WORKING PAPER
CARNEGIE ENDOWMENT FOR INTERNATIONAL PEACE
Cyber Risk Scenarios, the Financial System, and Systemic Risk Assessment
Lincoln Kaffenberger and Emanuel Kopp
SEPTEMBER 2019
Cyber Policy Initiative Working Paper Series | “Cybersecurity and the Financial System” #4
© 2019 Carnegie Endowment for International Peace. All rights reserved.
The views expressed in this book are those of the authors and do not necessarily represent the views of the IMF, its Executive Board, or IMF management.
Carnegie does not take institutional positions on public policy issues: the views represented herein are the authors’ own and do not necessarily reflect the views of Carnegie, its staff, or its trustees.
No part of this publication may be reproduced or transmitted in any form or by any means without permission in writing from the Carnegie Endowment for International Peace. Please direct inquiries to:
Carnegie Endowment for International Peace Publications Department 1779 Massachusetts Avenue NW Washington, DC 20036 P: + 1 202 483 7600 F: + 1 202 483 1840 CarnegieEndowment.org
This publication can be downloaded at no cost at CarnegieEndowment.org.
CONTENTS
About the Authors vi
Scenarios 8
Ways to Mitigate Risk 19
Conclusion 21
Notes 23
Cybersecurity and the Financial System
Carnegie’s working paper series “Cybersecurity and the Financial System” is designed to be a platform for thought-provoking studies and in-depth research focusing on this increasingly important nexus. Bridging the gap between the finance policy and cyber policy communities and tracks, contributors to this paper series include government officials, industry representatives, and other relevant experts in addition to work produced by Carnegie scholars. In light of the emerging and nascent nature of this field, these working papers are not expected to offer any silver bullets but to stimulate the debate, inject fresh (occasionally controversial) ideas, and offer interesting data.
If you are interested in this topic, we also invite you to sign up for Carnegie’s FinCyber newsletter providing you with a curated regular update on latest developments regarding cybersecurity and the financial system: https://carnegieendowment.org/subscribe/fincyber.
If you would like to learn more about this paper series and Carnegie’s work in this area, please contact Tim Maurer, co-director of the Cyber Policy Initiative, at [email protected].
Papers in this Series:
• “Cyber Risk Scenarios, the Financial System, and Systemic Risk Assessment” Lincoln Kaffenberger and Emanuel Kopp, September 2019
• “The Cyber Threat Landscape: Confronting Challenges to the Financial System” Adrian Nish and Saher Naumaan, March 2019
• “Protecting Financial Institutions Against Cyber Threats: A National Security Issue” Erica D. Borghard, September 2018
• “Toward a Global Norm Against Manipulating the Integrity of Financial Data” Tim Maurer, Ariel (Eli) Levite, and George Perkovich, March 2017
About the Authors
Lincoln Kaffenberger works as an information security professional in the financial sector. He is also a co-author of the IMF’s seminal paper on cyber risk (“Cyber Risk, Market Failures, and Financial Stability,” 2017). He has over a decade of experience helping organizations understand the threats they face and make informed, risk-based decisions.
Emanuel Kopp is a senior economist with the International Monetary Fund. His research interests include macrofinancial risk, financial stability and regulation, investment, and macroeconomic forecasting. Before joining the IMF, Kopp was an assistant professor of finance and a central banker.
Abstract
Cyber risk has become a key issue for stakeholders in the financial system. But its properties are still not precisely characterized and well understood. To help develop a better understanding, we discuss the properties of cyber risk and categorize various cyber risk scenarios. Furthermore, we present a conceptual framework for assessing systemic cyber risk to individual countries. This involves analyzing cyber risk exposures, assessing cybersecurity and preparedness capabilities, and identifying buffers available to absorb cyber risk–induced shocks.
Introduction
Internet usage is globally expanding at a rapid pace. According to the International Telecommunications Union (ITU), 1.5 billion new users accessed the internet between 2010 and 2016.1 Although internet access fosters digital, social, and financial inclusion, the ever-expanding digitalization of life increasingly provides opportunities for adversaries. These opportunities range from criminals conducting financial fraud and information theft to sophisticated hackers conducting disruptive and even destructive cyber attacks.
Assessing and managing systemic cyber risk remains challenging. The financial system has so far weathered larger-scale cyber attacks, but some argue that the system has not been tested for a truly systemic event.2 As the connection between cyberspace and the real economy intensifies— amid widely expected further increases in interdependency, interconnectivity, and complexity— the probability that an external shock will affect the financial system and become a systemic event increases.3 Further, the inherent lack of transparency into highly integrated operations and interdependencies complicates an ex-ante assessment and quantification of systemic cyber risk. Data are scarce, and only rarely is cyber risk measured in terms of economic costs. Finally, modeling techniques for both idiosyncratic and systemic cyber risk are less advanced than they are for other insurable risks, and it appears that more work needs to be done to put these on a solid footing.
