Top Banner
1 Quantifying e-Commerce Risk David Fishbaum, FSA Chuck McClenahan, FCAS MMC ENTERPRISE RISK CAS Seminar on Ratemaking - March, 2001
57
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Ecommerce(2)

1

Quantifying e-Commerce Risk

David Fishbaum, FSAChuck McClenahan, FCAS

MMC ENTERPRISE RISK

CAS Seminar on Ratemaking - March, 2001

Page 2: Ecommerce(2)

2

The Problem

You’re the risk manager of a financial institution with a new web site

Your insurance broker has provided you a quote for new e-commerce risk insurance coverage: $350,000 - $450,000 with low limits

Your not exactly sure what the risks of the web site are

What to do?

Page 3: Ecommerce(2)

3

Background

The financial institution provides community banks with a product portfolio of ancillary products such as:

investments (mutual funds and stock trading) insurance other banking services

You provide web sites for these community banks for investments, insurance and lending

Page 4: Ecommerce(2)

4

What are the risks?

Failure of the web site problems with the surroundings, power failure,

fire or flooding failure of the hardware failure of the software attack through virus or computer hacker

Page 5: Ecommerce(2)

5

Resultant damages are also varied

Delay in performing a service Loss of brand value due to unreliability of

service or transmission of computer virus loss of value through failure to deliver

for example, an uncompleted stock trade

Page 6: Ecommerce(2)

6

Background: E-commerce insurance coverage

There is an intensive application the problem is that you can’t figure out how

complex or risky a web site you are running A system audit is part of the insurance

coverage there is a bias to find fault

Page 7: Ecommerce(2)

7

How do you insure the high P/E ratio

Its 1999 and the price/earnings ratio of the e-commerce function seems to have broken down

The unspoken issue is how do you insure the value lost if something happens to the web site?

Not sure this is an issue today

Page 8: Ecommerce(2)

8

Why bring in Actuaries?

Looking for someone to quantify the risk We brought a multidisciplinary team of

actuaries, economists and policy expert The actuaries provided the quantification

and modeling skill sets

Page 9: Ecommerce(2)

9

Methodology

Model the web site Stochastic testing Scenario testing

Page 10: Ecommerce(2)

10

Model

MMC ER developed a computer program to model the economic performance of the e-commerce infrastructure

Used company’s performance statistics Used a Monte Carlo simulation to produce

expected revenue and branding values Based on this quantification, valued the

potential losses of a series of scenarios

Page 11: Ecommerce(2)

11

Application Server/Firewall/Proxy Layer

ISP Provider

Application Host - I Application Host - III

In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage, data base performance etc were considered.

Application Host - II

Flow of Information and quantification of failure probabilities

User's Browser

Page 12: Ecommerce(2)

12

Assumptions

Visits per week Usage over the week Revenue Customer value Application acceptance Downtime

Page 13: Ecommerce(2)

13

Results-Base Case2000 2001 2002

# of participating banks

Internet applications

Application feesInsurance underwriting

TOTAL

New loans to banksPresent value of income onnew loans

Page 14: Ecommerce(2)

14

The Scenarios

Denial of service Physical damage to hardware location New virus brings down complete system Malicious employee Threats/extortion Theft of credit card numbers

Page 15: Ecommerce(2)

15

The Scenarios

Attack causes a degradation of performance or loss of service to web site

Not covered under current coverage Modeling assumption: site down for 3

hours Income loss/Customer value loss

Denial of service

Page 16: Ecommerce(2)

16

The Scenarios

Location of where hardware is kept is disabled

Covered under current insurance Modeling assumption: site down for 10

days Income loss/Customer value loss Client bank’s lost revenue

Physical damage to hardware location

Page 17: Ecommerce(2)

17

The Scenarios

Not covered under current coverage Model assumption: system down for 2

days Income loss/Customer loss

New virus brings down complete system

Page 18: Ecommerce(2)

