Cyber Quantification Non-financial Risk Management GRAFT & DAIR Lois Tullo Sohail Farooq GRI BankingBook Analytics Email: ltullo@globalriskinstitute.org (BBA) Email: sohail@bba.to 1
Drivers of nonfinancial risk Climate Change - Rising CO2 levels Inflation Migration Continues US Governance Uncertainty Asset Bubble Russian Ukraine Conflict N. Korea Weapons Testing Cyberattacks Syrian Conflict Increasing National Sentiments Aging Population Income & Wealth Disparity Increasing Polarization of Society Japanese Earthquakes South Sudan Drought / Conflict Increasing Urbanization Yemen Crisis South China Sea Conflict Fiscal Crisis/ Sovereign Debt Illicit Trade Extreme Weather Events Increasing Global Cyber Dependence 2
Nonfinancial Risk Regulatory Expectations OSFI’s 2020 plan include the goal for Federally regulated financial institutions and pension plans to be better prepared to identify and develop resilience to non-financial risks before they negatively affect their financial condition. OSFI is pursuing efforts in the oversight of non-financial risks to support their effective management by FRFIs and pension plans. Key objectives related to this priority include: • Continuing to develop OSFI’s regulatory and supervisory approaches to technology risks, including digitization, cloud computing, risk modelling and cyber risk. 3
Nonfinancial Risk Regulatory Expectations The EU has issued The Non-Financial Reporting Directive (2014/95/EU) requires large public interest entities with over 500 employees (listed companies, banks, and insurance companies) to disclose certain non-financial information. • A company is required to disclose information on environmental, social and employee matters, respect for human rights, and bribery and corruption, to the extent that such information is necessary for an understanding of the company’s development, performance, position and impact of its activities. • Non-Financial Risk information should be reported if it is necessary for an understanding of the development, performance and position of the company. 4
Non-Financial Risk Management Using the Global Risks and Trends Framework (GRAFT) GRAFT is a new approach designed to help organizations including banks, insurance companies, pension funds and asset managers identify, assess and respond to Non-Financial Risk. • Used in order to avoid pitfalls that could threaten an organization’s long-term survival or conversely to leverage for the benefit of the organization. A method that: • Compares the assumptions supporting your strategic plan with the correlations of prioritized Global Risks and Trends to identify Key Insights for the organization; • Promotes a common language, shared understanding and quantification of the implications of Global Risks and Trends on your organization’s strategic plan; and • Defines the roles of the BOD, Sr Mgt, RM, BU, IA. And enables more informed decisions making process. 5
Overview of Global Risks and Trends Framework for Nonfinancial Risk Management Organizational Vision & Strategy Risk Appetite Statement Geopolitical GRAFT T r e Economic Societal n d s Impact Global Risks R i & Trends s k s Key Strategies Environmental Technological Urgency & Strategic Assumptions Key Insights New and profound insights regarding the interplay of risk and trends to enlighten and enhance strategic decision making 6
GRAFT Implementation Continuum Emerging Risks & Ad hoc Identification Stand alone process Emerging Risks & Emerging Risk & Trends Trends not yet focused of Emerging Risks & to identify Emerging Trends integrated Completely Integrated on by the organization Trends Risks & Trends into ERM process into Strategic Planning Qualitative Quantification Measurement of Measurement of Emerging Risks & Emerging Risks & Trends Trends 7
In managing cyber risk, focus is pre-dominantly on identifying causes and managing them Causes Impact • Buy more bandwidth. ... A balanced approach is needed to classify and model Denial of service • Build redundancy into your losses attributed to cyber events infrastructure Web-based attacks • Configure your network hardware Direct Indirect against DDoS attacks. ... Malicious insiders • Deploy anti-DDoS hardware and Profit warning Media coverage software modules. ... • Deploy a DDoS protection appliance. Phishing and social engineering Loss of credibility and Dividends cut customer-base ... • Protect your DNS servers…. Stolen devices • Rights issue Using prepared statements with Reputational loss parameterized queries. This ensures ……. that the SQL code is defined first and Losses Drop in rating/Share price then the queries are passed later. The …….. effect is that the database can differentiate between SQL code and Malware SQL data. This means that the code is not vulnerable to SQL injection … Viruses, worms, trojans • ………. 8
