While US banks are generally well-positioned to handle average modeled cyber risk losses, tail events following a systemic cyber event can lead to significant losses, according to a new report from Fitch Ratings.
The financial impact of a cyber event is often centered around the reported remediation – or, in the case of ransomware, the ransom payment. However, the financial cost of a cyber event is likely to be a good deal more than the headline figures, Fitch said. Additional costs from tail events can include data restoration, investigation and response, regulatory legal fines, and brand damage. Cyber insurance can mitigate some of these costs, Fitch said.
Fitch collaborated with cybersecurity company CyberCube to model the impact of systemic cyber events on the US banking sector under various scenarios. CyberCube’s model focuses on “single points of failure” (SPoF) for cyber incidents that could impact parts of the country’s banking system. SPoFs are technologies – like operating systems and cloud service providers – for which connectivity and dependencies are identified by bank, Fitch said. A cyberattack on a SPoF may have a knock-on effect on the connected banks.
Fitch said an attack on an SPoF is a “force multiplier” that creates significantly larger areas of compromise than attacks that infect one bank or system at a time.
“Systemic cyber risks are as important to analyze as idiosyncratic cyber risks,” said Christopher Wolfe, Fitch managing director. “Cyber risk is evolving into broader aggregations and concentrations within the vendor management and supply chain. An incident at a single critical third- or fourth-party vendor could lead to significant business interruption losses.”
For the report, Fitch and CyberCube analyzed the entire US banking sector – approximately 4,900 banks with more than $1.1 trillion in total revenues. The report applied CyberCube’s proprietary model to quantify the impact of cybersecurity incidents on the banking sector over a one-year period.
“Our work with Fitch has identified the top threat scenarios for US banking, and the repercussions a cyber risk might have on an individual bank,” said Souki Chahid, CyberCube principal product advisor. “A greater understanding of the inherent risks faced by the banking sector will support banks in their decision-making with regards to their insurance purchasing and their operational risk.”