P2.T9.900. Cyber Risk, Market Failures, and Financial Stability (Part 1 of 2)

Nicole Seaman

Director of FRM Operations
Learning objectives: Evaluate the private market’s ability to provide the socially optimal level of cybersecurity. Describe how systemic cyber risk interacts with financial stability risk.


900.1. According to Kopp, Kaffenberger and Wilson (who are the authors of Cyber Risk, Market Failures, and Financial Stability), "Increased digitalization brings efficiency gains for financial institutions and fosters financial inclusion but it also creates a range of new and partially understood risks that evolve quickly and take multiple forms. One of the key risks is cyber-attacks against financial institutions. These are becoming more common and considerably more sophisticated." Further, a vexing feature of cyber risk is its diversity among geographies and industries: cyber event (i.e., incident and breach) patterns differ greatly across industries and over time; for example, web application attacks (in contrast to other patterns such as cyber espionage or stolen assets) surged to over 80% of the breach patterns experienced by the financial industry in 2015.

According to the authors, each of the following statements is TRUE about cyber risk EXCEPT which is false?

a. Cyber risk is a textbook example of a systemic risk, and the main sources of systemic cyber risk are exposures to access vulnerabilities, risk concentration, risk correlation and contagion
b. A key function of a proxy organization is to provide an incentive for target organizations to reveal and report the scale and nature of cyber-attacks to which they are exposed so that comprehensive and coherent databases are maintained
c. Incidents are security events that compromise the integrity, confidentiality or availability of an information asset. Breaches are incidents that result in the confirmed disclosure (not just potential exposure) of data to an unauthorized party
d. The true aggregation of risks related to cyberspace extends far beyond the internal monitoring and risk management capacities of an individual organization: the individual organization's "loss of local control" extends to upstream infrastructure, technological externalities, and ultimately external shocks

900.2. Peter is the Chief Risk Officer (CRO) of a bank that yesterday experienced a cyber breach affecting a material percentage of the bank's customers. The Chief Executive Officer (CEO), Barbara, asks Peter to prepare a report of the true, total potential cost of the breach. She instructs him to include "the cost of forensic investigation, legal assistance, customer notification, post-breach customer security and credit protection, and post-event measures to strengthen cybersecurity." Further, because she needs the report in time for next week's Board meeting, she suggests that he employ generally accepted accounting principles (GAAP) with respect to his cost estimation, and supplement any information gaps with a reputable third-party vendor's database of historical incident/breach data. She notes that this vendor's incident database is large and extends back over a decade.

Peter responds that it will be difficult to honor Barbara's request for the following three reasons:

I. There is currently no generally accepted cost estimate framework for reporting the impact of cyber events
II. Her instructions include only the direct costs; however the indirect costs are typically a greater fraction of a cyber event's total cost
III. The true cost is likely to manifest over several years and, further, the vendor's historical incident/breach database may be a poor predictor of potential losses

According to Kopp et al., which of Peter's reasons is valid?

a. None of his reasons are valid
b. Only I. is valid
c. Only III. is valid
d. All three reasons are valid

900.3. According to Kopp et al., the private market can fail to provide a socially optimal level of cybersecurity. Interestingly, "it is still under debate which approach works best in preventing the market from failing: ex-ante regulation and ex-post liability. Ex-ante regulation aims at preventing security risks to materialize, and can take the form of rules (laws) or guidance (compliance). While guidance is more adaptive when technologies or risks change rapidly, laws are more specific and easier to enforce. With ex-post liability, responsibility is assigned to a certain party. It is implicitly assumed that legal threats motivate the liable party to take security seriously, and invest accordingly. Critiques say that, with ex-ante regulation, the introduction of software liability would slow down innovation, and that it would basically be impossible for software developers to deliver a perfect product from the very start, as many bugs and inconsistencies are detected only when a new software is used in practice."

Each of the following is a prominent factor in the private market's failure EXCEPT which does not contribute to the private market's tendency to fail?

a. Positive externalities
b. Negative externalities
c. Information asymmetries
d. Concentration in the market for security services and insurance provision

Answers here: