CyberCube and Fitch Ratings have collaborated to analyse how systemic cyber risks, under various cyber threat scenarios, affect the US banking sector and what the financial losses may look like, using CyberCube’s proprietary cyber risk aggregation model.
For the purpose of this recent study, Fitch Ratings and CyberCube analysed the US banking sector, with a portfolio of approximately 4900 banks of different sizes with more than $1.1 trillion in total revenues.
Actionable insights for (re)insurers: The results of the Fitch analysis provide key insights into how financial institutions of distinct sizes approach risk transfer. For (re)insurers, the profile of financial institutions in a given portfolio may not align with the risk appetite and risk tolerance set out. As a result, adjustments to underwriting guidelines or other risk accumulation strategies may be necessary.
In terms of underlying exposure data, the US bank portfolio includes the individual bank name, size (large, medium, small and micro) and revenue as at year end 2020. In relation to information about the number of employees or number of records, these are usually not easily available at the individual entity in general. Given the importance of such information and the difference it can make from a modelling perspective, CyberCube used its proprietary Enterprise Intelligence Layer, a data lake that encompasses firmographic information for a large set of companies across multiple industries and territories, to augment the underlying data inputs. This augmented dataset formed the basis of the analysis detailed further below.
Before we start discussing the results and conclusions of the analysis, there are some aspects of CyberCube’s proprietary cyber risk aggregation model (Portfolio Manager) worth highlighting:
The report’s analysis shows that the average annual loss (AAL) is $213.3M for the US banking sector. When breaking down this AAL into the 5 biggest contributors, expressed in terms of cyber threat scenarios, these include large scale ransomware, large scale data loss, large scale data theft, mass revocation and long lasting outages type of events. According to Fitch Ratings, whilst this AAL is deemed to be manageable for the industry, there are extreme events in the tail that are multiples of the AAL.
When considering the industry composition, we observed that smaller banks, with an AAL of $18.2M, are more impacted by cyber events, on aggregate, in comparison to medium sized banks. This is driven by the fact small banks dominate the industry in terms of number of entities and share in the sector revenue. In contrast, there aren’t as many medium sized banks as there are small ones but the AAL of $15.2M for medium banks is not far behind the AAL of small banks. This is indicative of how severely medium sized banks are affected given the strong dependencies that these have on certain SPoFs across the top cyber threat scenarios.
When considering higher-rated banks, these generally tend to be larger and to have better cybersecurity defensive capabilities relative to the rest of the banking industry. From a cyber risk modelling perspective, these banks are the largest contributor to the AAL as well as by return period. The implication here is that the strong dependencies that exist between large banks and known technologies (SPoFs) result in significant losses despite the defensive measures in place. In other words, the significant estimated losses do not indicate whether large banks’ defensive measures are appropriate or not — it simply demonstrates how deeply known SPoFs are embedded within large banks infrastructure which increases their susceptibility to systemic cyber risks.
From the above, we understand that large scale ransomware, data loss, data theft and long lasting outages are the top risks for the sector and that depending on the dependencies to certain SPoFs, US banks, specifically large and medium, will generate greater losses relative to their number of entities in the industry. But what are the top loss types that US banks need to pay a closer attention to?
For example, we observed that for the largest cyber threat scenario (ransomware at a cloud-based file sharing provider), the most significant loss component is business interruption. This remains true for the other top threat scenarios aforementioned except for the large scale data theft on a leading email services provider, where financial fraud contributes the most to the overall loss.
Through our work with Fitch Ratings, not only have we identified what the top cyber threat scenarios are for the banking industry in the US but we have also formed a view on what the repercussions these threats may have on an individual bank and the risk mitigating actions US banks may take, such as increased security measures or cyber insurance purchase.
In doing so, we have analysed several banks across the size spectrum. This analysis showed that large banks tend to purchase higher limits for their cyber insurance covers than smaller banks. These high limits indicate that large banks prefer to mitigate their cyber risk exposure by limiting their tail risk and hence the purchase of cyber insurance policies that protect them from moderate (medium frequency and medium severity) to extreme events (low frequency and high severity). This generally aligns with large banks practices, i.e. these banks tend to retain more of the lower risks given the size of their capital and their investments in cyber risk mitigation measures. Conversely, smaller banks tend to expose their capital to low frequency but high severity events and use their cyber insurance to transfer the more frequent and less severe cyber events.
From an insurance perspective, the above implies that large banks purchase insurance with deductibles that are relatively high compared to smaller banks. With respect to the insurance limits, larger banks tend to purchase high limits in comparison to smaller banks, which are more interested in relatively moderate limits. This means that smaller banks will have to spend relatively more to transfer their risk compared to large banks. This analysis excludes other factors that may influence the cost of cyber insurance, e.g. historical performance of the bank and/or industry, the bank’s financial strength, etc.
To conclude, US banks can be heavily exposed to systemic cyber attacks which continue to be an increasing risk for the sector so banks in general must adapt to the evolving threat landscape. Those who are equipped with the right tools will be best placed to flag risks early on and make the right business decisions. Cyber risk analytics contribute to a clearer picture for banks in particular and all industries in general to make more informed, data driven and risk-based decisions.
Given the dynamic nature of cyber risk, defining the problems it poses for the insurance industry requires multiple disciplines to develop a framework to understand, analyse and quantify the risk. Created by its team of cybersecurity, data science and insurance experts, CyberCube’s solutions deliver a forward looking view with up-to-date and reliable data and analytics that can assess the future cyber threat landscape and help the insurance industry quantify their aggregate cyber risk. When the problem is defined appropriately, cyber risk modeling enables the industry to make long-term decisions with confidence.
Read the full report and its findings here (Fitch subscription required) — Quantifying U.S. Bank Systemic Cybersecurity Risk.