to integrate it into financial sector surveillance. This paper offers a range of analytical approaches to assess and monitor cyber risk to the financial sector, including various approaches to stress testing. The paper illustrates these techniques by ...

  12. CSWP 11, Case Studies in Cyber Supply Chain Risk Management ...

    This document is part of Case Studies in Cyber Supply Chain Risk Management-new research that builds on the CSD C-SCRM program's 2015 publications aimed at identifying how C-SCRM practices have evolved. For this case study series, NIST conducted interviews with 16 subject matter experts across a diverse set of six companies in separate industries, including: digital storage, consumer ...

  13. Cyber Risk Surveillance: A Case Study of Singapore

    The same device can be used to present the results of an assessment of cyber risk, which could be the collective judgement of a group of experts or a summary of the results of a survey. 34. Table 1 illustrates this presentational device based on a MAS-administered cyber stress test of 18 banks in Singapore in 2019. In the stress test, banks ...

  14. PDF Case Studies in Cyber Supply Chain Risk Management

    These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices. For information on NIST's Cyber Supply Chain Risk Management project, see.

  15. PDF Principles for Board Governance of Cyber Risk Case Study: Arvest Bank

    An evolved cyber risk assessment enables organizations to align its cyber strategy to its business objectives. This alignment ... Arvest's ability to keep cyber losses within the risk appetite. This case study offers one example of how boards can understand the economic drivers and impact of cyber risk as

  16. Cyber Security Case Studies

    Validate your cyber defenses against real-world threats. Kroll's world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

  17. Case Study: Implementing a Cybersecurity Risk Assessment

    Facing growing cyber threats and regulatory demands, a mid-sized financial services company conducted a comprehensive cybersecurity risk assessment. The scope included all customer data and ...

  18. Cybersecurity Risk Management Process

    The paper presents the case of a fictitious municipal utility (Papaya Electric) that decides to develop a risk management program to address cybersecurity. The fictional scenario covers automation functions and operational variables and constraints common to many utilities. The study illustrates how real-world organizations may require a number ...

  19. Teaching case study: introducing quantitative risk assessments in a

    To help fill this gap, this paper provides a scenario-based teaching case that introduces students in a Cybersecurity Risk Management course to FAIR; an advanced quantitative framework for risk assessment. The case study utilizes a fictitious company, for which a risk assessment is underway, and requires the students to use the FAIR framework ...

  20. Cyber Risk Case Study: A Scenario-Based Approach to Identifying and

    Cybersecurity threats continue to expand in number and complexity, and finding an approach to managing them effectively is elusive. Organizations are struggling to (a) prioritize among the myriad cyber risks; (b) make a business case for recommended mitigation; and (c) draw a rigorous, defensible line in the sand limiting the scope of cyber risk management.

  21. The Value of Risk Assessment

    The Value of Risk Assessment - A Case Study. Security risk assessment is an invaluable tool in a security professional's quest to protect a company's information assets. Information Technology projects that do not go through a security risk assessment process have a greater potential of exposing a company's information assets to corruption...

  22. PDF Case Studies in Cyber Supply Chain Risk Management

    These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices. For information on NIST's Cyber Supply Chain Risk Management project, see.

  23. Paralyzed or Compromised: A Case Study of Decisions in Cyber-Physical

    1. Baheti R Gill H Cyber-physical systems Impact Control Technol. 2011 12 161 166 Google Scholar; 2. Ashibani Y Mahmoud QH Cyber physical systems security: analysis, challenges and solutions Comput. Secur. 2017 68 81 97 10.1016/j.cose.2017.04.005 Google Scholar Digital Library 3. Alguliyev R Imamverdiyev Y Sukhostat L Cyber-physical systems and their security issues Comput. Ind. 2018 100 212 ...

  24. 3 CYBER-PHYSICAL POWER SYSTEM MODEL

    Section 4 illustrates the risk assessment framework. The case study and results are presented in Section 5, with discussion in Section 6. ... Previous research studies have been conducted to understand the interdependencies and risk assessment in cyber-physical systems. In ref. , a comprehensive cyber-physical model was developed using the ...

  25. 2024 Cybersecurity Assessment Report

    The annual Cybersecurity Assessment Report provides critical insights into how organizations are navigating these challenges. In its highly anticipated second annual report, Bitdefender, along with independent research firm Censuswide, surveyed 1200 IT professionals ranging in title from IT managers to CISOs in various industry sectors who work ...

  26. Designing Effective Cyber Security Strategy: Case Study Analysis

    E a2021 ICT404 Cyber Security Practices Assessment 4 WEEK 12 Design and develop cyber security strategy for a case study Appendix A A Sample Cyber Security Strategy 1. Introduction a. Objective and Scope: Briefly describe the background and overall aim in achieving a cyber security strategy for the organisation and the areas covered by this strategy (e.g., IT systems, applications, data).

  27. PDF Case Studies in Cyber Supply Chain Risk Management

    These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices. For information on NIST's Cyber Supply Chain Risk Management project, see.