18

The Scenarios

Destruction of important data or programs Cost of recovery process covered under

current coverage Not modeled Theft of policyholder info or other

intangible property Not covered under current coverage

Malicious Employee

Page 19: Ecommerce(2)

19

The Scenarios

Threat to commit a computer crime or to use information gained from a computer crime in exchange for money, personal gain or to embarrass the company

Would be covered under current kidnap and ransom policies

Threats/extortion

Page 20: Ecommerce(2)

20

The Scenarios

CD universe and Salesgate (e-mall) No credit card numbers are stored

Theft of credit card numbers

Page 21: Ecommerce(2)

21

Results of analysis

Biggest risk business interruption

Third party loss is minimal at this time though in time the Internet will affect its client relationship

Page 22: Ecommerce(2)

22

Conclusions

Better quantification of risks Better able to make a purchase

decision Other risk management decisions What isn’t at risk is also important

Page 23: Ecommerce(2)

23

Postscript

The website is still in operation Strategy has been proven successful

Page 24: Ecommerce(2)

24

e-Commerce Risk

Bruce Schneier - Secrets and Lies (Wiley Computer Publishing, 2000)

“The insurance industry does this kind of thing all the time; it’s how they calculate premiums. They figure out the annual loss expectancy for a given risk, tack on some extra for their operational costs plus some profit and use the result”

Page 25: Ecommerce(2)

25

e-Commerce Risk

Bruce Schneier - Secrets and Lies (Wiley Computer Publishing, 2000)

“Of course there’s going to be a lot of guesswork in any of these; the particular risks we’re talking about are just too new and too poorly understood to be better quantized (sic).”

Page 26: Ecommerce(2)

26

e-Commerce Risk

Pricing e-Commerce Risk Determine Strategy Identify the Risks Collect Available Data Develop Model Price According to Strategy

Page 27: Ecommerce(2)

27

e-Commerce Risk

Determine Strategy “Guess and Confess” Loss Leader Self-Supporting Franklin Approach

Page 28: Ecommerce(2)

28

e-Commerce Risk

Determine Strategy - “Guess and Confess”

Insurer uses best available judgment (usually discovered deep in the bowels of the marketing department) as to the proper rate

Alternatively, rely on advice of career agents

Page 29: Ecommerce(2)

29

e-Commerce Risk

Determine Strategy - Loss Leader

Aptly named, this strategy is based upon the assumption that the best way to develop experience and expertise is to write a lot of exposure

Page 30: Ecommerce(2)

30

e-Commerce Risk

Determine Strategy - Self-Supporting

Goal is to cover losses and expenses, including start-up expenses, over some reasonable period of time. This is a radical strategy and has rarely been adopted in the property-casualty industry.

Page 31: Ecommerce(2)

31

e-Commerce Risk

Determine Strategy - Franklin Approach

Focuses on loss avoidance Underwrites against “undesirable” hazards, e.g.

large user base large asset base high public profile

Page 32: Ecommerce(2)

32

e-Commerce Risk

Identify the Risks

We have a good track record here Medical Malpractice Computer Leasing Asbestos and Environmental

Page 33: Ecommerce(2)

33

e-Commerce Risk

How many do you recognize? Daemon Data mining Digital wallet Extranet Luhn formula Smart card Thin client

Page 34: Ecommerce(2)

34

e-Commerce Risk

How many do you recognize? Daemon - a structured background

process

Page 35: Ecommerce(2)

35

e-Commerce Risk

How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data

patterns

Page 36: Ecommerce(2)

36

e-Commerce Risk

How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data

patterns Digital wallet - encryption software, user

ID

Page 37: Ecommerce(2)

37

e-Commerce Risk

How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data

patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available

intranet

Page 38: Ecommerce(2)

38

e-Commerce Risk

How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data

patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available

intranet Luhn formula - credit card verifying

algorithm

Page 39: Ecommerce(2)

39

e-Commerce Risk

Luhn formula

(1) Start with penultimate digit and, moving left, double the value of each alternating digit. If you get a two digit number, add the two digits.

