Industry to take up Fed’s white paper on cyber risk

The financial sector will get a chance to rake over a white paper by Federal Reserve researchers that attempts to define and measure cyber risk at an industry workshop in Charlotte, North Carolina, next week.

The meeting, slated for November 20, aims to bring uniformity to gauging cyber risk, a category that encompasses the threat of hackers from far-flung corners of the planet, thieving in-house employees, defects in software, as well as innocent screw-ups by staff. The meeting is sponsored by the Federal Reserve Bank of Richmond, where four of the proposal’s five authors work.

The white paper, which appeared in August, treats cyber as a form of operational risk – not all banks do – and has the twin objectives of creating a common language for cyber losses and putting together a record of incidents that can be shared by the whole industry.

The paper classified cyber risk five ways: by cause, consequences, whether internal or external parties were involved, whether it was intentional or not, and by the Basel Committee on Banking Supervision’s cyber event categories.

The causes refer to the method of attack: denial of service, phishing, malware, man-in-the-middle attacks, stolen passwords and zero-day attacks, among others. Consequences include business disruptions, system failures, breaches and theft.

Notably, the white paper called for cyber incidents to be mapped to one of the seven event types in Basel’s op risk taxonomy – this is seen as a prerequisite to coming up with a common way of measuring the fallout of cyber events. Some banks treat cyber as a subcategory of fraud, for instance, while others treat it as a distinct category. Greater harmony would go a long way to promoting comparability and data sharing among banks.

“There is a great deal of divergence in the industry on whether cyber should be a self-contained category,” says Evan Sekeris, a partner in the financial services practice at Oliver Wyman, and a former assistant vice-president at the Richmond Fed.

“The paper makes clear that cyber is a form of operational risk,” he continues. “You don’t need a separate cyber taxonomy. If everybody uses the same taxonomy, you can start comparing data and having a dialogue.”

Getting a grip on cyber

The paper’s authors hope to provide a template for collecting and reporting data on cyber losses using some 20 fields, among them date of discovery, loss and recovery amounts and business line. Only incidents resulting in losses would need to be reported; near-misses and forgone revenues from cyber failures would be excluded.

Cyber risk experts praised the white paper as a needed step towards getting a grip on cyber, the top operational risk at banks.

“Nomenclature is the Achilles heel for the cyber risk profession,” says Jack Jones, creator of the Factor Analysis of Information Risk methodology, a widely used system for measuring the impact of cyber risk. The white paper “represents an important step for financial services risk management around cyber”, adds Jones.

Cyber breaches, fraud and disruption to business resulted in $935 million in losses in the financial sector in 2018, according to ORX News. But that number is just publicly reported losses – most firms are averse to broadcasting their mishaps, preferring to keep quiet – or, as the Fed’s paper notes, to chalk them up as something else.

Back in March, an initial workshop at the Richmond Fed highlighted the lack of agreement among banks on what constitutes cyber risk, and how to tie it into existing op risk taxonomies. The white paper’s authors aim to finalise a system for classifying cyber risk by the end of this year, to be followed in 2020 by developing a system for measuring financial losses.

The paper’s authors – a team of two economists, two quants and an analyst – emphasised that the views expressed are their own and do not represent official Fed policy. They also nodded to private efforts to define and measure cyber losses, and stressed that their white paper is intended to supplement, not replace those ideas.

Complex problem, complex solution

Whether the paper is adopted in its current form is an open question. Banks would need to make substantial changes to their existing frameworks for defining and measuring cyber risk, and may be reluctant to do so. They may also balk at its complexity. With its five ways of classifying cyber risk, it may prove unwieldy in practice, especially for smaller firms.

But industry experts say that shouldn’t deter the Fed – cyber risk is notoriously convoluted to begin with.

“Operational risk events have become so complex that one-dimensional taxonomies are not very useful,” says Sekeris. “Some might feel that it’s overly complex, but complex problems require complex solutions.”

Most firms have used variants of the Basel taxonomy as a starting point for their own taxonomies, which may include cyber risk. ORX, the industry consortium, is developing its own op risk taxonomy, and has a separate project for sharing of cyber loss information, best practices and taxonomies.

“The Fed’s work is one of several complementary initiatives to ORX’s own cyber risk programme,” says Luke Carrivick, head of analytics and research at ORX. “We welcome the overall message of sharing information for cyber risk management. This is exactly what our member institutions have been asking for.”

Industry experts view the Fed and ORX efforts as trying to bring a semblance of order to the current conflating of cyber and operational risk.

“I was pleased to see that the paper regards cyber as a form of operational risk. The various operational risk silos hinder the development of a holistic understanding of operational risk in many firms,” says Andrew Sheen, an op risk consultant and former manager at the UK’s Financial Conduct Authority.