Quantifying cyber-attack losses Developing an impact-based approach Loss of Competitive advantage Profit warning Replacement of asset Benefits Dividends cut Cost-benefit analysis Fines and judgements Rights issue Insurance Loss of Productivity Loss of equity/capital Contribution of cyber risk in pricing frameworks Cost of Response Breakdown of Int’l Governance Control framework Loss of Reputation Inter-state conflict Risk appetite Media coverage Supply chain disruption Effective communication Contiguous malware Deception and misinformation Loss of equity/capital Systemic Firm-wide 9
Practice survey: Factor Analysis of Information Risk (FAIR) approach Challenge with the with the modelling of FAIR Risk = f(probable frequency, probable magnitude) approach • Views events in terms of one likelihood parameter and one impact parameter rather Worst case than the entire set of such pairs that in fact Severe (6) H H C C C outcomes by describe an event FAIR: Type of • Focuses on “phantom” risks (high likelihood, Probable loss magnitude (PLM) loss that high impact) and gives insufficient attention to M H C C High (5) H occurs real risks (low likelihood, high impact) • hundreds of Fails to recognize that it is the potential high times a year impact but low likelihood manifestation of each Significant (4) M M H H C and each time type of event that poses the challenge in terms causes billion of risk quantification (capital) dollar in o Can put you out of business or cause Moderate (3) H H L M M losses severe harm o Difficult to understand and prioritise in advance M M Low (2) L L M • Fails to capture the fact that it is events with significant low likelihood but high impact “tails” that pose the challenge rather than Very Low (1) L L M M M events for which a low likelihood and high impact has arbitrarily been picked Low (2) Med (3) High (4) Very High (5) Very Low (1) Loss event frequency (LEF) 10 10
Difference between FAIR and DAIR FAIR approach Impact-based approach - DAIR Benefits High (3) 3 6 9 High (3) Likelihood Likelihood Med (2) 2 4 6 Med (2) Low (1) 1 2 3 Low (1) Low (1) Med (2) High (3) Low (1) Med (2) High (3) Impact Impact DAIR defines cyber risk impact modelling FAIR describes cyber risk as probability- in terms of severity or as Unexpected Loss weighted severity or “mean severity” 11 11
Distribution Analysis for Information Risk (DAIR) framework. DAIR is a cyber quantification methodology that maps cyber events with a hierarchical risk taxonomy to evaluate the impact of cyber loss events. DAIR enhances a firm’s understanding of cyber risk exposure by: • highlighting where the highest dollar level of threat may be coming from; • helping management and boards set and monitor their cyber risk appetite, make decisions based on the organization’s risk tolerance level; • helping to make better informed decisions relating to expenditures on cyber risk mitigation, insurance and internal capital requirement; and • helping the management demonstrate to regulators that they are managing cyber risk in a comprehensive way 12
Variants of Cyber Loss Factors and Meta-Risk Classification Key Variants of Cyber Loss Organization-wide Classifications • Operational risk: Within the context of operational risk, cyber risk can be defined as “operational risk to information technology assets that have • Loss of cyber and/or physical consequences affecting the confidentiality, availability, or integrity of property due to a cyber event information or information systems”. Basel’s includes legal risk, but excludes strategic and reputational risk. [BIS 2006] • Loss of reputation and/or damage to • stakeholders’ perception of an Business risk: Business risk is the risk of having costs higher than revenues due to shocks to margins, volumes or costs. institution’s franchise due to a cyber event • • Loss of cyber and/or physical Systemic risk: Systemic risk is the risk of disruption to financial services that is property due to contagion or (i) caused by an impairment of all or parts of the financial system and (ii) has systemic event caused by a cyber the potential to have serious negative consequences for the real economy. event, e.g., breakdown of Fundamental to the definition is the notion of negative externalities from a international governance, cyber disruption or failure in a financial institution, market or instrument. [BofE warfare 2019] 13
Recommend
More recommend