(2) Add up all digits. Result must be zero mod 10

Page 40: Ecommerce(2)

40

e-Commerce Risk

Luhn formula

1234 567890 12347 1438 537790 14387 1+4+3+8+5+3+7+7+9+0+1+4+3+8+7

=70

Page 41: Ecommerce(2)

41

e-Commerce Risk

How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm Smart card - personal electronic memory card

Page 42: Ecommerce(2)

42

e-Commerce Risk

How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm Smart card - personal electronic memory card Thin client - network computer w/o hard drive

Page 43: Ecommerce(2)

43

e-Commerce Risk

Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company

“The court finds that ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry, but includes loss of access, loss of use and loss of functionality.”

Page 44: Ecommerce(2)

44

e-Commerce Risk

Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company

“Restricting the policy’s language to that proposed by American [i.e.that contained in the policy] would be archaic.”

Page 45: Ecommerce(2)

45

e-Commerce Risk

TD Waterhouse fined $225,000 for repeated outages which left customers unable to trade

11 online brokers reported 88 outages for 1st 9 months 1999 (12th firm reported so many outages it didn’t keep track).

Page 46: Ecommerce(2)

46

e-Commerce Risk

Collect Available Data

Exposure base not well-defined Economic costs of losses not disclosed Industry is young and evolving Threat base is also evolving

Page 47: Ecommerce(2)

47

e-Commerce Risk

Collect Available Data

Remember, “Lloyd’s List” was started in 1696 but it wasn’t until 75 years later that the Society of Lloyd’s was formed

Page 48: Ecommerce(2)

48

e-Commerce Risk

Develop Model

Identify major processes Identify major threats Relate threats to processes Determine (or guess at) parameters

Page 49: Ecommerce(2)

49

e-Commerce Risk

Example - Distributed Denial of Service (DDoS)

Page 50: Ecommerce(2)

50

e-Commerce Risk

“Attack of the Zombies” - February,2000 Monday, February 7

- Yahoo! portal rendered inaccessible for 3 hours Tuesday, February 8

- Buy.com 90% inaccessible- eBay incapacitated- CNN 95% inaccessible - Amazon.com slowed to 5 minute access time

Wednesday, February 9

- ZDNet.com unreachable- E*Trade slowed “to a crawl”- Excite 60% inaccessible

Page 51: Ecommerce(2)

51

e-Commerce Risk

How DDoS Works Goal is to render system inoperable One attacker controls multiple servers

Method: Break into numerous sites, install “attack script” and orchestrate coordinated attack

Page 52: Ecommerce(2)

52

e-Commerce Risk

USER PCs

HACKER

UNWITTINGHOST

“ZOMBIE”

OTHERNETWORK

COMPUTERS

VICTIM’SSERVER

Page 53: Ecommerce(2)

53

Hypothetical DDoS Costs

$0

$5,000,000

$10,000,000

$15,000,000

$20,000,000

$25,000,000

1 61 121 181 241 301 361 421 481 541

Minutes of Outage

Market Cap Loss

Security Costs

Revenue Loss

Page 54: Ecommerce(2)

54

Hypothetical Cumulative DDoS Frequency

0.0%

20.0%

40.0%

60.0%

80.0%

100.0%

0 60 120 180 240 300 360 420 480 540 600

Minutes of Outage

Page 55: Ecommerce(2)

55

e-Commerce Risk

Price According to Strategy Frequency will vary with

Popularity

Profile

Potential

Page 56: Ecommerce(2)

56

e-Commerce Risk

Price According to Strategy Severity will vary

eToys v. E*Trade

Page 57: Ecommerce(2)

57

e-Commerce Risk

“You gotta be careful if you don’t know where you’re going ‘cause you might not get there.”

- Yogi Berra