Cyber Quantification Non-financial Risk Management GRAFT & DAIR - - PowerPoint PPT Presentation



SLIDE 1

Cyber Quantification Non-financial Risk Management

GRAFT & DAIR

Lois Tullo, GRI. Email: ltullo@globalriskinstitute.org
Sohail Farooq, BankingBook Analytics (BBA). Email: sohail@bba.to

SLIDE 2

Drivers of nonfinancial risk

[Figure: the drivers are shown as labels spread around the slide; they are listed here.]

  • Cyberattacks
  • Increasing Global Cyber Dependence
  • Increasing National Sentiments
  • Asset Bubble
  • US Governance Uncertainty
  • Fiscal Crisis / Sovereign Debt
  • Illicit Trade
  • Inflation
  • Migration Continues
  • Russian-Ukraine Conflict
  • South Sudan Drought / Conflict
  • Syrian Conflict
  • Yemen Crisis
  • South China Sea Conflict
  • N. Korea Weapons Testing
  • Extreme Weather Events
  • Japanese Earthquakes
  • Climate Change - Rising CO2 levels
  • Increasing Urbanization
  • Aging Population
  • Income & Wealth Disparity
  • Increasing Polarization of Society

SLIDE 3

Nonfinancial Risk Regulatory Expectations

OSFI’s 2020 plan includes the goal that federally regulated financial institutions (FRFIs) and pension plans be better prepared to identify and develop resilience to non-financial risks before they negatively affect their financial condition. OSFI is pursuing efforts in the oversight of non-financial risks to support their effective management by FRFIs and pension plans. Key objectives related to this priority include:

  • Continuing to develop OSFI’s regulatory and supervisory approaches to technology risks, including digitization, cloud computing, risk modelling and cyber risk.

SLIDE 4

Nonfinancial Risk Regulatory Expectations

The EU’s Non-Financial Reporting Directive (2014/95/EU) requires large public-interest entities with over 500 employees (listed companies, banks and insurance companies) to disclose certain non-financial information.

  • A company is required to disclose information on environmental, social and employee matters, respect for human rights, and bribery and corruption, to the extent that such information is necessary for an understanding of the company’s development, performance, position and the impact of its activities.
  • Non-financial risk information should be reported if it is necessary for an understanding of the development, performance and position of the company.
SLIDE 5

Non-Financial Risk Management Using the Global Risks and Trends Framework (GRAFT)

GRAFT is a new approach designed to help organizations, including banks, insurance companies, pension funds and asset managers, identify, assess and respond to non-financial risk.

  • Used in order to avoid pitfalls that could threaten an organization’s long-term survival or, conversely, to leverage them for the benefit of the organization.

A method that:

  • Compares the assumptions supporting your strategic plan with the correlations of prioritized Global Risks and Trends to identify Key Insights for the organization;
  • Promotes a common language, shared understanding and quantification of the implications of Global Risks and Trends on your organization’s strategic plan; and
  • Defines the roles of the Board of Directors (BOD), Senior Management (Sr Mgt), Risk Management (RM), Business Units (BU) and Internal Audit (IA), and enables a more informed decision-making process.

SLIDE 6

Overview of Global Risks and Trends Framework for Nonfinancial Risk Management

[Figure: GRAFT overview diagram. Inputs: Organizational Vision & Strategy; Risk Appetite Statement; Key Strategies & Strategic Assumptions. Global Risks & Trends (Geopolitical, Economic, Societal, Environmental, Technological) are plotted as Risks and Trends along Urgency and Impact axes. Output: Key Insights.]

Key Insights: new and profound insights regarding the interplay of risks and trends to enlighten and enhance strategic decision making.

SLIDE 7

GRAFT Implementation Continuum

[Figure: maturity continuum. The stages shown, from least to most integrated:]

  • Emerging Risks & Trends not yet focused on by the organization
  • Ad hoc identification of Emerging Risks & Trends
  • Stand-alone process to identify Emerging Risks & Trends
  • Qualitative measurement of Emerging Risks & Trends
  • Quantification measurement of Emerging Risks & Trends
  • Emerging Risks & Trends integrated into the ERM process
  • Emerging Risks & Trends completely integrated into strategic planning

SLIDE 8

In managing cyber risk, the focus is predominantly on identifying causes and managing them.

Causes: malicious insiders; phishing and social engineering; stolen devices; malware (viruses, worms, trojans); web-based attacks; denial of service; ...

Typical cause-focused controls quoted on the slide:

  • Buy more bandwidth.
  • Build redundancy into your infrastructure.
  • Configure your network hardware against DDoS attacks.
  • Deploy anti-DDoS hardware and software modules.
  • Deploy a DDoS protection appliance.
  • Protect your DNS servers.
  • Use prepared statements with parameterized queries. This ensures that the SQL code is defined first and the query values are passed later, so the database can differentiate between SQL code and SQL data; the code is then not vulnerable to SQL injection.
  • ...

Impact (direct and indirect): dividends cut; rights issue; profit warning; losses; media coverage; loss of credibility and customer base; reputational loss; drop in rating / share price.

A balanced approach is needed to classify and model losses attributed to cyber events.
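The prepared-statement control quoted on this slide, shown as an added Python example (not code from the slide deck or its authors): a constructed in-memory SQLite `accounts` table is queried once by string concatenation and once with a bound parameter, so the two functions can be compared on the same inputs. The table, the sample rows and the function names (`build_demo_db`, `lookup_concatenated`, `lookup_parameterized`, `concatenation_breaks_on_quote`) are all assumptions of this example.

```python
import sqlite3

# Constructed sample data for the illustration; not from the slide deck.
SAMPLE_ACCOUNTS = [("alice", 120.0), ("bob", 75.5), ("carol", 980.25)]


def build_demo_db():
    """Create an in-memory SQLite database with a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance REAL)"
    )
    # The insert itself uses bound parameters as well.
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)", SAMPLE_ACCOUNTS
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the untrusted value is pasted into the SQL text.

    The database parser receives one string and cannot tell which characters
    were meant as code and which as data.
    """
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Prepared statement: the SQL text is fixed before any value is supplied.

    The value is bound to the placeholder separately, so it is always data,
    whatever characters it contains.
    """
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def concatenation_breaks_on_quote(conn, username="o'brien"):
    """True if a legitimate name containing a quote makes the concatenated
    query fail to parse; the bound version handles the same name fine."""
    try:
        lookup_concatenated(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_parameterized(db, "alice"))        # [('alice', 120.0)]
    print(concatenation_breaks_on_quote(db))        # True
    probe = "x' OR '1'='1"                          # the classic code/data confusion
    print(len(lookup_concatenated(db, probe)))      # 3: the WHERE clause was rewritten
    print(lookup_parameterized(db, probe))          # []: the whole string is just a username
```

The point the slide makes is visible in the last two lines of the demo: with a bound parameter the quote-bearing string is compared literally against `username` and matches nothing, whereas concatenation lets the same string change the query structure. The `o'brien` case shows the other side of the same defect, a legitimate value that breaks the concatenated statement, which is usually the first symptom seen in logs.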

SLIDE 9

Quantifying cyber-attack losses

Developing an impact-based approach

[Figure: impacts grouped by scope.]

Firm-wide: cost of response; fines and judgements; loss of reputation; replacement of asset; loss of competitive advantage; loss of productivity; media coverage; dividends cut; rights issue; profit warning; loss of equity/capital.

Systemic: contagious malware; deception and misinformation; inter-state conflict; supply chain disruption; breakdown of international governance; loss of equity/capital.

Benefits: risk appetite; insurance; effective communication; cost-benefit analysis; control framework; contribution of cyber risk in pricing frameworks.

SLIDE 10

Risk = f(probable frequency, probable magnitude)

Practice survey: Factor Analysis of Information Risk (FAIR) approach

[Figure: FAIR risk matrix. Rows: Probable loss magnitude (PLM) from Very Low (1), Low (2), Moderate (3), Significant (4), High (5) to Severe (6). Columns: Loss event frequency (LEF) from Very Low (1), Low (2), Med (3), High (4) to Very High (5). Each cell is rated L (low), M (medium), H (high) or C (critical).]

Worst case outcomes by FAIR: a type of loss that occurs hundreds of times a year and each time causes a billion dollars in losses.

Challenges with the modelling of the FAIR approach:

  • Views events in terms of one likelihood parameter and one impact parameter rather than the entire set of such pairs that in fact describe an event.
  • Focuses on “phantom” risks (high likelihood, high impact) and gives insufficient attention to real risks (low likelihood, high impact).
  • Fails to recognize that it is the potential high-impact but low-likelihood manifestation of each type of event that poses the challenge in terms of risk quantification (capital).
  • Such events can put you out of business or cause severe harm.
  • They are difficult to understand and prioritise in advance.
  • Fails to capture the fact that it is events with significant low-likelihood but high-impact “tails” that pose the challenge, rather than events for which a low likelihood and high impact has arbitrarily been picked.

SLIDE 11

Difference between FAIR and DAIR

FAIR approach (cell score = Likelihood × Impact):

                        Impact: Low (1)   Med (2)   High (3)
  Likelihood High (3)              3         6          9
  Likelihood Med (2)               2         4          6
  Likelihood Low (1)               1         2          3

[Figure: Impact-based approach - DAIR: the same Likelihood (Low (1), Med (2), High (3)) by Impact (Low (1), Med (2), High (3)) grid, shown without the product scores.]

Benefits

FAIR describes cyber risk as probability-weighted severity or “mean severity”. DAIR defines cyber risk impact modelling in terms of severity, or as Unexpected Loss.

SLIDE 12

Distribution Analysis for Information Risk (DAIR) framework

DAIR is a cyber quantification methodology that maps cyber events with a hierarchical risk taxonomy to evaluate the impact of cyber loss events. DAIR enhances a firm’s understanding of cyber risk exposure by:

  • highlighting where the highest dollar level of threat may be coming from;
  • helping management and boards set and monitor their cyber risk appetite and make decisions based on the organization’s risk tolerance level;
  • helping to make better informed decisions relating to expenditures on cyber risk mitigation, insurance and internal capital requirements; and
  • helping management demonstrate to regulators that they are managing cyber risk in a comprehensive way.

SLIDE 13

Variants of Cyber Loss Factors and Meta-Risk Classification

Key Variants of Cyber Loss, each paired with its Organization-wide Classification:

  • Loss of cyber and/or physical property due to a cyber event.
    Operational risk: within the context of operational risk, cyber risk can be defined as “operational risk to information technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems”. The Basel definition includes legal risk, but excludes strategic and reputational risk. [BIS 2006]

  • Loss of reputation and/or damage to stakeholders’ perception of an institution’s franchise due to a cyber event.
    Business risk: business risk is the risk of having costs higher than revenues due to shocks to margins, volumes or costs.

  • Loss of cyber and/or physical property due to contagion or a systemic event caused by a cyber event, e.g., breakdown of international governance, cyber warfare.
    Systemic risk: systemic risk is the risk of disruption to financial services that is (i) caused by an impairment of all or parts of the financial system and (ii) has the potential to have serious negative consequences for the real economy. Fundamental to the definition is the notion of negative externalities from a disruption or failure in a financial institution, market or instrument. [BofE 2019]

SLIDE 14

Mapping Cyber Events With DAIR Hierarchical Framework

[Figure: mapping from a long list of cyber crimes, through the hierarchical risk taxonomy and the forms of losses, to the DAIR models used to quantify cyber risk.]

Long list of cyber crimes: malicious insiders; phishing and social engineering; stolen devices; malware; viruses, worms, trojans; web-based attacks; denial of service; ...

Hierarchical risk taxonomy: actions of people; systems and technology failures; failed internal processes; external events; system-wide losses.

Forms of losses: response; fines and judgements; reputation; replacement; competitive advantage; productivity.

DAIR models to quantify cyber risk: operational cyber risk; business cyber risk; systemic cyber risk.

SLIDE 15

  • Operational cyber risk (this section)
  • Business cyber risk
  • Systemic cyber risk

SLIDE 16

Operational Cyber Risk Quantification Steps

  1. Asset Bucketing
  2. Scenario Analysis
  3. Frequency Distribution
  4. Severity Distribution
  5. Convolution process
  6. Simulation (Monte Carlo example)
  7. Loss Adjustment Using Control Scorecard

Operational risk

SLIDE 17

DAIR Identifies an Exposure Indexation of Crucial Assets

[Figure: bubble chart of assets with Threat on the horizontal axis (1 to 10) and Vulnerability on the vertical axis (2 to 10), grouped into Cohort 1, Cohort 2 and Cohort 3. Size of bubble reflects relative exposure risk of assets.]

Operational risk

SLIDE 18

Quantification: Curve Fitting and Convolution Process

[Figure: five-step process diagram; its labels are reproduced below.]

Step 1: Exposure identification of assets (critical people, processes, data, systems/technology), ranked by exposure.

Step 2: Data input (internal losses, external losses, near misses). Scenarios (Scenario 1: Phishing; Scenario 2: Ransomware; Scenario 3: Data breach/Hack; ...; Scenario (n): Malware) are marked against the operational risk event types (External Fraud; Internal Fraud; Damage to Physical Assets; Execution, Delivery and Process Management; Business Disruption and System Failures; Clients, Products, and Business Processes), with a VaR ($) per scenario.

Step 3: Aggregation of asset cohorts.

Step 4: Frequency and severity curve fitting for each event type (Event Type 1 ... Event Type n) over the exposed assets.

Step 5: Creation of a “convolution tree” combining the frequency and severity distributions per event type and asset cohort (cSBU1, ...).

Operational risk

SLIDE 19

Loss distribution is generated stochastically on the basis of a frequency and a severity distribution for each scenario

  • A. Start iteration: simulate each severity scenario (Scenario 1: Internal fraud; Scenario 2: Money laundering; Scenario 3 etc.).
  • B. Select frequency: how many losses occur in the year? (drawn from the scenario’s frequency probability distribution)
  • C. Select severities: how big are these losses? (drawn from the scenario’s severity probability distribution)
  • D. Calculate loss: total of event severities.
  • E. Calculate total yearly loss.
  • F. Repeat for many iterations.
  • G. Rank and ‘stack’ yearly losses to build the loss distribution.

[Figure: for each simulated year (‘iteration’ 1, 2, 3, ...) the sampled frequencies (e.g. Freq=4, Freq=2), the sampled severities (illustrative values such as $20k, $40k, $1M, $1.3M, $1.5M, $17M) and the yearly totals (Σ yr 1, Σ yr 2, Σ yr 3, $XX MM) are shown; the stacked yearly totals form the loss probability distribution.]
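Steps A to G above, and the FAIR-versus-DAIR distinction on slide 11 between mean severity and Unexpected Loss, as an added Python example (not code from the slide deck or its authors). Each scenario is given a Poisson annual frequency and a log-normal severity; the simulation draws a year many times, ranks the yearly totals, and reads off expected loss, VaR and unexpected loss (VaR minus expected loss). The scenario figures, the distribution choices and the function names are assumptions of this example.

```python
import math
import random

# Constructed scenarios (illustrative figures, not from the slide deck):
# annual_frequency is the Poisson mean; severity mean/stdev are in dollars.
SCENARIOS = [
    {"name": "Internal fraud", "annual_frequency": 4.0,
     "severity_mean": 1.0e6, "severity_stdev": 2.0e6},
    {"name": "Money laundering", "annual_frequency": 2.0,
     "severity_mean": 3.0e5, "severity_stdev": 5.0e5},
    {"name": "Ransomware", "annual_frequency": 0.5,
     "severity_mean": 5.0e6, "severity_stdev": 8.0e6},
]


def sample_poisson(rng, mean):
    """Number of loss events in a year (Knuth's method; fine for small means)."""
    if mean <= 0:
        return 0
    limit = math.exp(-mean)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def lognormal_params(mean, stdev):
    """Convert a severity mean/stdev to the mu/sigma of ln(severity)."""
    sigma2 = math.log(1.0 + (stdev / mean) ** 2)
    return math.log(mean) - sigma2 / 2.0, math.sqrt(sigma2)


def simulate_year(rng, scenarios):
    """Steps B to E for one simulated year: frequency, severities, scenario loss, yearly total."""
    yearly_total = 0.0
    for sc in scenarios:
        n_events = sample_poisson(rng, sc["annual_frequency"])                 # B
        mu, sigma = lognormal_params(sc["severity_mean"], sc["severity_stdev"])
        severities = [rng.lognormvariate(mu, sigma) for _ in range(n_events)]  # C
        yearly_total += sum(severities)                                         # D, E
    return yearly_total


def simulate_annual_losses(scenarios, iterations=10_000, seed=1):
    """Steps F and G: repeat for many years, then rank the yearly totals."""
    rng = random.Random(seed)
    losses = [simulate_year(rng, scenarios) for _ in range(iterations)]
    losses.sort()
    return losses


def loss_metrics(sorted_losses, confidence=0.99):
    """Expected loss (the FAIR-style probability-weighted figure), VaR at the
    confidence level, and unexpected loss = VaR - expected loss (the DAIR quantity)."""
    n = len(sorted_losses)
    expected = sum(sorted_losses) / n
    index = min(n - 1, max(0, math.ceil(confidence * n) - 1))
    var = sorted_losses[index]
    return {"expected_loss": expected, "var": var, "unexpected_loss": var - expected}


if __name__ == "__main__":
    dist = simulate_annual_losses(SCENARIOS, iterations=20_000, seed=42)
    for key, value in loss_metrics(dist, 0.99).items():
        print(f"{key:>16}: ${value / 1e6:,.2f}M")
```

The gap between `expected_loss` and `var` is what the deck calls the tail: the low-frequency, high-severity draws barely move the mean but dominate the 99th percentile, which is why a capital figure based on unexpected loss differs so much from a mean-severity score.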

SLIDE 20

Loss Adjustment Using Control Scorecard

  • After cyber loss estimates are determined for each cohort across business units, KRIs can be drawn together for each asset cohort.
  • The KRIs are then evaluated for controls against potential losses.
  • Capital is then allocated based on the effectiveness of the controls.

Application of DAIR in the control framework:

  1. Risk identification
  2. Map cyber risks to KRI long list
  3. Adopt risk/KRI map to asset cohorts
  4. Define acceptable KRI limits
  5. Calibrate the impact on scenarios

SLIDE 21

  • Operational cyber risk
  • Business cyber risk (this section)
  • Systemic cyber risk

SLIDE 22

Business Cyber Risk Quantification

  • Business cyber risk captures the knock-on effects of cyber events, such as reputational risk. Some secondary impacts include:
    • negative media coverage
    • loss of credibility
    • reputational loss
    • loss of customer base
    • credit rating downgrade
    • significant drop in share price
    • large fines

[Figure: probability distribution of earnings with Expected earnings marked, and the outcomes Profit warning, Dividends cut and Rights issue marked along the earnings axis.]

SLIDE 23

Modeling Business Risk

Business risk capital (BRC) is the amount of capital required to be held against unexpected cyber losses. The calculation of BRC is based upon the following assumptions:

  • Known fixed cost bases (non-volume dependent)
  • Volume-dependent costs (VDC)
  • Operating revenue (OR) is revenue derived from margins, spreads or commissions.
  • Variable Margin (VM) is log-normally distributed and defined as:
SLIDE 24

Modeling Business Risk

In a mature business, variable margin is log-normally distributed with mean μ_VM and standard deviation σ_VM. The worst-case variable margin at the appropriate confidence interval is calculated from the normal distribution of LnVM with mean μ_LnVM and standard deviation σ_LnVM. Business risk capital is thus defined in terms of a multiple, m, of the volatility of variable margin; the value of the multiple is determined from the desired solvency standard. The difference between mean VM and worst-case VM is the amount of business risk capital:

SLIDE 25

  • Operational cyber risk
  • Business cyber risk
  • Systemic cyber risk (this section)
SLIDE 26

Systemic Cyber Risk

WannaCry Chronology

SLIDE 27

Systemic Cyber Risk – Scenario Design

SLIDE 28

Calculating Systemic Cyber Risk

Business risk and Earnings-at-Risk (EaR) underpin business risk, expressed as the maximum frequency of earnings shortfalls of a given severity.

  • Define top-down GRAFT scenarios.
  • Develop explanatory variables from the scenarios to forecast earnings volatility.
  • The earnings volatility rate is a function of the values of the systemic risk factors triggered by GRAFT scenarios.
  • Example (stock market crash, inflation, etc.)
  • Earnings at Risk
SLIDE 29

Calculating Systemic Cyber Risk

Once the systemic risk parameters are finalized, experts can then forecast medium term values for both the base and stressed GRAFT cases.

SLIDE 30

Systemic Cyber Risk – Normally Distributed Earnings Data

GRAFT Scenarios: breakdown of international governance; deception and misinformation in cyber space; supply chain disruption; cyber politics. These are sources of systemic risks and correlated risks, e.g., reputational risk.

[Figure: earnings over periods 1 to 19 with a 90% CI earnings deviation band; historic volatility is compared with the assumed future volatility due to GRAFT. The resulting earnings distribution is shown as probability of outcome and as cumulative probability, and EaR at the 90% CI is read off using 1.645 on both the pdf and the cdf view.]
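The two capital calculations in this section, business risk capital from a log-normal variable margin (slide 24) and Earnings-at-Risk from normally distributed earnings at the 90% CI (this slide), as one added Python example (not code from the slide deck or its authors). Both rest on the same standard-normal quantile: `NormalDist().inv_cdf(0.95)` returns 1.645, the boundary of the 90% two-sided interval used on the slide, and the solvency multiple m is the same function at a higher confidence level. The VM figures, the 19-period earnings series, the stress multiplier and the function names are assumptions of this example.

```python
import math
from statistics import NormalDist, mean, stdev

# Constructed inputs (illustrative, not from the slide deck).
VM_MEAN = 100.0   # mean variable margin, $M
VM_STDEV = 20.0   # standard deviation of variable margin, $M
EARNINGS = [52.0, 55.5, 49.0, 58.0, 61.0, 47.5, 53.0, 56.0, 50.5, 59.0,
            62.5, 48.0, 54.0, 57.5, 51.0, 60.0, 46.0, 55.0, 58.5]  # 19 periods, $M


def lognormal_from_moments(vm_mean, vm_stdev):
    """mu_LnVM and sigma_LnVM of ln(VM) for a log-normal VM with the given mean/stdev."""
    sigma2 = math.log(1.0 + (vm_stdev / vm_mean) ** 2)
    return math.log(vm_mean) - sigma2 / 2.0, math.sqrt(sigma2)


def solvency_multiple(confidence):
    """Multiple m of volatility for a one-sided confidence level (standard normal quantile).
    0.95 gives 1.645 (the 90% two-sided CI boundary); 0.999 gives about 3.09."""
    return NormalDist().inv_cdf(confidence)


def business_risk_capital(vm_mean, vm_stdev, confidence=0.999):
    """BRC = mean VM - worst-case VM, with worst-case VM = exp(mu_LnVM - m * sigma_LnVM)."""
    mu_ln, sigma_ln = lognormal_from_moments(vm_mean, vm_stdev)
    m = solvency_multiple(confidence)
    worst_case_vm = math.exp(mu_ln - m * sigma_ln)  # lower quantile of the log-normal VM
    return {"m": m, "worst_case_vm": worst_case_vm, "brc": vm_mean - worst_case_vm}


def earnings_at_risk(earnings, stress_multiplier=1.0, confidence=0.95):
    """EaR = z * sigma for normally distributed earnings.

    stress_multiplier scales historic volatility up to the assumed future
    volatility under a GRAFT scenario (an assumption of this example, standing
    in for the explanatory-variable forecast on slide 28)."""
    historic_vol = stdev(earnings)
    future_vol = historic_vol * stress_multiplier
    z = solvency_multiple(confidence)
    return {"expected_earnings": mean(earnings), "z": z,
            "historic_vol": historic_vol, "stressed_vol": future_vol,
            "ear_base": z * historic_vol, "ear_stressed": z * future_vol}


if __name__ == "__main__":
    r = business_risk_capital(VM_MEAN, VM_STDEV)
    print(f"m = {r['m']:.3f}, worst-case VM = {r['worst_case_vm']:.2f}, BRC = {r['brc']:.2f}")
    e = earnings_at_risk(EARNINGS, stress_multiplier=1.5)
    print(f"z = {e['z']:.3f}, EaR base = {e['ear_base']:.2f}, EaR stressed = {e['ear_stressed']:.2f}")
```

Because the worst case is taken on ln(VM), the capital figure is asymmetric: the same m applied to a larger σ_VM lowers the worst-case VM more than proportionally, which is the behaviour the slide's log-normal assumption is meant to capture. For EaR the stressed figure scales linearly with the assumed future volatility, so the whole effect of a GRAFT scenario enters through that volatility forecast.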

SLIDE 31

Insurability of Cyber Risk

  • Case-by-case basis
  • Limited capital-reducing effect
  • Often affected by per-claim limits
  • Scope limitations
SLIDE 32

Next Steps

  • Data collection
  • Consolidation of cyber risk into a single organization-wide taxonomy
  • Use cyber scenarios and quantification to improve control frameworks and prevent attacks
  • Include cyber quantification in risk appetite and in the development of key risk indicators to develop a robust control framework
  • Deep dives
  • Enhanced communication with stakeholders