Although companies have become increasingly aware of the need to prevent cyber breaches, the concept of systemic cyber risk remains largely abstract. Some see cyber risk as simple operational risk— a cost component of doing business in an interconnected world— and do not factor systemic cyber risk into their risk calculus. Others float Armageddon-style scenarios about a massive cyber attack that would bring our modern financial and social system to its knees, though rarely in a way that is useful for risk management. In an attempt to increase the understanding of how cyber risk can potentially manifest, we present a systematization of potential cyber risk events, ranging from limited, idiosyncratic scenarios to widespread, systemic ones.
This paper aims to help strengthen the understanding and increase the awareness of systemic cyber risk among stakeholders in the financial system. First, we discuss the properties of cyber risk, including risk aggregation and the different dimensions of cyber risk. To make cyber risk less abstract, we outline various scenarios, ranging from firm-specific operational risks to upstream infrastructure disruptions and external shocks. Reading about possible scenarios can help policymakers develop a more comprehensive view of how cyber risk can manifest. Second, we outline a framework for assessing systemic cyber risk on the country level, based on cyber risk exposures, cybersecurity preparedness, and resilience to shocks.
Properties of Cyber Risk
Complexity and Risk Aggregation
Especially over the past fifteen years, the number of users and devices connected to the internet has skyrocketed. This trend has been driven predominantly by the widespread use of mobile phones throughout the world. According to Cisco, worldwide, the number of internet-connected devices increased from 500 million in 2003 to 12.5 billion in 2010, equivalent to an average increase of 35 percent a year.4 According to estimates, the number of Internet of Things (IoT) devices— electronic items that can connect to the internet or local networks, including smart TVs and refrigerators— increased from approximately 20 billion in 2017 to 31 billion in 2018.5 As with other technical devices and software, many of these IoT devices are assumed (or known) to have technological vulnerabilities that are often left unaddressed by both the manufacturers and the owners.
Software flaws expose users to cybersecurity risk. Many software problems only become known when products have been used by a sufficiently large network of people. With increasing software maturity (Figure 1, left chart), products typically become safer. But there are also economic incentives for software vendors to roll out products sooner than the competition, and to address security issues on the fly.6 Software vendors may decide to invest less in security so that their services can compete at lower prices.7 The use of third-party software or networks necessarily means being exposed to undiversifiable risk (that is, the portion of cyber risk that cannot be diversified away irrespective of individual cyber hygiene; Figure 1, right chart). No matter how careful network participants are (that is, how well they manage their idiosyncratic risk), the mere use of third-party software or the internet means exposure to undiversifiable risk.8 Information asymmetries and misaligned incentives can cause chronic underinvestment in cybersecurity, creating negative externalities that are borne by other network participants.
Hackers exploit security weaknesses and compromise vulnerable devices to conduct cyber attacks. Threat modeling can help overcome the lack of reliable cyber risk data. Information about the type of hacker responsible for a cyber attack helps narrow the range of relevant scenarios: motives and capabilities to perform attacks vary across different types of cyber threat actors (Table 1).9
• Criminals, hacktivists, and insiders range from unsophisticated to sophisticated. Whereas some criminal groups demonstrate a high degree of sophistication, a large cyber event that damages the financial sector does not align with their incentives to make money at minimum risk. One conceivable systemic scenario is where the volume of successful cyber crime events reaches such a high level that it disrupts consumer confidence in the financial sector. In effect, the cyber criminals would be like leeches that inadvertently kill their host.
• Proxy actors typically conduct offensive cyber operations on behalf of a beneficiary, who may be a competitor, national government, or group of individuals. Although proxy actors’ activities are mostly considered espionage, they also conduct other types of cyber attacks, including those that are logically and physically destructive.
• Nation-states engage in long-term espionage and offensive cyber operations that support geopolitical and strategic policy objectives. Many nations have increased their capabilities to conduct cyber attacks, including military-style, destructive cyber attacks. In 2018, the U.S. Intelligence Community identified more than thirty countries with military-grade destructive cyber attack capability.10
FIGURE 1 Security Maturity by Country (High and Upper Maturity as Percent of Total), 2014 and 2016, for US, BRA, GER, ITA, UK, AUS, CHI, JAP, and IND. SOURCE: CISCO (2017), Figure 67.
The financial sector and the economy in general could be potential targets in the event of war. The increasingly aggressive posture of nations’ militaries in cyberspace,11 a shift toward hybrid warfare12 or unrestricted warfare13 in the past two decades, and recent changes in the tone of military leaders14 highlight the fact that the economy and the financial sector in particular are increasingly considered potential targets. Attacks on a nation’s economy could involve the destruction, degradation, or disruption of either a specific company or set of companies (for example, important banks) or important functions, like transaction clearing and settlement.
