Opinion: Regulators Should be More Prescriptive About the Quantification of Cyber Risks

This guest post on cyber risks was written by Mete Feridun*

Although operational risk capital requirements drive a substantial proportion of banks’ capital requirements, quantification of cyber incidents still represents a relative “backwater” of the ever-evolving global regulatory framework. Surprisingly, the new “Basel IV” operational risk framework does not include any specific reference to cyber risks.

While regulators expect firms to integrate cyber risk management into their enterprise-wide risk management frameworks and reflect this in their risk appetites, there are no clear rules as to how cyber risks should be quantified. In the absence of an accepted standard set of indicators, or “cybermetrics”, which can be used to benchmark firms’ cyber resilience, the global regulatory landscape remains fragmented.

Given the increase in the frequency, severity, and sophistication of cyber incidents in recent years, a limited number of regulatory and supervisory initiatives have been established to quantify cyber risks. Noteworthy initiatives include the Basel Committee on Banking Supervision’s (‘Basel Committee’) report on cyber resilience, the G7’s Fundamental Elements of Cybersecurity for the Financial Sector, and the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions’ (CPMI-IOSCO) Guidance on cyber resilience for financial market infrastructures.

Despite these efforts, regulators have by and large failed to address the lack of prescriptive measurements for cyber risk. Instead, their attention has predominantly focused on cyber resilience. The Operational Resilience Working Group, a sub-committee established by the Basel Committee, has spent more time looking at the identification of cyber resilience practices across jurisdictions rather than formulating how to quantify cyber risks.

While the existing regulatory initiatives have been useful in terms of raising awareness of cyber risks – such as providing insight into different practices in the industry and highlighting the increasing regulatory and supervisory focus on strengthening cyber resilience across different jurisdictions – they have yielded no reliable and standardized quantitative metrics or indicators comparable to those available for other risks.

The absence of regulatory guidelines makes it challenging for firms to articulate and demonstrate their cyber resilience to supervisors. It also creates difficulties in quantifying the magnitude of their cyber risk exposure, which is required to determine how much capital to allocate for potential losses from cyber incidents.

Cyber risks are generally thought to include: malware, exploits, social engineering, identity fraud, and information access. However, the metrics and indicators used to quantify cybersecurity and resilience differ widely across jurisdictions. In some jurisdictions, regulators have introduced methodologies to assess or benchmark regulated institutions’ cybersecurity and resilience, but these generally consist of reported incidents, surveys, penetration tests, and on-site inspections – which do not help firms calculate the amount of economic or regulatory capital they should hold to account for cyber risks.

Although operational risk-weighted assets constitute one of the three components of the denominator in risk-based capital ratios, the existing Basel operational risk framework remains weak in terms of accurately reflecting cyber risks. It can even be argued that the new Basel IV operational risk framework creates a disincentive for firms to strengthen their operational risk management by incorporating cyber risks. Basel IV introduces a standardized operational risk approach, which is much simpler and less risk-sensitive than the current advanced measurement approach.

Estimating how much capital to set aside for all types of operational risk is a significant challenge. This is partially because using backward-looking indicators to predict future performance is only useful in scenarios where a firm’s operations and risk environment are fairly stable over time. Cyber incidents, on the other hand, are largely dynamic, external incidents with low frequency but high impact (i.e. the loss distribution is unusually fat-tailed).

While this challenge applies to all operational risk types, it is especially acute for cyber risk given the paucity of statistical data on cyber incidents, particularly in the absence of common reporting and disclosure standards to record them. So far, most regulators have failed to address such data gaps by providing a standardized, regulatory reporting framework for firms to record cyber incidents.

Under the current Basel capital framework, the onus is on firms to determine the level of additional capital they need to cover operational risks, including cyber risks. However, despite convergence in regulatory and supervisory expectations across different jurisdictions, the technical specifications and supervisory practices on how to quantify cyber risks differ widely.

In most jurisdictions, firms are generally expected to capture cyber risks using scenario analyses under their Pillar 2 operational risk assessments, as the current Basel Pillar 1 Standardized Approach and Alternative Standardized Approach for operational risk use gross income as a measure of risk, which is a non-risk sensitive crude measure of operational exposures. The Basic Indicator Approach for calculating Pillar 1 operational risk capital is not useful in terms of reflecting the nature and scale of potential cyber risk losses either.

In the UK, the Prudential Regulatory Authority (PRA) applies different methodologies to inform the setting of a firm’s Pillar 2A capital requirement add-on for operational risk based on its size and complexity, as well as the sophistication of its internal operational risk management. But the loss estimates it uses in calculating firms’ non-conduct risks hardly deliver better outcomes than relying on the non-risk sensitive standardized Pillar 1 approaches. Consequently, the regulator also uses supervisory judgement to determine the operational risk – taking into account the firm’s scenario analysis process and the robustness of the firm’s operational risk management and measurement framework – as well as peer group comparisons.

For tech-led firms, the PRA places more emphasis on the firms’ Pillar 2B capital, i.e. the PRA buffer, which is an amount of additional capital that firms should hold to cover potential losses that may arise under a severe stress scenario. This generally includes a stylized, firm-specific scenario which takes into account factors including the extent of the breach, number of customers affected, type of cyberattack, time to respond, customer compensation, fines, and remediation costs. But a key practical challenge remains capturing intangible impacts of cyber incidents such as reputational damage, loss of stakeholder confidence, and increased supervisory scrutiny.

Regulators have yet to introduce guidelines that can inform firms’ risk management and capital assessment practices with respect to cyber risks. Having finalized the new standardized operational risk approach under Basel IV, they should now divert their attention to the quantification of cyber risks.

However, a critical first step firms should consider prior to these activities is establishing a formal definition for cyber risk incidents. Once the nature of the risk is defined, firms can create a standard set of indicators and develop a formal regulatory reporting framework to report such incidents. Only then will accurate and useful data be available for firms to rely on to calculate their economic and regulatory capital for cyber risks.

* The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official views and opinions of PwC.

This post was originally published by the Duke Law Global Financial Markets Center’s FinReg Blog. We are grateful to both Mete Feridun and Duke Law for granting us permission to re-publish this article as the first post in our Cyber Series, which will be running throughout European Cyber Security Month.
