Cyber Risk Losses
Cyber Risk and information security costs are a significant source of operational risk losses reported by financial institutions. Cyber risk losses include:
- internal costs of investigating, communicating, remediating the compromised data and information security infrastructure;
- customer restitution costs and compensation payments which can include covering the cost of providing new identity documents, payment for any incurred losses (through fraud resulting from the lost information);
- legal costs, representing the costs of legal actions and resulting claims.
Cyber risk reporting by ORX has a median severity of 0.73% of gross income (in 2022) with a frequency of 1 event per subscriber in 40 years. The median loss severity is the largest of all material losses identified by ORX in 2022, although the median frequency of the losses is somewhat lower than for other material losses. These figures reflect the frequency and losses reported to ORX by member institutions above the reporting threshold (€20,000).
Cyber risk modelling distinguishes between the frequency and the severity of risk events.
- Frequency is the number of events per annum
- Severity is the loss per event
The following analysis applies a quantification of cyber risk for financial institutions derived from an IMF working paper. The working paper looked at the risk for the global financial system as a whole; this calculator applies that risk to a single institution.
In the study:
- the loss frequency, the number of times per year that a loss event is likely to occur for a given institution; the IMF estimated this at between 990 and 2746 loss events per year across all 20,000 global financial institutions;
- the loss severity, the potential monetary loss amount, including direct losses, fines, rectification and resolution overheads, the IMF estimated this as averaging US$66m per event, with a median of only US$5m and a high of US$4b also per event.
The following analysis uses the following information sources:
- ORX (Operational Riskdata eXchange Association): ORX Scenarios: Insights into Material Risks 2022 Public Report
- IMF (International Monetary Fund): Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment
Required functions
The following section provides the code for some of the required functions to perform the final simulation.
The density of the Poisson distribution is given by:
Probability Mass Function: Poisson Distribution
Generalised Pareto Distribution Functions
These functions apply the Generalised Pareto Distribution. Provided are functions to calculate the density and inverse cumulative distribution. A random number generator is also provided.
The density of the Generalised Pareto Distribution is given by:
The density is defined for all x > 0. μ and σ are normalising coefficients, where μ is the minimum value, such that:
Example application of the GPD random number generator; the occasional outlier value should be evident even with a sample of 10.
The 90th percentile of the IMF loss severity GPD distribution is
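The GPD functions described in this section (density, cumulative distribution, inverse cumulative distribution and an inverse-transform random number generator) as an added example, not code from the original page. The shape, scale and minimum values in the `__main__` block are assumed illustrative numbers, not the IMF paper's fitted parameters.

```python
import math
import random


def gpd_pdf(x: float, xi: float, sigma: float, mu: float = 0.0) -> float:
    """Density of the Generalised Pareto Distribution; zero below the minimum mu."""
    z = (x - mu) / sigma
    if z < 0 or (xi < 0 and z > -1.0 / xi):  # outside the support
        return 0.0
    if abs(xi) < 1e-12:                       # xi -> 0 limit is the exponential density
        return math.exp(-z) / sigma
    return (1.0 + xi * z) ** (-1.0 / xi - 1.0) / sigma


def gpd_cdf(x: float, xi: float, sigma: float, mu: float = 0.0) -> float:
    """Probability that a loss is at most x."""
    z = (x - mu) / sigma
    if z <= 0:
        return 0.0
    if abs(xi) < 1e-12:
        return 1.0 - math.exp(-z)
    if xi < 0 and z >= -1.0 / xi:
        return 1.0
    return 1.0 - (1.0 + xi * z) ** (-1.0 / xi)


def gpd_quantile(p: float, xi: float, sigma: float, mu: float = 0.0) -> float:
    """Inverse CDF: the loss level exceeded with probability 1 - p."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    if abs(xi) < 1e-12:
        return mu - sigma * math.log(1.0 - p)
    return mu + sigma / xi * ((1.0 - p) ** (-xi) - 1.0)


def gpd_sample(n: int, xi: float, sigma: float, mu: float = 0.0, seed: int = 0) -> list:
    """Inverse-transform sampling: push uniform draws through the quantile function."""
    rng = random.Random(seed)
    return [gpd_quantile(rng.random(), xi, sigma, mu) for _ in range(n)]


if __name__ == "__main__":
    # Assumed illustrative parameters in US$ millions (not the IMF paper's values).
    XI, SIGMA, MU = 0.8, 10.0, 0.02     # xi > 0.5 gives a tail with infinite variance
    print("sample of 10:", [round(v, 2) for v in gpd_sample(10, XI, SIGMA, MU)])
    print("90th percentile:", round(gpd_quantile(0.90, XI, SIGMA, MU), 2))
```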
EVT joint lognormal and GPD distribution
The joint distribution is lognormal in the body of the distribution and GPD is the upper tail of the distribution.
LognormGPD distribution test
The following calculates a large sample from the severity distribution, as determined by the IMF paper.
Cyber Risk Event Frequency
The IMF paper reports an expected loss frequency of cyber attack events per year for all financial institutions globally of 990. A contagion scenario is also considered, in which there is a 20 percent probability that each attack impacts several firms at once. This leads to the scaling of the frequency of attacks by 25 percent and a resulting event frequency of 1238:
To consider the impact for one bank in Australia, using the data reported in the paper:
- there were 341 attacks reported in the public database over 2009-2017, see page 7;
- Australia had between 5 and 10 (assumed 7.5) of those attacks, see page 7;
- there are approximately 100 significant financial institutions (domestic ADIs regulated by APRA).
That is, a single Australian institution represents 0.02% of the total risk facing the global banking industry, which is equivalent to an annual cyber attack frequency of 0.22, or 1 in 5 years. This translates into an 80% chance of no attack in a year, a 17% chance of 1 attack and a 1.9% chance of 2 attacks:
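The Poisson probability mass function named in the required functions section and the scaling of the global frequency down to one Australian institution, carried through in code. This is an added example rather than the page's own code; it uses only the figures quoted on this page (990 global events per year, 7.5 of 341 attacks, about 100 institutions).

```python
import math


def poisson_pmf(k: int, lam: float) -> float:
    """P(N = k) for N ~ Poisson(lam); lam is the shape parameter and also the mean."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def institution_rate(global_rate: float, country_share: float, institutions: int) -> float:
    """Scale a global annual event rate to one institution in a country."""
    return global_rate * country_share / institutions


def return_period_years(lam: float) -> float:
    """Mean years between events for a Poisson rate lam (1 in N years)."""
    return 1.0 / lam


# Page figures: 990 events/yr globally, 7.5 of 341 attacks Australian, ~100 ADIs.
LAMBDA_AU = institution_rate(990, 7.5 / 341, 100)   # about 0.22 events per year

if __name__ == "__main__":
    print(f"lambda = {LAMBDA_AU:.3f} events/yr, i.e. 1 in {return_period_years(LAMBDA_AU):.1f} years")
    for k in range(4):
        print(f"P({k} attacks in a year) = {poisson_pmf(k, LAMBDA_AU):.2%}")
```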
Select the expected event frequency. Data shows recent event frequency has ranged between 1 event every 10 years (0.1) and 1 event every 5 years (0.2). But event frequency is increasing, and some organisations seem to be more vulnerable to cyber risk events than others. Event frequency is represented by a Poisson distribution, which measures the number of events over a period of time (in this case per annum). λ represents the shape parameter of the distribution and is also the mean/average.
Event Frequency is at least 1 event every
Cyber Risk Event Severity
Average losses are around US$66 million in the dataset, while the median loss is only US$4.7 million. There have been losses as high as US$4010 million (an outlier, but retained in the dataset as it reflected an attack on common infrastructure which affected 30 Brazilian banks in 2014).
Event severity is the potential loss per event.
Cumulative Loss per Annum
The chart shows the total losses per annum, combining the selected frequency and severity.
VaR from cyber risk simulation
The loss at a particular confidence level, taken from the simulation.
Expected shortfall from cyber risk simulation
The average loss greater than the VaR.
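The lognormal/GPD spliced severity distribution, the Poisson frequency, the cumulative annual loss simulation and the VaR and expected shortfall statistics described above, combined into one added example (not the page's own code). The lognormal, threshold and GPD parameters are assumed illustrative values in US$ millions, not the IMF paper's fitted ones; only the 0.22 events per year comes from this page.

```python
import math
import random
from statistics import NormalDist

# Assumed illustrative parameters in US$ millions; not the IMF paper's fitted values.
LAMBDA = 0.22                  # events per year for one institution, as derived on this page
LN_MU, LN_SIGMA = math.log(5.0), 1.5   # lognormal body with a median loss of US$5m
THRESHOLD = 50.0               # splice point: lognormal below, GPD tail above
GPD_XI, GPD_SIGMA = 0.7, 40.0  # GPD shape and scale of the tail above the threshold

_body = NormalDist(LN_MU, LN_SIGMA)
W_BODY = _body.cdf(math.log(THRESHOLD))   # probability mass carried by the body

def severity_from_uniform(u: float) -> float:
    """Inverse-transform draw from the spliced lognormal/GPD severity distribution."""
    u = min(max(u, 1e-12), 1.0 - 1e-12)     # keep both quantile functions finite
    if u < W_BODY:
        return math.exp(_body.inv_cdf(u))   # lognormal quantile; always below THRESHOLD
    p = (u - W_BODY) / (1.0 - W_BODY)       # rescale the tail mass onto the GPD's [0, 1)
    return THRESHOLD + GPD_SIGMA / GPD_XI * ((1.0 - p) ** (-GPD_XI) - 1.0)

def poisson_count(lam: float, rng: random.Random) -> int:
    """Number of events in one year (Knuth's method; adequate for small rates)."""
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k

def annual_losses(years: int, lam: float = LAMBDA, seed: int = 1) -> list:
    """Simulate the cumulative loss per annum: a Poisson number of severity draws."""
    rng = random.Random(seed)
    return [sum(severity_from_uniform(rng.random()) for _ in range(poisson_count(lam, rng)))
            for _ in range(years)]

def var_es(losses: list, confidence: float) -> tuple:
    """VaR = loss at the confidence quantile; ES = mean of the losses above the VaR."""
    ordered = sorted(losses)
    idx = min(int(confidence * len(ordered)), len(ordered) - 1)
    tail = ordered[idx + 1:] or [ordered[idx]]
    return ordered[idx], sum(tail) / len(tail)

if __name__ == "__main__":
    losses = annual_losses(100_000)
    for c in (0.95, 0.99, 0.999):
        var, es = var_es(losses, c)
        print(f"{c:.1%} confidence: VaR US${var:,.1f}m, ES US${es:,.1f}m")
```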