Cyber risk has long been viewed mainly as an internal information technology (IT) security issue. Cyber risk was seen as an idiosyncratic operational risk of doing business through networks (for example, the internet) and of using software. Over time, this perspective has evolved to include operational risks linked to the firm’s immediate business partners, including counterparties and third parties. Internal risk management processes and controls have extended to cover firms and customers that are immediately related to the firm’s business. Indeed, the true aggregation of risks goes well beyond individual institutions (Figure 2). Risks stemming from upstream infrastructure (for example, electricity, telecommunications, financial market infrastructures) or technological externalities (for example, the entry of disruptive new technologies) are outside the control of individual firms. Despite the (typically expansive) contracting arrangements, it remains challenging to monitor cyber risk exposures even of close business partners. Risks can also arise from unanticipated external shocks, like natural disasters or armed conflict, that require government intervention.
TABLE 1 Threat Actors: Motives, Impact, and Relevance
Category | Actions | Real/Possible Impact | Frequency
Nation-states | Monitor other nations’ economies for espionage; conduct cyber attacks in rare cases. | Loss of trust once breach is discovered; disruption to the financial sector. | Espionage: common; destruction: very rare
Proxy organizations | Steal information for espionage; possibly conduct destructive attacks. | Loss of trust once breach is discovered; disruption to the financial sector. | Espionage: common; destruction: very rare
Cyber criminals | Steal money from financial sector entities, at times stealing large sums. | Affects organizations’ profits; loss of trust if breach is publicized but organization was silent. | Theft: very common
Hacktivists | Disrupt financial sector operations; attack the brand of individual institutions; release data on individuals/institutions. | Damaged reputation; loss of trust. | Moderately common
Insiders | Steal money; get revenge through destruction or data release. | Affects organizations’ profits; damaged reputation. | Moderately rare
Significant uncertainty surrounds the potential financial impact of cyber events. Whereas there are relatively well understood direct costs related to cyber incidents (including, for example, the cost of forensic investigation, legal assistance, customer notification, postbreach customer security, and credit protection), indirect costs are less visible, longer term, and more difficult to quantify ex-ante.15 These include negative effects on brand name and customer relationships (reputational risk), depreciation of intellectual property value, and higher ongoing operational expenses and risk costs. Globally, cyber losses have been estimated at $250 billion to $1 trillion a year.16
Systemic Risk
Cyber risk not only affects individual financial institutions but has an important systemic dimension. The World Economic Forum (WEF) defines systemic cyber risk as “the risk that a cyber event (attack(s) or other adverse event(s)) at an individual component of a critical infrastructure ecosystem will cause significant delay, denial, breakdown, disruption or loss, such that services are impacted not only in the originating component but consequences also cascade into related (logically and/or geographically) ecosystem components, resulting in significant adverse effects to public health or safety, economic security or national security.”17 Whereas cyber risk as an operational risk has been on risk managers’ radar screens for a while now, risk management in financial institutions has until recently concentrated on the individual firm, largely disregarding the systemic nature of cyber risk arising from the dependence on complex infrastructure or from disruptions of critical information systems. Cyber risk assessment at the level of individual institutions has grown, but this predominantly firm-level focus increasingly signals a relatively narrow view that often disregards, or inadequately includes, the systemic dimension of cyber risk to systems and networks.
FIGURE 2 Impact, Shock Transmission, and Control. Categories shown include internal information technology. SOURCES: Atlantic Council, Beyond Data Breaches: Global Interconnections of Cyber Risk, Zurich Insurance Group, Risk Nexus, April 2014; Kopp, Kaffenberger, and Wilson, “Cyber Risk, Market Failures, and Financial Stability,” International Monetary Fund Working Paper WP/17/185, 2017; and authors’ research.
Assessing systemic cyber risk is hampered by structural challenges. These arise from inexperience with large cyber events; uncertainty around how shocks would transmit; the lack of comprehensive and cohesive data about events; and uncertainties around long-term impacts of cyber breaches. Complex risk aggregation in the cyber domain has been particularly challenging for estimating the cost of past and future cyber events.18 Further, incentives are skewed toward the victim institution not revealing the scale or nature of cyber attacks.19
Systemic risk arises from risk concentration, risk correlation, and shock amplification. The Office of Financial Research refers to lack of substitutability, loss of confidence, and loss of data integrity as channels through which cybersecurity events can threaten financial stability.20 Columbia School of International and Public Affairs discusses “lack of financial substitutability, lack of IT substitutability, loss of…